Systematic Classification Excellence Through Impact Analysis
Open Source Intelligence Platform Classification Framework
📋 Document Owner: CEO | 📄 Version: 1.1 | 📅 Last Updated: 2026-02-25 (UTC)
🔄 Review Cycle: Quarterly | ⏰ Next Review: 2026-05-25
| Document | Focus | Description | Documentation Link |
|---|---|---|---|
| Architecture | 🏛️ Architecture | C4 model showing current system structure | View Source |
| Future Architecture | 🏛️ Architecture | C4 model showing future system structure | View Source |
| Mindmaps | 🧠 Concept | Current system component relationships | View Source |
| Future Mindmaps | 🧠 Concept | Future capability evolution | View Source |
| SWOT Analysis | 💼 Business | Current strategic assessment | View Source |
| Future SWOT Analysis | 💼 Business | Future strategic opportunities | View Source |
| Data Model | 📊 Data | Current data structures and relationships | View Source |
| Future Data Model | 📊 Data | Enhanced European Parliament data architecture | View Source |
| Flowcharts | 🔄 Process | Current data processing workflows | View Source |
| Future Flowcharts | 🔄 Process | Enhanced AI-driven workflows | View Source |
| State Diagrams | 🔄 Behavior | Current system state transitions | View Source |
| Future State Diagrams | 🔄 Behavior | Enhanced adaptive state transitions | View Source |
| Security Architecture | 🛡️ Security | Current security implementation | View Source |
| Future Security Architecture | 🛡️ Security | Security enhancement roadmap | View Source |
| Threat Model | 🎯 Security | STRIDE threat analysis | View Source |
| Classification | 🏷️ Governance | CIA classification & BCP | View Source |
| CRA Assessment | 🛡️ Compliance | Cyber Resilience Act | View Source |
| Workflows | ⚙️ DevOps | CI/CD documentation | View Source |
| Future Workflows | 🚀 DevOps | Planned CI/CD enhancements | View Source |
| Business Continuity Plan | 🔄 Resilience | Recovery planning | View Source |
| Financial Security Plan | 💰 Financial | Cost & security analysis | View Source |
| End-of-Life Strategy | 📦 Lifecycle | Technology EOL planning | View Source |
| Unit Test Plan | 🧪 Testing | Unit testing strategy | View Source |
| E2E Test Plan | 🔍 Testing | End-to-end testing | View Source |
| Performance Testing | ⚡ Performance | Performance benchmarks | View Source |
| Security Policy | 🔒 Security | Vulnerability reporting & security policy | View Source |
EU Parliament Monitor's classification framework demonstrates how systematic impact analysis enables security excellence and informed decision-making for open source intelligence platforms. This comprehensive classification serves as the foundation for threat modeling, risk assessment, and business continuity planning.
This document provides structured classification across confidentiality, integrity, availability, recovery objectives, and business impact dimensions. It establishes the baseline for security control selection and incident response prioritization.
Our transparent classification approach showcases methodical risk assessment aligned with Hack23 ISMS Classification Framework, enabling evidence-based security decision-making.
— James Pether Sörling, CEO/Founder
This document outlines the classification framework and business impact analysis for EU Parliament Monitor, a static website generator creating multi-language news about European Parliament activities.
The following decision tree helps determine the appropriate classification level for EU Parliament Monitor data:
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#1565C0',
'primaryTextColor': '#0D47A1',
'lineColor': '#1565C0',
'secondaryColor': '#4CAF50',
'tertiaryColor': '#FF9800'
}
}
}%%
flowchart TD
START[📊 Data Received/Created] --> EP_CHECK{🏛️ European Parliament<br/>Open Data Source?}
EP_CHECK -->|✅ Yes| PII_CHECK{👤 Contains non-public or<br/>sensitive personal data?}
EP_CHECK -->|❌ No| REVIEW[🔍 Manual Review Required]
PII_CHECK -->|❌ No| ACCESS_CHECK{🔐 Requires Access<br/>Control?}
PII_CHECK -->|✅ Yes| HIGH_CONF[🔴 High Confidentiality<br/>(Non-public/sensitive PII)<br/>Not Applicable to EP Monitor]
ACCESS_CHECK -->|❌ No| ACCURACY_CHECK{✅ Accuracy<br/>Critical?}
ACCESS_CHECK -->|✅ Yes| INTERNAL[🟡 Internal Classification<br/>Not Applicable to EP Monitor]
ACCURACY_CHECK -->|✅ Yes| PUBLIC_MED[🟢 PUBLIC Confidentiality<br/>🟡 MEDIUM Integrity<br/>✅ Current EP Monitor Status]
ACCURACY_CHECK -->|❌ No| PUBLIC_LOW[🟢 PUBLIC Confidentiality<br/>🟢 LOW Integrity<br/>Not Typical for EP Monitor]
PUBLIC_MED --> AVAIL_CHECK{⏱️ 24-hour Outage<br/>Acceptable?}
AVAIL_CHECK -->|✅ Yes| FINAL[✅ Final Classification:<br/>📊 Confidentiality: PUBLIC<br/>✅ Integrity: MEDIUM<br/>⏱️ Availability: MEDIUM<br/>🚨 RTO: 24 hours<br/>🔄 RPO: 1 day]
AVAIL_CHECK -->|❌ No| HIGH_AVAIL[⚡ High Availability Required<br/>Not Current EP Monitor Design]
classDef start fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
classDef decision fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
classDef success fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
classDef warning fill:#FFC107,stroke:#FFA000,stroke-width:2px,color:#000000
classDef critical fill:#D32F2F,stroke:#B71C1C,stroke-width:2px,color:#ffffff
classDef final fill:#7B1FA2,stroke:#4A148C,stroke-width:3px,color:#ffffff
class START start
class EP_CHECK,PII_CHECK,ACCESS_CHECK,ACCURACY_CHECK,AVAIL_CHECK decision
class PUBLIC_MED,FINAL success
class PUBLIC_LOW,INTERNAL warning
class HIGH_CONF,HIGH_AVAIL critical
class REVIEW final
Decision Tree Explanation:
- European Parliament Data Check: All EP Monitor data originates from official EP open data APIs
- PII Check: MEP names and roles are publicly available personal data from official European Parliament open data sources. Processing is limited to transparency and journalistic purposes and relies on GDPR Article 6(1)(f) (legitimate interests) and applicable Article 85 freedom-of-expression/journalistic exemptions; no special category data is processed.
