🏷️ EU Parliament Monitor Classification Framework

April 8, 2026 Β· View on GitHub

Hack23 Logo

🏷️ EU Parliament Monitor β€” Classification & Business Continuity

Systematic Classification Excellence Through Impact Analysis
Open Source Intelligence Platform Classification Framework

Owner Version Effective Date Review Cycle

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 1.1 | πŸ“… Last Updated: 2026-02-25 (UTC)
πŸ”„ Review Cycle: Quarterly | ⏰ Next Review: 2026-05-25


πŸ“š Architecture Documentation Map

DocumentFocusDescriptionDocumentation Link
ArchitectureπŸ›οΈ ArchitectureC4 model showing current system structureView Source
Future ArchitectureπŸ›οΈ ArchitectureC4 model showing future system structureView Source
Mindmaps🧠 ConceptCurrent system component relationshipsView Source
Future Mindmaps🧠 ConceptFuture capability evolutionView Source
SWOT AnalysisπŸ’Ό BusinessCurrent strategic assessmentView Source
Future SWOT AnalysisπŸ’Ό BusinessFuture strategic opportunitiesView Source
Data ModelπŸ“Š DataCurrent data structures and relationshipsView Source
Future Data ModelπŸ“Š DataEnhanced European Parliament data architectureView Source
FlowchartsπŸ”„ ProcessCurrent data processing workflowsView Source
Future FlowchartsπŸ”„ ProcessEnhanced AI-driven workflowsView Source
State DiagramsπŸ”„ BehaviorCurrent system state transitionsView Source
Future State DiagramsπŸ”„ BehaviorEnhanced adaptive state transitionsView Source
Security ArchitectureπŸ›‘οΈ SecurityCurrent security implementationView Source
Future Security ArchitectureπŸ›‘οΈ SecuritySecurity enhancement roadmapView Source
Threat Model🎯 SecuritySTRIDE threat analysisView Source
Classification🏷️ GovernanceCIA classification & BCPView Source
CRA AssessmentπŸ›‘οΈ ComplianceCyber Resilience ActView Source
Workflowsβš™οΈ DevOpsCI/CD documentationView Source
Future WorkflowsπŸš€ DevOpsPlanned CI/CD enhancementsView Source
Business Continuity PlanπŸ”„ ResilienceRecovery planningView Source
Financial Security PlanπŸ’° FinancialCost & security analysisView Source
End-of-Life StrategyπŸ“¦ LifecycleTechnology EOL planningView Source
Unit Test PlanπŸ§ͺ TestingUnit testing strategyView Source
E2E Test PlanπŸ” TestingEnd-to-end testingView Source
Performance Testing⚑ PerformancePerformance benchmarksView Source
Security PolicyπŸ”’ SecurityVulnerability reporting & security policyView Source

🎯 Purpose Statement

EU Parliament Monitor's classification framework demonstrates how systematic impact analysis enables security excellence and informed decision-making for open source intelligence platforms. This comprehensive classification serves as the foundation for threat modeling, risk assessment, and business continuity planning.

This document provides structured classification across confidentiality, integrity, availability, recovery objectives, and business impact dimensions. It establishes the baseline for security control selection and incident response prioritization.

Our transparent classification approach showcases methodical risk assessment aligned with Hack23 ISMS Classification Framework, enabling evidence-based security decision-making.

β€” James Pether SΓΆrling, CEO/Founder


🏷️ EU Parliament Monitor Classification Framework

This document outlines the classification framework and business impact analysis for EU Parliament Monitor, a static website generator creating multi-language news about European Parliament activities.


πŸ“Š Classification Decision Tree

The following decision tree helps determine the appropriate classification level for EU Parliament Monitor data:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#0D47A1',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FF9800'
    }
  }
}%%
flowchart TD
    START["πŸ“Š Data Received/Created"] --> EP_CHECK{"πŸ›οΈ European Parliament\nOpen Data Source?"}
    
    EP_CHECK -->|"βœ… Yes"| PII_CHECK{"πŸ‘€ Contains non-public or\nsensitive personal data?"}
    EP_CHECK -->|"❌ No"| REVIEW["πŸ” Manual Review Required"]
    
    PII_CHECK -->|"❌ No"| ACCESS_CHECK{"πŸ” Requires Access\nControl?"}
    PII_CHECK -->|"βœ… Yes"| HIGH_CONF["πŸ”΄ High Confidentiality\nNon-public/sensitive PII\nNot Applicable to EP Monitor"]
    