- Access Control Check: No authentication or authorization required for public transparency platform
- Accuracy Check: News accuracy is critical for democratic transparency and public trust
- Availability Check: 24-hour outages acceptable given daily update schedule and non-critical nature
EU Parliament Monitor is classified as:
| Dimension | Level | Badge | Rationale |
|---|---|---|---|
| 🔒 Confidentiality | Public (Level 1) |  |
All data from European Parliament open data sources, no private information, publicly accessible content |
| ✅ Integrity | Medium (Level 2) |  |
News accuracy critical for democratic transparency, incorrect information could mislead public opinion |
| ⏱️ Availability | Medium (Level 2) |  |
Daily updates expected, 24-hour outages acceptable, not mission-critical infrastructure |
| 🚨 RTO | 24 hours | -lightgreen?style=for-the-badge&logo=clock&logoColor=white){kind=icon} |
Manual workflow trigger available, automated recovery via GitHub Actions |
| 🔄 RPO | 1 day | -lightblue?style=for-the-badge&logo=database&logoColor=white){kind=icon} |
Daily generation schedule, previous day's content acceptable loss |
| 🏷️ Privacy | Personal (public-source) | -orange?style=for-the-badge&logo=user-shield&logoColor=white){kind=icon} |
Publicly available personal data of elected representatives (MEP names/roles); no special categories; GDPR applies with reduced risk |
Project Type: 
| Impact Category | Financial | Operational | Reputational | Regulatory |
|---|---|---|---|---|
| 🔒 Confidentiality Breach |  |
 |
 |
 |
| ✅ Integrity Compromise |  |
 |
 |
 |
| ⏱️ Availability Loss | |
 |
 |
|
Justification:
- All source data from European Parliament's public open data APIs
- Generated news articles publicly accessible via AWS S3 + Amazon CloudFront
- No authentication, authorization, or access controls required
- Only publicly available MEP personal data processed (no non-public personal data, no special category data, no end-user tracking data)
- Designed for maximum transparency and public accessibility
Impact if Compromised: Negligible - Data already public
Justification:
- News accuracy critical for democratic transparency and informed citizenry
- Incorrect information could mislead public opinion on parliamentary activities
- Content influences understanding of European democratic processes
- Manual content validation currently required
- Reputation depends on factual accuracy and reliability
Impact if Compromised: Moderate - Public misinformation, trust erosion
Justification:
- Daily content generation expected by users
- 24-hour outages acceptable (not mission-critical)
- Manual workflow trigger available as backup
- GitHub Actions provides automated recovery
- Static site architecture inherently resilient
Impact if Compromised: Low - Delayed content, limited operational impact
EU Parliament Monitor Context: Low-cost infrastructure (AWS S3 + CloudFront), volunteer-driven, no revenue generation.
Major revenue impact (>$10K daily) — N/A for volunteer project
Substantial penalties ($5K-10K daily) — N/A for volunteer project
Regulatory fines ($1K-5K daily) — N/A for volunteer project
Incident response costs ($500-1K daily) — Low probability
Minimal impact (<$500 daily) — Current exposure level
No financial consequences — Most scenarios
EU Parliament Monitor Context: Static site generator, GitHub Actions automation, manual fallback available.
EU Parliament Monitor Context: Transparency-focused intelligence platform, volunteer open source project.
EU Parliament Monitor Context: Public open data, no PII, GDPR compliant by design, transparency-aligned.
The following diagram illustrates the four-level information classification hierarchy used across Hack23 projects, with EU Parliament Monitor positioned at the Public level:
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#1565C0',
'primaryTextColor': '#0D47A1',
'lineColor': '#1565C0',
'secondaryColor': '#4CAF50',
'tertiaryColor': '#FF9800'
}
}
}%%
graph TB
subgraph HIERARCHY["🏗️ Hack23 Information Classification Hierarchy"]
RESTRICTED[🔴 RESTRICTED<br/>Highest Protection<br/>Zero-trust architecture<br/>HSM, MFA, biometrics]
CONFIDENTIAL[🟠 CONFIDENTIAL<br/>Strong Protection<br/>Encryption, RBAC, monitoring]
INTERNAL[🟡 INTERNAL<br/>Standard Protection<br/>Access control, authentication]
PUBLIC[🟢 PUBLIC<br/>Minimal Protection<br/>TLS in transit only]
end
RESTRICTED -.->|Lower sensitivity| CONFIDENTIAL
CONFIDENTIAL -.->|Lower sensitivity| INTERNAL
INTERNAL -.->|Lower sensitivity| PUBLIC
subgraph EP_MONITOR["🏛️ EU Parliament Monitor"]
EP_DATA[📊 European Parliament Data<br/>✅ Public open data APIs<br/>✅ Only public-identifiable data (MEP names/roles)<br/>✅ No non-public or special category data]
EP_NEWS[📰 Generated News Articles<br/>✅ 14 languages<br/>✅ Public AWS S3 + CloudFront<br/>✅ No access control]
end
PUBLIC -.->|Applied to| EP_MONITOR
classDef critical fill:#D32F2F,stroke:#B71C1C,stroke-width:3px,color:#ffffff
classDef high fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
classDef medium fill:#FFC107,stroke:#FFA000,stroke-width:2px,color:#000000
classDef low fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
classDef epmonitor fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
class RESTRICTED critical
class CONFIDENTIAL high
class INTERNAL medium
class PUBLIC low
class EP_DATA,EP_NEWS epmonitor
Hierarchy Characteristics:
| Level | Protection Controls | EU Parliament Monitor Applicability |
|---|---|---|
| 🔴 Restricted | HSM, zero-trust, biometric auth, air-gapped systems | ❌ Not applicable - no sensitive data |
| 🟠 Confidential | Strong encryption (AES-256), RBAC, SIEM monitoring | ❌ Not applicable - transparency platform |
| 🟡 Internal | Standard access control, authentication, basic encryption | ❌ Not applicable - public by design |
| 🟢 Public | TLS 1.2+ (TLS 1.3 where supported) in transit, public repository, open source | ✅ CURRENT LEVEL - maximum transparency |
EU Parliament Monitor Classification: Public (Level 1)
| Level | Badge | Description | EU Parliament Monitor Context |
|---|---|---|---|
| Extreme |  |
National security, quantum encryption | Not applicable |
| Very High |  |
Zero-trust, advanced threat protection | Not applicable |
| High |  |
Strong encryption, MFA, monitoring | Not applicable |
| Moderate |  |
Standard encryption, role-based access | Not applicable |
| Low |  |
Basic protection, standard auth | Not applicable |
| Public | |
No confidentiality requirements | ✅ CURRENT LEVEL |
Controls Required:
- ✅ TLS 1.2+ (TLS 1.3 where supported) for data in transit (Amazon CloudFront, API calls)
- ✅ Public content by design
- ✅ No authentication/authorization systems needed
- ✅ Transparent, open source codebase
EU Parliament Monitor Classification: Moderate (Level 2)
| Level | Badge | Description | EU Parliament Monitor Context |
|---|---|---|---|
| Critical |  |
Real-time validation, immutable logs | Future aspiration (Q4 2026) |
| High |  |
Automated validation, digital signatures | Future phase (Q3 2026) |
| Moderate | |
Standard validation, checksums | ✅ CURRENT LEVEL |
| Low |  |
Basic validation, manual verification | Not appropriate |
| Minimal |  |
Best-effort basis only | Not acceptable |
Controls Required:
- ✅ Git version control (change tracking, audit trail)
- ✅ Git object integrity via commit hashes (no automated commit signing)
- ✅ Immutable Git history
- ✅ Automated testing (unit tests 82%, E2E tests)
- ✅ Code review via pull requests
- ⏳ Content validation (manual, future automation planned Q3 2026)
- ⏳ Fact-checking integration (planned Q4 2026)
EU Parliament Monitor Classification: Moderate (Level 2)
| Level | Badge | Description | EU Parliament Monitor Context |
|---|---|---|---|
| Mission Critical |  |
99.99% uptime, instant failover | Not applicable |
| High |  |
99.9% uptime, automated failover | Future phase |
| Moderate | |
99.5% uptime, manual failover | ✅ CURRENT LEVEL |
| Standard |  |
99% uptime, basic redundancy | Minimum acceptable |
| Best Effort |  |
No uptime guarantees | Not acceptable |
Controls Required:
- ✅ AWS S3 + Amazon CloudFront infrastructure (99.9% uptime SLA)
- ✅ Static site architecture (no server-side execution)
- ✅ Amazon CloudFront global CDN distribution
- ✅ Manual workflow trigger (backup recovery)
- ✅ GitHub Actions automated recovery
- ✅ Multiple repository copies (Git distributed architecture)
EU Parliament Monitor Classification: Personal (public-source, public-official context)
| Level | Badge | Description | GDPR Context | EU Parliament Monitor Context |
|---|---|---|---|---|
| Special Category |  |
Art. 9 data | Explicit consent required | Not applicable |
| Personal Identifier |  |
Direct identifiers | GDPR Art. 4(1) | Not applicable |
| Personal |  |
Personal data | GDPR compliance required | ✅ CURRENT STATUS — publicly available MEP names/roles from EP open data |
| Pseudonymized |  |
De-identified with key | GDPR Art. 4(5) | Not applicable |
| Anonymized |  |
Irreversibly de-identified | Outside GDPR scope | Not applicable |
| NA (Not Applicable) |  |
Non-personal data | No GDPR obligations | Not applicable |
GDPR Compliance Status:
- ✅ Publicly available personal data of elected representatives only (no special categories, no behavioural profiling)
- ✅ No cookies, tracking, or analytics
- ✅ No user accounts or authentication
- ✅ Public European Parliament data only
- ✅ GDPR by design (data protection by design and by default)
- ✅ Data subject rights handled case-by-case subject to applicable freedom-of-expression and public-interest exemptions
EU Parliament Monitor Classification: Medium (24 hours)
| Level | Badge | Time Window | EU Parliament Monitor Context |
|---|---|---|---|
| Instant | -red?style=for-the-badge&logo=clock&logoColor=white){kind=icon} |
< 5 minutes | Not required |
| Critical | -orange?style=for-the-badge&logo=clock&logoColor=white){kind=icon} |
5-60 minutes | Not required |
| High | -yellow?style=for-the-badge&logo=clock&logoColor=white){kind=icon} |
1-4 hours | Not required |
| Medium | -lightgreen?style=for-the-badge&logo=clock&logoColor=white){kind=icon} |
4-24 hours | ✅ CURRENT TARGET |
| Low | -lightblue?style=for-the-badge&logo=clock&logoColor=white){kind=icon} |
24-72 hours | Acceptable fallback |
| Standard | -lightgrey?style=for-the-badge&logo=clock&logoColor=black){kind=icon} |
> 72 hours | Not acceptable |
Recovery Strategy:
- ✅ GitHub Actions automated workflow retry
- ✅ Manual workflow trigger via GitHub UI
- ✅ Static site resilience (existing content remains available)
- ✅ AWS S3 + CloudFront redundancy (no single point of failure)
- ✅ Daily generation schedule provides natural recovery window
Acceptable Downtime: 24 hours (content generation can be delayed without critical impact)
EU Parliament Monitor Classification: Daily (24 hours)
| Level | Badge | Data Loss Window | EU Parliament Monitor Context |
|---|---|---|---|
| Zero Loss | -red?style=for-the-badge&logo=database&logoColor=white){kind=icon} |
< 1 minute | Not required |
| Near Real-time | -orange?style=for-the-badge&logo=database&logoColor=white){kind=icon} |
1-15 minutes | Not required |
| Minimal | -yellow?style=for-the-badge&logo=database&logoColor=black){kind=icon} |
15-60 minutes | Not required |
| Hourly | -lightgreen?style=for-the-badge&logo=database&logoColor=white){kind=icon} |
1-4 hours | Future aspiration |
| Daily | -lightblue?style=for-the-badge&logo=database&logoColor=white){kind=icon} |
4-24 hours | ✅ CURRENT ACCEPTABLE |
| Extended | -lightgrey?style=for-the-badge&logo=database&logoColor=black){kind=icon} |
> 24 hours | Not preferred |
Data Loss Strategy:
- ✅ Daily content generation schedule
- ✅ Git version control (all content versioned)
- ✅ GitHub repository backup (distributed copies)
- ✅ Previous day's content acceptable loss
- ✅ EP API data remains available for regeneration
Acceptable Data Loss: Up to 24 hours of generated content (regenerable from source)
Primary Type:
Static site generator for news intelligence
Secondary Types:
Open source CLI tooling
European Parliament data aggregation
Characteristics:
- Zero production dependencies
- GitHub Actions automation
- Static HTML output
- Multi-language support (14 languages)
- MCP (Model Context Protocol) integration
- LLM-powered content generation
Security Level: Moderate (static architecture, public data, integrity-focused)
The following table provides explicit classifications for various types of European Parliament data processed by EU Parliament Monitor:
| Data Type | Source | Confidentiality | Integrity | Availability | Rationale |
|---|---|---|---|---|---|
| 🏛️ MEP Personal Data (Names, roles, contact) | EP Open Data API | 🟢 Public | 🟡 Medium | 🟡 Medium | Public officials, accuracy matters for democratic transparency |
| 📋 Plenary Session Records | EP Open Data API | 🟢 Public | 🟡 Medium | 🟡 Medium | Official parliamentary proceedings, historical accuracy critical |
| 📊 Committee Documents | EP Open Data API | 🟢 Public | 🟡 Medium | 🟢 Low | Committee work publicly accessible, moderate accuracy needs |
| 🗳️ Voting Records | EP Open Data API | 🟢 Public | 🔴 High | 🟡 Medium | Democratic accountability requires highest integrity |