    ACCESS_CHECK -->|"❌ No"| ACCURACY_CHECK{"βœ… Accuracy\nCritical?"}
    ACCESS_CHECK -->|"βœ… Yes"| INTERNAL["🟑 Internal Classification\nNot Applicable to EP Monitor"]
    
    ACCURACY_CHECK -->|"βœ… Yes"| PUBLIC_MED["🟒 PUBLIC Confidentiality\n🟑 MEDIUM Integrity\nβœ… Current EP Monitor Status"]
    ACCURACY_CHECK -->|"❌ No"| PUBLIC_LOW["🟒 PUBLIC Confidentiality\n🟒 LOW Integrity\nNot Typical for EP Monitor"]
    
    PUBLIC_MED --> AVAIL_CHECK{"⏱️ 24-hour Outage\nAcceptable?"}
    
    AVAIL_CHECK -->|"βœ… Yes"| FINAL["βœ… Final Classification:\nπŸ“Š Confidentiality: PUBLIC\nβœ… Integrity: MEDIUM\n⏱️ Availability: MEDIUM\n🚨 RTO: 24 hours\nπŸ”„ RPO: 1 day"]
    AVAIL_CHECK -->|"❌ No"| HIGH_AVAIL["⚑ High Availability Required\nNot Current EP Monitor Design"]
    
    classDef start fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
    classDef decision fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
    classDef success fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
    classDef warning fill:#FFC107,stroke:#FFA000,stroke-width:2px,color:#000000
    classDef critical fill:#D32F2F,stroke:#B71C1C,stroke-width:2px,color:#ffffff
    classDef final fill:#7B1FA2,stroke:#4A148C,stroke-width:3px,color:#ffffff
    
    class START start
    class EP_CHECK,PII_CHECK,ACCESS_CHECK,ACCURACY_CHECK,AVAIL_CHECK decision
    class PUBLIC_MED,FINAL success
    class PUBLIC_LOW,INTERNAL warning
    class HIGH_CONF,HIGH_AVAIL critical
    class REVIEW final

Decision Tree Explanation:

  1. European Parliament Data Check: All EP Monitor data originates from official EP open data APIs
  2. PII Check: MEP names and roles are publicly available personal data from official European Parliament open data sources. Processing is limited to transparency and journalistic purposes and relies on GDPR Article 6(1)(f) (legitimate interests) and applicable Article 85 freedom-of-expression/journalistic exemptions; no special category data is processed.
  3. Access Control Check: No authentication or authorization required for public transparency platform
  4. Accuracy Check: News accuracy is critical for democratic transparency and public trust
  5. Availability Check: 24-hour outages acceptable given daily update schedule and non-critical nature

πŸ“Š System Classification Summary

EU Parliament Monitor is classified as:

DimensionLevelBadgeRationale
πŸ”’ ConfidentialityPublic (Level 1)PublicAll data from European Parliament open data sources, no private information, publicly accessible content
βœ… IntegrityMedium (Level 2)ModerateNews accuracy critical for democratic transparency, incorrect information could mislead public opinion
⏱️ AvailabilityMedium (Level 2)ModerateDaily updates expected, 24-hour outages acceptable, not mission-critical infrastructure
🚨 RTO24 hoursMediumManual workflow trigger available, automated recovery via GitHub Actions
πŸ”„ RPO1 dayDailyDaily generation schedule, previous day's content acceptable loss
🏷️ PrivacyPersonal (public-source)PersonalPublicly available personal data of elected representatives (MEP names/roles); no special categories; GDPR applies with reduced risk

Project Type: Content Creation Static site generator for European Parliament intelligence


πŸ’° Business Impact Analysis Matrix

EU Parliament Monitor Specific Impact Assessment

Impact CategoryFinancialOperationalReputationalRegulatory
πŸ”’ Confidentiality BreachNegligibleNegligibleNegligibleNegligible
βœ… Integrity CompromiseLow - <$500 dailyModerate - Content correctionModerate - Trust erosionLow - Transparency concerns
⏱️ Availability LossLow - <$500 dailyLow - Manual triggerLow - Limited visibilityNegligible

Classification Rationale

πŸ”’ Confidentiality: Public (Level 1)

Justification:

  • All source data from European Parliament's public open data APIs
  • Generated news articles publicly accessible via AWS S3 + Amazon CloudFront
  • No authentication, authorization, or access controls required
  • Only publicly available MEP personal data processed (no non-public personal data, no special category data, no end-user tracking data)
  • Designed for maximum transparency and public accessibility

Impact if Compromised: Negligible - Data already public

βœ… Integrity: Medium (Level 2)

Justification:

  • News accuracy critical for democratic transparency and informed citizenry
  • Incorrect information could mislead public opinion on parliamentary activities
  • Content influences understanding of European democratic processes
  • Manual content validation currently required
  • Reputation depends on factual accuracy and reliability

Impact if Compromised: Moderate - Public misinformation, trust erosion

⏱️ Availability: Medium (Level 2)

Justification:

  • Daily content generation expected by users
  • 24-hour outages acceptable (not mission-critical)
  • Manual workflow trigger available as backup
  • GitHub Actions provides automated recovery
  • Static site architecture inherently resilient

Impact if Compromised: Low - Delayed content, limited operational impact


πŸ“ˆ Impact Level Definitions

πŸ’Έ Financial Impact Levels {#financial-impact-levels}

EU Parliament Monitor Context: Low-cost infrastructure (AWS S3 + CloudFront), volunteer-driven, no revenue generation.

  • Critical Major revenue impact (>$10K daily) β€” N/A for volunteer project
  • Very High Substantial penalties ($5K-10K daily) β€” N/A for volunteer project
  • High Regulatory fines ($1K-5K daily) β€” N/A for volunteer project
  • Moderate Incident response costs ($500-1K daily) β€” Low probability
  • Low Minimal impact (<$500 daily) β€” Current exposure level
  • Negligible No financial consequences β€” Most scenarios

🏒 Operational Impact Levels {#operational-impact-levels}

EU Parliament Monitor Context: Static site generator, GitHub Actions automation, manual fallback available.

  • Critical Complete service outage β€” Low probability (AWS S3 + CloudFront redundancy)
  • High Major service degradation β€” Low probability (static architecture)
  • Moderate Partial service impact β€” Possible (workflow failures, content errors)
  • Low Minor inconvenience β€” Current exposure (delayed updates)
  • Negligible No operational impact β€” Most scenarios

🀝 Reputational Impact Levels {#reputational-impact-levels}

EU Parliament Monitor Context: Transparency-focused intelligence platform, volunteer open source project.

  • Critical International media coverage β€” Very low probability
  • High National coverage β€” Low probability
  • Moderate Industry attention β€” Possible (content accuracy issues)
  • Low Limited visibility β€” Current exposure (minor errors)
  • Negligible No reputational impact β€” Most scenarios

πŸ“œ Regulatory Impact Levels {#regulatory-impact-levels}

EU Parliament Monitor Context: Public open data, no PII, GDPR compliant by design, transparency-aligned.

  • Critical Criminal charges β€” Not applicable (no sensitive data)
  • Very High Major penalties β€” Not applicable (no sensitive data)
  • High Significant fines β€” Not applicable (no sensitive data)
  • Moderate Minor penalties β€” Very low probability
  • Low Warnings β€” Low probability (transparency concerns)
  • Negligible No regulatory implications β€” Current status

πŸ”’ Security Classification Framework

πŸ—οΈ Data Classification Hierarchy

The following diagram illustrates the four-level information classification hierarchy used across Hack23 projects, with EU Parliament Monitor positioned at the Public level:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#0D47A1',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FF9800'
    }
  }
}%%
graph TB
    subgraph HIERARCHY["πŸ—οΈ Hack23 Information Classification Hierarchy"]
        RESTRICTED["πŸ”΄ RESTRICTED\nHighest Protection\nZero-trust architecture\nHSM, MFA, biometrics"]
        CONFIDENTIAL["🟠 CONFIDENTIAL\nStrong Protection\nEncryption, RBAC, monitoring"]
        INTERNAL["🟑 INTERNAL\nStandard Protection\nAccess control, authentication"]
        PUBLIC["🟒 PUBLIC\nMinimal Protection\nTLS in transit only"]
    end
    
    RESTRICTED -.->|Lower sensitivity| CONFIDENTIAL
    CONFIDENTIAL -.->|Lower sensitivity| INTERNAL
    INTERNAL -.->|Lower sensitivity| PUBLIC
    
    subgraph EP_MONITOR["πŸ›οΈ EU Parliament Monitor"]
        EP_DATA["πŸ“Š European Parliament Data\nβœ… Public open data APIs\nβœ… Only public-identifiable data\nβœ… No non-public or special category data"]
        EP_NEWS["πŸ“° Generated News Articles\nβœ… 14 languages\nβœ… Public AWS S3 + CloudFront\nβœ… No access control"]
    end
    