| 📜 Legislative Documents | EP Open Data API | 🟢 Public | 🟡 Medium | 🟡 Medium | Legal texts require accuracy but publicly available |
| 📰 Generated News Articles (14 languages) | EP Monitor (Generated) | 🟢 Public | 🟡 Medium | 🟢 Low | Transparency content, accuracy important but not mission-critical |
| 📊 Session Summaries | EP Monitor (Processed) | 🟢 Public | 🟡 Medium | 🟢 Low | Aggregated insights, public transparency focus |
| 🌐 Multi-Language Translations | EP Monitor (Generated) | 🟢 Public | 🟡 Medium | 🟢 Low | Linguistic accuracy important for international audience |
Why Everything is Public (Level 1) Confidentiality:
- ✅ All data originates from European Parliament's official open data sources
- ✅ EU transparency regulations mandate public access to parliamentary proceedings
- ✅ No authentication, authorization, or access control mechanisms needed
- ✅ Personal data protection (GDPR) requirements apply, but risk and required controls are reduced because MEP information is public official data from open sources
- ✅ Designed for maximum democratic transparency and citizen engagement
Why Integrity Varies (Low to High):
- 🗳️ High Integrity: Voting records require absolute accuracy for democratic accountability
- 🟡 Medium Integrity: Most content requires accuracy but corrections are acceptable
- 🟢 Low Integrity: Supplementary content where errors have minimal impact
Why Availability is Medium/Low:
- Daily content generation schedule provides natural recovery window
- 24-hour outages acceptable - not mission-critical democratic infrastructure
- Manual workflow triggers available as backup
- AWS S3 with CloudFront provides inherent resilience via global CDN distribution
Language Coverage: 14 languages (en, sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh)
Uniform Classification Across Languages:
| Attribute | Classification | Applies to All 14 Languages |
|---|---|---|
| 🔒 Confidentiality | 🟢 Public | ✅ Yes - all language variants equally public |
| ✅ Integrity | 🟡 Medium | ✅ Yes - translation accuracy equally important |
| ⏱️ Availability | 🟡 Medium | ✅ Yes - same 24-hour RTO applies to all |
| 🚨 RTO | 24 hours | ✅ Yes - same recovery objective for all |
| 🔄 RPO | 1 day | ✅ Yes - daily regeneration schedule universal |
Language-Specific Considerations:
- Translation quality monitored but not cryptographically verified
- All languages generated simultaneously in single workflow
- No language-based access restrictions or geographic fencing
- Cultural context maintained across translations
- No special protection for any specific language variant
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#1565C0',
'primaryTextColor': '#0D47A1',
'lineColor': '#1565C0',
'secondaryColor': '#4CAF50',
'tertiaryColor': '#FF9800'
}
}
}%%
flowchart TB
subgraph CREATION["📥 Data Creation/Collection"]
EP_API[🏛️ EP Open Data API Call]
MCP_FETCH[🔌 MCP Server Data Fetch]
API_RESPONSE[📊 JSON API Response]
end
subgraph PROCESSING["⚙️ Data Processing"]
PARSE[🔍 Parse EP Data]
TRANSFORM[🔄 Transform to News Format]
LLM_GEN[🤖 LLM Content Generation]
TRANSLATE[🌐 14-Language Translation]
end
subgraph STORAGE["💾 Data Storage"]
GIT_COMMIT[📝 Git Commit]
REPO_STORE[📦 GitHub Repository]
PAGES_DEPLOY[🚀 AWS S3 + CloudFront Deployment]
end
subgraph PUBLICATION["📢 Publication"]
HTML_SERVE[🌐 Static HTML Serving]
CDN_CACHE[⚡ Amazon CloudFront CDN Cache]
PUBLIC_ACCESS[👥 Public Access]
end
subgraph ARCHIVING["📚 Archiving"]
GIT_HISTORY[🕰️ Git Version History]
IMMUTABLE[🔒 Immutable Git Objects]
LONG_TERM[📦 Long-Term Preservation]
end
subgraph DISPOSAL["🗑️ Data Disposal"]
RETENTION[⏰ Policy-Based Retention]
AUTO_ARCHIVE[🤖 Automatic Archiving]
NO_DELETION[❌ No Permanent Deletion<br/>Public record preservation]
end
EP_API --> MCP_FETCH
MCP_FETCH --> API_RESPONSE
API_RESPONSE --> PARSE
PARSE --> TRANSFORM
TRANSFORM --> LLM_GEN
LLM_GEN --> TRANSLATE
TRANSLATE --> GIT_COMMIT
GIT_COMMIT --> REPO_STORE
REPO_STORE --> PAGES_DEPLOY
PAGES_DEPLOY --> HTML_SERVE
HTML_SERVE --> CDN_CACHE
CDN_CACHE --> PUBLIC_ACCESS
REPO_STORE --> GIT_HISTORY
GIT_HISTORY --> IMMUTABLE
IMMUTABLE --> LONG_TERM
PUBLIC_ACCESS --> RETENTION
RETENTION --> AUTO_ARCHIVE
AUTO_ARCHIVE --> NO_DELETION
classDef creation fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
classDef processing fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
classDef storage fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
classDef publication fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#ffffff
classDef archiving fill:#1565C0,stroke:#0D47A1,stroke-width:2px,color:#ffffff
classDef disposal fill:#9E9E9E,stroke:#616161,stroke-width:2px,color:#ffffff
class EP_API,MCP_FETCH,API_RESPONSE creation
class PARSE,TRANSFORM,LLM_GEN,TRANSLATE processing
class GIT_COMMIT,REPO_STORE,PAGES_DEPLOY storage
class HTML_SERVE,CDN_CACHE,PUBLIC_ACCESS publication
class GIT_HISTORY,IMMUTABLE,LONG_TERM archiving
class RETENTION,AUTO_ARCHIVE,NO_DELETION disposal
Duration: Daily (automated via GitHub Actions)
Classification Impact: Public data from inception
Controls:
- ✅ TLS 1.2+ (TLS 1.3 where supported) for API communications
- ✅ European Parliament MCP Server runs as a local stdio child process (no network exposure; explicit authentication planned for future remote deployment)
- ✅ API rate limiting and error handling
- ✅ Automated retry mechanisms
Data Volumes:
- ~50-100 MEP records per execution
- ~10-20 plenary sessions per month
- ~5-10 committee meetings per day
- JSON payloads: 10-50 KB per request
Duration: 15-30 minutes per execution
Classification Impact: Public input → Public output (no classification change)
Controls:
- ✅ Input validation and sanitization
- ✅ Content safety checks (no malicious content generation)
- ✅ Translation quality validation
- ✅ Git repository integrity via commit hashes (no automated commit signing)
Processing Steps:
- Parse EP API JSON responses
- Transform to structured news format
- LLM-powered content generation (news articles)
- Multi-language translation (14 languages)
- HTML template rendering
Duration: Permanent (Git version control)
Classification Impact: Public storage with integrity controls
Controls:
- ✅ Git version control (immutable history)
- ✅ GitHub repository backup (distributed copies)
- ✅ Git object integrity via commit hashes (no automated commit signing)
- ✅ Branch protection rules
Storage Characteristics:
- Location: GitHub cloud infrastructure
- Redundancy: Git distributed architecture (multiple clones)
- Backup: GitHub's infrastructure backups + Git clones
- Retention: Indefinite (public record preservation)
Duration: Real-time (CDN caching)
Classification Impact: Public access with availability controls
Controls:
- ✅ AWS S3 + CloudFront HTTPS (TLS 1.2+, TLS 1.3 where supported)
- ✅ Amazon CloudFront (AWS Shield Standard for DDoS protection)
- ✅ Static site architecture (no server-side vulnerabilities)
- ✅ No authentication required (public by design)
Availability:
- SLA: AWS S3 (Standard) and Amazon CloudFront, each with 99.9% availability SLA
- CDN: Global edge caching
- RTO: 24 hours (manual workflow trigger)
- RPO: 1 day (daily generation acceptable)
Duration: Automatic (Git version history)
Classification Impact: Public historical record
Controls:
- ✅ Immutable Git objects (Git object hashing, SHA-1 by default; SHA-256 if enabled)
- ✅ Permanent version history
- ✅ No content deletion (transparency principle)
- ✅ Historical audit trail
Archive Characteristics:
- All content changes tracked via Git commits
- Complete historical record of all articles
- Tamper-evident via Git cryptographic hashing
- No retroactive content modification
Duration: N/A (no permanent deletion)
Classification Impact: Public record preservation
Policy:
- ❌ No permanent deletion of published content
- ✅ Content remains in Git history indefinitely
- ✅ Transparency principle: public record preservation
- ✅ Compliance: EU transparency regulations
Rationale for No Deletion:
- Democratic transparency requires historical preservation
- Public officials' parliamentary activities are permanent public record
- Git architecture supports immutable history
- DSR rights to erasure are subject to applicable exemptions (public record, freedom of expression, journalistic/archival purpose)
The following matrix defines specific handling procedures for each classification level across all data operations:
| Handling Procedure | 🔴 Restricted | 🟠 Confidential | 🟡 Internal | 🟢 Public | EU Parliament Monitor |
|---|---|---|---|---|---|
| 💾 Storage | HSM, encrypted vaults, air-gapped | AES-256 encryption, encrypted databases | Access-controlled storage, basic encryption | Standard storage, version control | ✅ Git (public), GitHub (cloud) |
| 📡 Transmission | Quantum-safe, VPN + TLS 1.3 | TLS 1.3, certificate pinning | TLS 1.2+, standard HTTPS | TLS 1.2+ (prefer 1.3) | ✅ TLS 1.2+, TLS 1.3 where supported (CloudFront CDN, EP API) |
| 🤝 Sharing | Need-to-know, zero-trust, MFA | Role-based, MFA, audit logging | Authenticated access, logging | Public access, no restrictions | ✅ Public AWS S3 + CloudFront, no auth |
| 🗑️ Disposal | Cryptographic erasure, physical destruction, witnessed | Multi-pass overwrite (DoD 5220.22-M), secure deletion | Standard deletion, recycle bin clearing | Standard deletion or retention | ✅ Git history preservation (no deletion) |
| 🔐 Access Control | Biometric + MFA, zero-trust | RBAC + MFA, privileged access management | Username/password + RBAC | No access control required | ✅ No access control (public by design) |
| 🔒 Encryption | AES-256 + HSM, quantum-resistant | AES-256, key rotation, KMS | AES-128/256, managed keys | TLS in transit only | ✅ TLS 1.2+, TLS 1.3 where supported (CloudFront) |
| 📋 Labeling | "RESTRICTED - AUTHORIZED ONLY" | "CONFIDENTIAL - INTERNAL USE" | "INTERNAL - STAFF ONLY" | "PUBLIC" or no label | ✅ PUBLIC (implied, no labels needed) |
| 📊 Logging | Immutable audit logs, SIEM, real-time alerting | Comprehensive logging, SIEM integration | Standard logging, periodic review | Basic logging or none | ✅ Git commits (immutable), GitHub audit |
| 🔄 Backup | Air-gapped, encrypted, off-site vaults | Encrypted backups, off-site replication | Standard backups, encryption | Git version control, cloud backups | ✅ Git (distributed), GitHub backups |
| 📱 Mobile Devices | Prohibited or heavily restricted | MDM, encryption, remote wipe | MDM, basic encryption | No restrictions | ✅ Public access from any device |
| ☁️ Cloud Storage | Prohibited or private cloud only | Encrypted, dedicated tenants | Encrypted, shared cloud | Public cloud, standard controls | ✅ AWS S3 (public cloud), CloudFront (CDN) |
| 🖨️ Printing | Prohibited or secure printers only | Watermarked, secure disposal | Standard printers, secure disposal | Unrestricted | ✅ N/A (web-only content) |
🟢 Public Classification Handling:
✅ Storage:
- Public GitHub repository (no encryption required)
- Git version control for integrity
- Distributed architecture (multiple clones)
✅ Transmission:
- TLS 1.2+, TLS 1.3 where supported (Amazon CloudFront)
- European Parliament API calls over HTTPS
- No VPN or additional encryption needed
✅ Sharing:
- Public AWS S3 + CloudFront (open access)
- No authentication, authorization, or access control
- Maximum transparency and accessibility
✅ Disposal:
- No permanent deletion (public record preservation)
- Git history maintained indefinitely
- Compliance with transparency principles
✅ Access Control:
- None required (public by design)
- No user accounts or login
- Open source codebase
✅ Encryption:
- TLS 1.2+, TLS 1.3 where supported (in transit only)
- No encryption at rest required (public data)
- Amazon CloudFront HTTPS enforced
✅ Logging:
- Git commit history (immutable)
- GitHub Actions workflow logs
- No PII logging (no user data)
✅ Backup:
- Git distributed architecture (natural backups)
- GitHub infrastructure backups
- Multiple repository clones
EU Parliament Monitor's classification framework aligns with multiple international standards and best practices:
| ISO 27001 Control | Control Name | EU Parliament Monitor Implementation | Compliance Status |
|---|---|---|---|
| A.5.12 | Classification of information | ✅ Documented classification framework (this document) | ✅ COMPLIANT |
| A.5.13 | Labelling of information | ✅ Badges and metadata in all documents | ✅ COMPLIANT |
| A.5.14 | Information transfer | ✅ TLS 1.2+, TLS 1.3 where supported for all transmissions, EP API over HTTPS | ✅ COMPLIANT |
| A.8.10 | Information deletion | ✅ Git history preservation policy (no deletion) | ✅ COMPLIANT |
| A.8.11 | Data masking | ⚪ N/A (no sensitive data) | ⚪ N/A |
| A.8.12 | Data leakage prevention | ⚪ N/A (public data by design) | ⚪ N/A |
| A.5.10 | Acceptable use of information | ✅ Public domain, open source licensing | ✅ COMPLIANT |
| NIST CSF 2.0 Category | Function | EU Parliament Monitor Implementation | Maturity Level |
|---|---|---|---|
| ID.AM-5 | Classify data | ✅ Complete classification framework (Public/Medium/Medium) | 🟢 Level 4 - Adaptive |
| PR.DS-1 | Protect data at rest | ✅ Git version control, GitHub backups | 🟢 Level 3 - Informed |
| PR.DS-2 | Protect data in transit | ✅ TLS 1.2+, TLS 1.3 where supported (CloudFront CDN, S3, EP API) | 🟢 Level 4 - Adaptive |
| PR.DS-5 | Protections against data leaks | ⚪ N/A (public data, no leaks possible) | ⚪ N/A |
| PR.DS-6 | Integrity checking | ✅ Git cryptographic hashing (SHA-1 by default), commit hash verification | 🟢 Level 3 - Informed |
| PR.DS-7 | Separate dev/test/prod | ✅ GitHub Actions environments, branch protection | 🟢 Level 3 - Informed |
| PR.DS-8 | Integrity verification | ✅ Automated testing (82% coverage), Git object hashing | 🟢 Level 3 - Informed |
NIST CSF 2.0 Maturity Levels:
- 🔴 Level 1 - Partial: Ad hoc, reactive
- 🟠 Level 2 - Risk-Informed: Aware but not systematic
- 🟡 Level 3 - Repeatable: Documented and followed
- 🟢 Level 4 - Adaptive: Continuous improvement
| CIS Control | Control Name | EU Parliament Monitor Implementation | Implementation Status |
|---|---|---|---|
| 3.3 | Configure data access control lists | ⚪ N/A (public access, no ACLs) | ⚪ N/A |
| 3.6 | Encrypt data on end-user devices | ⚪ N/A (static web content, no user devices) | ⚪ N/A |
| 3.11 | Encrypt sensitive data at rest | ⚪ N/A (public data, no encryption required) | ⚪ N/A |
| 3.12 | Segment data processing | ✅ GitHub Actions isolation, ephemeral runners | ✅ IMPLEMENTED |
| 3.14 | Log sensitive data access | ✅ Git commit logs, GitHub audit logs | ✅ IMPLEMENTED |
| 11.4 | Maintain isolated backups | ✅ Git distributed architecture, GitHub backups | ✅ IMPLEMENTED |
| 11.5 | Test data recovery | ✅ Manual workflow trigger tested, Git clone recovery | ✅ IMPLEMENTED |
| GDPR Article | Requirement | EU Parliament Monitor Implementation | Compliance Status |
|---|---|---|---|
| Art. 5(1)(a) | Lawfulness, fairness, transparency | ✅ Public data, open source, maximum transparency | ✅ COMPLIANT |
| Art. 5(1)(b) | Purpose limitation | ✅ Democratic transparency only, defined purpose | ✅ COMPLIANT |
| Art. 5(1)(c) | Data minimization | ✅ European Parliament open data about public functions only; strict data minimization; no special categories | ✅ COMPLIANT |
| Art. 5(1)(d) | Accuracy | ✅ Git version control, automated testing, integrity focus | ✅ COMPLIANT |
| Art. 5(1)(e) | Storage limitation | ✅ Indefinite retention justified (public record preservation) | ✅ COMPLIANT |
| Art. 5(1)(f) | Integrity and confidentiality | ✅ TLS 1.2+, Git integrity, GitHub security | ✅ COMPLIANT |
| Art. 25 | Data protection by design | ✅ Architecture limited to EP open data; no behavioural tracking or unnecessary identifiers | ✅ COMPLIANT |
| Art. 32 | Security of processing | ✅ TLS 1.2+, Git integrity, GitHub Actions security | ✅ COMPLIANT |
GDPR Summary:
- ✅ Public-source institutional data only - Processes European Parliament open data about elected representatives and institutional activities; no special categories or behavioural profiling
- ✅ MEP data is personal data of public officials - Processed under GDPR on the basis of legitimate/public interest with appropriate safeguards and transparency
- ✅ Data subject rights supported - DSRs (access, rectification, objection, etc.) are handled case-by-case, subject to applicable legal exemptions (e.g. freedom of expression and information, public interest, archival/record-keeping)
- ✅ No cookies, tracking, or analytics - Privacy by design
- ✅ Transparency by default - Open source, public repository, public content
| CRA Requirement | EU Parliament Monitor Implementation | Compliance Status |
|---|---|---|
| Security by design | ✅ Static architecture, no server-side execution, public data | ✅ COMPLIANT |
| Vulnerability handling | ✅ Dependabot, SonarCloud SAST, GitHub security advisories | ✅ COMPLIANT |
| Security updates | ✅ Automated dependency updates, GitHub Actions CI/CD | ✅ COMPLIANT |
| Incident reporting | ✅ GitHub security advisories, public issue tracking | ✅ COMPLIANT |
| Documentation | ✅ Complete security architecture documentation | ✅ COMPLIANT |
| NIS2 Requirement | EU Parliament Monitor Implementation | Compliance Status |
|---|---|---|
| Art. 21 — Security measures | ✅ Static architecture, TLS 1.2+ (TLS 1.3 where supported), GitHub security controls | ✅ COMPLIANT |
| Art. 21(2)(a) — Incident handling | ✅ GitHub Actions alerting, manual recovery procedures | ✅ COMPLIANT |
| Art. 21(2)(b) — Business continuity | ✅ BCP documented, RTO 24h, RPO 1 day, static resilience | ✅ COMPLIANT |
| Art. 21(2)(e) — Supply chain security | ✅ SHA-pinned GitHub Actions, Dependabot, SBOM generation | ✅ COMPLIANT |
| Art. 21(2)(i) — Vulnerability disclosure | ✅ GitHub security advisories, SECURITY.md, public issue tracking | ✅ COMPLIANT |
| Art. 23 — Incident reporting | ✅ GitHub security advisories, transparent public reporting | ✅ COMPLIANT |
| Framework | Overall Compliance | Key Strengths | Areas for Improvement |
|---|---|---|---|
| ISO 27001:2022 | ✅ Fully Compliant | Classification framework, TLS 1.2+, Git integrity | Content validation automation (Q3 2026) |
| NIST CSF 2.0 | 🟢 Level 3-4 Maturity | Data protection, integrity verification, separation | Real-time monitoring (future phase) |
| CIS Controls v8.1 | ✅ Implemented | Backup testing, logging, data segmentation | N/A (public data simplifies many controls) |
| GDPR | ✅ Fully Compliant | Public-source institutional data, minimization, transparency, DSR support with applicable exemptions | N/A (no special categories or behavioural profiling) |
| NIS2 | ✅ Compliant | Security measures, BCP, supply chain, vulnerability disclosure | N/A (minimal attack surface simplifies many obligations) |
| EU CRA | ✅ Compliant | Security by design, vulnerability management | Continuous improvement |
| Document | Purpose | Link |
|---|---|---|
| 🏷️ Classification Framework | This document | Current document |
| 🎯 Threat Model | Risk and threat analysis | THREAT_MODEL.md |
| 🔐 Security Architecture | Current security controls | SECURITY_ARCHITECTURE.md |
| 🚀 Future Security Architecture | Security roadmap | FUTURE_SECURITY_ARCHITECTURE.md |
| 📊 Data Model | Data structures | DATA_MODEL.md |
| 📈 Flowchart | Process flows | FLOWCHART.md |
| 📐 Architecture | System design | ARCHITECTURE.md |
| 🛡️ ISMS Classification Policy | Framework reference | Hack23 ISMS |
The following flowchart illustrates the complete data handling lifecycle for EU Parliament Monitor, from data receipt to archiving or disposal:
%%{
init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#1565C0',
'primaryTextColor': '#0D47A1',
'lineColor': '#1565C0',
'secondaryColor': '#4CAF50',
'tertiaryColor': '#FF9800'
}
}
}%%
flowchart TB
START[📥 RECEIVE<br/>European Parliament Data] --> CLASSIFY[🏷️ CLASSIFY<br/>Determine Classification Level]
CLASSIFY --> CLASSIFY_DECISION{Classification?}
CLASSIFY_DECISION -->|Public| LABEL_PUBLIC[🟢 LABEL<br/>Public Data Badge]
CLASSIFY_DECISION -->|Internal| LABEL_INTERNAL[🟡 LABEL<br/>Internal Badge<br/>N/A for EP Monitor]
CLASSIFY_DECISION -->|Confidential| LABEL_CONF[🟠 LABEL<br/>Confidential Badge<br/>N/A for EP Monitor]
CLASSIFY_DECISION -->|Restricted| LABEL_REST[🔴 LABEL<br/>Restricted Badge<br/>N/A for EP Monitor]
LABEL_PUBLIC --> HANDLE_PUBLIC[🤝 HANDLE<br/>Public Handling Procedures]
LABEL_INTERNAL --> HANDLE_INTERNAL[🔐 HANDLE<br/>Access Control Required]
LABEL_CONF --> HANDLE_CONF[🔒 HANDLE<br/>Encryption + RBAC Required]
LABEL_REST --> HANDLE_REST[🛡️ HANDLE<br/>Maximum Protection Required]
HANDLE_PUBLIC --> PROCESS[⚙️ PROCESS<br/>LLM Content Generation<br/>14-Language Translation]
HANDLE_INTERNAL --> PROCESS
HANDLE_CONF --> PROCESS
HANDLE_REST --> PROCESS
PROCESS --> STORE[💾 STORE<br/>Git Version Control<br/>GitHub Repository]
STORE --> DEPLOY[🚀 DEPLOY<br/>AWS S3<br/>CloudFront CDN]
DEPLOY --> MONITOR[📊 MONITOR<br/>Access Logs<br/>Git Commit History]
MONITOR --> REVIEW[🔍 REVIEW<br/>Quarterly Classification Review<br/>Security Assessment]
REVIEW --> REVIEW_DECISION{Review Result?}
REVIEW_DECISION -->|Reclassify| CLASSIFY
REVIEW_DECISION -->|Maintain| CONTINUE[✅ CONTINUE<br/>Maintain Current Classification]
REVIEW_DECISION -->|Archive| ARCHIVE[📚 ARCHIVE<br/>Git History Preservation<br/>Immutable Records]
REVIEW_DECISION -->|Dispose| DISPOSE[🗑️ DISPOSE<br/>No Deletion for Public Data<br/>Transparency Principle]
CONTINUE --> MONITOR
ARCHIVE --> LONG_TERM[🕰️ LONG-TERM STORAGE<br/>Permanent Git History]
DISPOSE --> PRESERVE[🏛️ PRESERVE<br/>Public Record Retention<br/>Democratic Transparency]
classDef start fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
classDef classify fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
classDef label fill:#FFC107,stroke:#FFA000,stroke-width:2px,color:#000000
classDef handle fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
classDef process fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#ffffff
classDef store fill:#1565C0,stroke:#0D47A1,stroke-width:2px,color:#ffffff
classDef decision fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
classDef archive fill:#8D6E63,stroke:#5D4037,stroke-width:2px,color:#ffffff
classDef critical fill:#D32F2F,stroke:#B71C1C,stroke-width:2px,color:#ffffff
classDef success fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
class START start
class CLASSIFY,REVIEW classify
class CLASSIFY_DECISION,REVIEW_DECISION decision
class LABEL_PUBLIC,LABEL_INTERNAL,LABEL_CONF,LABEL_REST label
class HANDLE_PUBLIC,HANDLE_INTERNAL,HANDLE_CONF,HANDLE_REST handle
class PROCESS,DEPLOY,MONITOR process
class STORE store
class ARCHIVE,LONG_TERM,PRESERVE archive
class DISPOSE,CONTINUE success
Duration: Continuous (daily automated execution)
Responsibility: GitHub Actions workflow, European Parliament MCP Server
Actions:
- Fetch data from European Parliament Open Data API
- Validate API responses (schema validation)
- Log data receipt in Git commit metadata
Duration: Automated (classification rules applied)
Responsibility: Security Architect (policy), automated systems (execution)
Classification Criteria:
- ✅ Data source: European Parliament Open Data (Public by default)
- ✅ Content type: Parliamentary proceedings, MEP information (Public)
- ✅ Accuracy requirements: Democratic transparency (Medium Integrity)
- ✅ Availability needs: Daily updates (Medium Availability)
Classification Result: 🟢 Public / 🟡 Medium Integrity / 🟡 Medium Availability
Duration: Automatic (badge generation)
Responsibility: Documentation templates, markdown badges
Labeling Methods:
- GitHub shields.io badges in documentation
- Classification metadata in file headers
- Git commit messages with classification context
EU Parliament Monitor Labeling:
- ✅ Public badge:
[] - ✅ Medium Integrity:
[] - ✅ Medium Availability:
[]
Duration: Throughout data lifecycle
Responsibility: Automated systems, security controls
Public Data Handling:
- ✅ TLS 1.2+, TLS 1.3 where supported (TLS 1.3 preferred) for all transmissions
- ✅ No access control required (public by design)
- ✅ Git version control for integrity
- ✅ No encryption at rest (public data)
- ✅ Standard GitHub Actions security
Duration: 15-30 minutes per execution
Responsibility: LLM content generation, translation services
Processing Steps:
- Parse European Parliament data
- Generate news articles (LLM-powered)
- Translate to 14 languages
- Render HTML templates
- Validate output quality
Duration: Permanent (Git version control)
Responsibility: Git, GitHub repository
Storage Controls:
- ✅ Git cryptographic hashing (integrity)
- ✅ Distributed architecture (redundancy)
- ✅ Git object integrity via commit hashes (no automated commit signing)
- ✅ Branch protection (change control)
Duration: Minutes (AWS S3 + CloudFront deployment)
Responsibility: GitHub Actions, AWS S3, Amazon CloudFront
Deployment Controls:
- ✅ Automated deployment pipeline
- ✅ TLS 1.2+, TLS 1.3 where supported (HTTPS only)
- ✅ CDN caching (availability)
- ✅ No authentication (public access)
Duration: Continuous
Responsibility: GitHub Actions, Git logs, AWS CloudFront, AWS S3, AWS CloudTrail
Monitoring Methods:
- ✅ Git commit history (all changes tracked)
- ✅ GitHub Actions workflow logs
- ✅ AWS CloudFront access logs / real-time logs
- ✅ AWS S3 server access logs / CloudTrail S3 data events
- ✅ Dependabot security alerts
Duration: Quarterly (every 3 months)
Responsibility: Security Architect, CEO approval
Review Triggers:
- Scheduled: Quarterly reviews (every 3 months)
- Event-driven: Major feature changes, security incidents
- Compliance: Regulatory requirement updates (GDPR, NIS2, EU CRA)
Review Outcomes:
- Reclassify: Change classification level (return to Stage 2)
- Maintain: Continue with current classification (return to Stage 8)
- Archive: Move to long-term preservation (Stage 10)
- Dispose: Evaluate for deletion (Stage 11 - N/A for EP Monitor)
Duration: Permanent
Responsibility: Git version history, GitHub repository
Archiving Method:
- ✅ Immutable Git history (Git object hashing, SHA-1 by default; SHA-256 if enabled)
- ✅ No retroactive content modification
- ✅ Complete audit trail preservation
- ✅ Compliance with transparency principles
Duration: N/A (no permanent deletion)
Responsibility: Security Architect policy decision
EU Parliament Monitor Policy:
- ❌ No permanent deletion of public content
- ✅ Transparency principle: public record preservation
- ✅ Democratic accountability: historical record maintained
- ✅ Git architecture: immutable history by design
Initial Classification Decisions:
-
Confidentiality = Public (Level 1)
- Rationale: European Parliament open data, public by design
- Decision maker: Security Architect
- Review date: 2026-05-17
-
Integrity = Medium (Level 2)
- Rationale: News accuracy critical for democratic transparency
- Decision maker: Security Architect
- Review date: 2026-05-17
- Enhancement plan: Automated fact-checking (Q4 2026)
-
Availability = Medium (Level 2)
- Rationale: Daily updates expected, 24h outage acceptable
- Decision maker: Security Architect
- Review date: 2026-05-17
-
RTO = 24 hours
- Rationale: Manual trigger available, not mission-critical
- Decision maker: Security Architect
- Review date: 2026-05-17
-
RPO = 1 day
- Rationale: Daily generation schedule, regenerable content
- Decision maker: Security Architect
- Review date: 2026-05-17
-
Privacy = Personal (public-source)
- Rationale: Publicly available MEP personal data from EP open data; GDPR applies with reduced risk due to public-official context; no special categories; DSRs handled with applicable exemptions
- Decision maker: Security Architect & Legal
- Review date: 2026-05-17
- Quarterly Reviews: Every 3 months
- Next Review: 2026-05-17
- Triggered Reviews: Upon architecture changes, incidents, or threat landscape shifts
- Major feature additions (e.g., user authentication, API)
- Security incidents affecting classification
- Regulatory requirement changes (GDPR, NIS2, EU CRA)
- Business model changes (e.g., premium features)
- Threat landscape evolution
- Document Owner: CEO (James Pether Sörling)
- Classification Authority: Security Architect
- Review Approver: CEO
- ISMS Alignment: Hack23 ISMS Classification Framework
| Classification Level | Required Controls | EU Parliament Monitor Implementation |
|---|---|---|
| Confidentiality: Public | TLS for transit, public access | ✅ AWS S3 + CloudFront HTTPS, open repository |
| Integrity: Medium | Version control, code review, testing | ✅ Git, PR workflow, 82% test coverage |
| Availability: Medium | Monitoring, manual recovery, CDN | ✅ GitHub Actions monitoring, AWS S3 + CloudFront CDN |
| RTO: 24 hours | Automated recovery, manual backup | ✅ Workflow retry, manual trigger |
| RPO: 1 day | Daily backups, version control | ✅ Git commits, GitHub repository |
| Privacy: Personal (public-source) | GDPR compliance, minimization, DSR handling | ✅ Public-source MEP data only, no special categories, DSRs handled with applicable exemptions |
This classification scheme aligns with ISO 27001:2022 Annex A information classification controls:
| ISO 27001:2022 Control | Classification Requirement | EU Parliament Monitor Implementation | Status |
|---|---|---|---|
| 5.12 Classification of information | Define classification levels | C (Public/Internal/Confidential/Restricted) scheme | ✅ |
| 5.13 Labelling of information | Apply labels to assets | Classification badges in all ISMS documents | ✅ |
| 5.14 Information transfer | Classification-based transfer rules | HTTPS-only, TLS 1.3 for all transfers | ✅ |
| 5.9 Inventory of information and other assets | Asset register with classifications | SBOM (technical assets) + documentation inventory | ✅ |
| 8.12 Data leakage prevention | Prevent unauthorized disclosure | No PII collected, public data only | ✅ |
| 5.33 Protection of records | Records retention and protection | Git immutable history, GitHub repository | ✅ |
ISO 27001:2022 Classification Compliance: ✅ All 6 applicable controls implemented
| Subcategory | Description | Classification Alignment | Status |
|---|---|---|---|
| GV.RM-01 | Risk management objectives established | Public C, Moderate I, Standard A drives risk appetite | ✅ |
| GV.RM-02 | Risk appetite established and communicated | Classification CLASSIFICATION.md public documentation | ✅ |
| ID.AM-05 | Resources prioritized by sensitivity | Public-only data = lowest priority tier | ✅ |
| ID.AM-07 | Inventories of data managed | No PII inventory needed (public data only) | ✅ |
| ID.RA-02 | Threat intelligence received and analyzed | THREAT_MODEL.md cross-referenced with classification | ✅ |
| PR.DS-01 | Data at rest protected per classification | Public data — Git repository integrity | ✅ |
| PR.DS-02 | Data in transit protected per classification | TLS 1.3 HTTPS consistent with all classification levels | ✅ |
| CIS Control | Safeguard | Classification-Based Implementation | IG Level | Status |
|---|---|---|---|---|
| 3.1 | Establish data management process | Public data classification = minimal handling requirements | IG1 | ✅ |
| 3.2 | Establish data inventory | SBOM + documentation inventory | IG1 | ✅ |
| 3.3 | Configure data access control | Public = no access controls; workflow access = least privilege | IG1 | ✅ |
| 3.7 | Establish data classification scheme | Confidentiality (C), Integrity (I), Availability (A) triad | IG2 | ✅ |
| 3.12 | Segment data processing | EP data processing isolated in GitHub Actions (ephemeral) | IG2 | ✅ |
| ISMS-PUBLIC Policy | Classification Relevance | Alignment Evidence |
|---|---|---|
| 📋 Information Security Policy | Overall security governance framework | Public classification consistent with open-source mandate |
| 🏷️ Classification Policy | Classification scheme definition | CIA triad ratings derived from this policy |
| 🔑 Access Control Policy | Access decisions based on classification | Public content = no authentication; workflow = least privilege |
| 🔒 Cryptography Policy | Encryption requirements by classification | TLS 1.3 minimum consistent with public data classification |
| 📊 Risk Assessment Methodology | Risk scoring tied to classification | RTO/RPO derived from Availability classification |
| 🌐 ISMS Transparency Plan | Public disclosure aligned with C=Public | All ISMS docs public per transparency commitment |
| 📝 Open Source Policy | Open source classification requirements | Apache-2.0 license, public repository, open data |
| 🤖 AI Policy | AI-generated content classification | News content generated by AI scripts = public classification maintained |
Classification Status: ✅ COMPLETE
Threat Modeling Status: Ready to proceed (THREAT_MODEL.md)
ISMS Compliance: ✅ Aligned with Hack23 ISMS Classification Framework
This classification framework serves as the foundation for threat modeling, risk assessment, and security control selection. All security decisions must align with these classification levels.
— EU Parliament Monitor Security Team