    PUBLIC -.->|Applied to| EP_MONITOR
    
    classDef critical fill:#D32F2F,stroke:#B71C1C,stroke-width:3px,color:#ffffff
    classDef high fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
    classDef medium fill:#FFC107,stroke:#FFA000,stroke-width:2px,color:#000000
    classDef low fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
    classDef epmonitor fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
    
    class RESTRICTED critical
    class CONFIDENTIAL high
    class INTERNAL medium
    class PUBLIC low
    class EP_DATA,EP_NEWS epmonitor

Hierarchy Characteristics:

LevelProtection ControlsEU Parliament Monitor Applicability
πŸ”΄ RestrictedHSM, zero-trust, biometric auth, air-gapped systems❌ Not applicable - no sensitive data
🟠 ConfidentialStrong encryption (AES-256), RBAC, SIEM monitoring❌ Not applicable - transparency platform
🟑 InternalStandard access control, authentication, basic encryption❌ Not applicable - public by design
🟒 PublicTLS 1.2+ (TLS 1.3 where supported) in transit, public repository, open sourceβœ… CURRENT LEVEL - maximum transparency

πŸ›‘οΈ Confidentiality Levels {#confidentiality-levels}

EU Parliament Monitor Classification: Public (Level 1)

LevelBadgeDescriptionEU Parliament Monitor Context
ExtremeExtremeNational security, quantum encryptionNot applicable
Very HighVery HighZero-trust, advanced threat protectionNot applicable
HighHighStrong encryption, MFA, monitoringNot applicable
ModerateModerateStandard encryption, role-based accessNot applicable
LowLowBasic protection, standard authNot applicable
PublicPublicNo confidentiality requirementsβœ… CURRENT LEVEL

Controls Required:

  • βœ… TLS 1.2+ (TLS 1.3 where supported) for data in transit (Amazon CloudFront, API calls)
  • βœ… Public content by design
  • βœ… No authentication/authorization systems needed
  • βœ… Transparent, open source codebase

βœ… Integrity Levels {#integrity-levels}

EU Parliament Monitor Classification: Moderate (Level 2)

LevelBadgeDescriptionEU Parliament Monitor Context
CriticalCriticalReal-time validation, immutable logsFuture aspiration (Q4 2026)
HighHighAutomated validation, digital signaturesFuture phase (Q3 2026)
ModerateModerateStandard validation, checksumsβœ… CURRENT LEVEL
LowLowBasic validation, manual verificationNot appropriate
MinimalMinimalBest-effort basis onlyNot acceptable

Controls Required:

  • βœ… Git version control (change tracking, audit trail)
  • βœ… Git object integrity via commit hashes (no automated commit signing)
  • βœ… Immutable Git history
  • βœ… Automated testing (unit tests 82%, E2E tests)
  • βœ… Code review via pull requests
  • ⏳ Content validation (manual, future automation planned Q3 2026)
  • ⏳ Fact-checking integration (planned Q4 2026)

⏱️ Availability Levels {#availability-levels}

EU Parliament Monitor Classification: Moderate (Level 2)

LevelBadgeDescriptionEU Parliament Monitor Context
Mission CriticalMission Critical99.99% uptime, instant failoverNot applicable
HighHigh99.9% uptime, automated failoverFuture phase
ModerateModerate99.5% uptime, manual failoverβœ… CURRENT LEVEL
StandardStandard99% uptime, basic redundancyMinimum acceptable
Best EffortBest EffortNo uptime guaranteesNot acceptable

Controls Required:

  • βœ… AWS S3 + Amazon CloudFront infrastructure (99.9% uptime SLA)
  • βœ… Static site architecture (no server-side execution)
  • βœ… Amazon CloudFront global CDN distribution
  • βœ… Manual workflow trigger (backup recovery)
  • βœ… GitHub Actions automated recovery
  • βœ… Multiple repository copies (Git distributed architecture)

🏷️ Privacy & PII Protection Levels {#privacy-levels}

EU Parliament Monitor Classification: Personal (public-source, public-official context)

LevelBadgeDescriptionGDPR ContextEU Parliament Monitor Context
Special CategorySpecial CategoryArt. 9 dataExplicit consent requiredNot applicable
Personal IdentifierPersonal IdentifierDirect identifiersGDPR Art. 4(1)Not applicable
PersonalPersonalPersonal dataGDPR compliance requiredβœ… CURRENT STATUS β€” publicly available MEP names/roles from EP open data
PseudonymizedPseudonymizedDe-identified with keyGDPR Art. 4(5)Not applicable
AnonymizedAnonymizedIrreversibly de-identifiedOutside GDPR scopeNot applicable
NA (Not Applicable)NANon-personal dataNo GDPR obligationsNot applicable

GDPR Compliance Status:

  • βœ… Publicly available personal data of elected representatives only (no special categories, no behavioural profiling)
  • βœ… No cookies, tracking, or analytics
  • βœ… No user accounts or authentication
  • βœ… Public European Parliament data only
  • βœ… GDPR by design (data protection by design and by default)
  • βœ… Data subject rights handled case-by-case subject to applicable freedom-of-expression and public-interest exemptions

⏱️ Recovery Time Classifications

🚨 RTO (Recovery Time Objective) {#rto-classifications}

EU Parliament Monitor Classification: Medium (24 hours)

LevelBadgeTime WindowEU Parliament Monitor Context
InstantInstant< 5 minutesNot required
CriticalCritical5-60 minutesNot required
HighHigh1-4 hoursNot required
MediumMedium4-24 hoursβœ… CURRENT TARGET
LowLow24-72 hoursAcceptable fallback
StandardStandard> 72 hoursNot acceptable

Recovery Strategy:

  • βœ… GitHub Actions automated workflow retry
  • βœ… Manual workflow trigger via GitHub UI
  • βœ… Static site resilience (existing content remains available)
  • βœ… AWS S3 + CloudFront redundancy (no single point of failure)
  • βœ… Daily generation schedule provides natural recovery window

Acceptable Downtime: 24 hours (content generation can be delayed without critical impact)

πŸ”„ RPO (Recovery Point Objective) {#rpo-classifications}

EU Parliament Monitor Classification: Daily (24 hours)

LevelBadgeData Loss WindowEU Parliament Monitor Context
Zero LossZero Loss< 1 minuteNot required
Near Real-timeNear Real-time1-15 minutesNot required
MinimalMinimal15-60 minutesNot required
HourlyHourly1-4 hoursFuture aspiration
DailyDaily4-24 hoursβœ… CURRENT ACCEPTABLE
ExtendedExtended> 24 hoursNot preferred

Data Loss Strategy:

  • βœ… Daily content generation schedule
  • βœ… Git version control (all content versioned)
  • βœ… GitHub repository backup (distributed copies)
  • βœ… Previous day's content acceptable loss
  • βœ… EP API data remains available for regeneration

Acceptable Data Loss: Up to 24 hours of generated content (regenerable from source)


🎯 Project Type Classifications {#project-type-classifications}

EU Parliament Monitor Project Classification

Primary Type:

  • Content Creation Static site generator for news intelligence

Secondary Types:

  • Development Tools Open source CLI tooling
  • Data Analytics European Parliament data aggregation

Characteristics:

  • Zero production dependencies
  • GitHub Actions automation
  • Static HTML output
  • Multi-language support (14 languages)
  • MCP (Model Context Protocol) integration
  • LLM-powered content generation

Security Level: Moderate (static architecture, public data, integrity-focused)


πŸ“š EU Parliament Data Classification Examples

Specific Data Type Classifications

The following table provides explicit classifications for various types of European Parliament data processed by EU Parliament Monitor:

Data TypeSourceConfidentialityIntegrityAvailabilityRationale
πŸ›οΈ MEP Personal Data (Names, roles, contact)EP Open Data API🟒 Public🟑 Medium🟑 MediumPublic officials, accuracy matters for democratic transparency
πŸ“‹ Plenary Session RecordsEP Open Data API🟒 Public🟑 Medium🟑 MediumOfficial parliamentary proceedings, historical accuracy critical
πŸ“Š Committee DocumentsEP Open Data API🟒 Public🟑 Medium🟒 LowCommittee work publicly accessible, moderate accuracy needs
πŸ—³οΈ Voting RecordsEP Open Data API🟒 PublicπŸ”΄ High🟑 MediumDemocratic accountability requires highest integrity
πŸ“œ Legislative DocumentsEP Open Data API🟒 Public🟑 Medium🟑 MediumLegal texts require accuracy but publicly available
πŸ“° Generated News Articles (14 languages)EP Monitor (Generated)🟒 Public🟑 Medium🟒 LowTransparency content, accuracy important but not mission-critical
πŸ“Š Session SummariesEP Monitor (Processed)🟒 Public🟑 Medium🟒 LowAggregated insights, public transparency focus
🌐 Multi-Language TranslationsEP Monitor (Generated)🟒 Public🟑 Medium🟒 LowLinguistic accuracy important for international audience

Data Classification Decision Factors

Why Everything is Public (Level 1) Confidentiality:

  • βœ… All data originates from European Parliament's official open data sources
  • βœ… EU transparency regulations mandate public access to parliamentary proceedings
  • βœ… No authentication, authorization, or access control mechanisms needed
  • βœ… Personal data protection (GDPR) requirements apply, but risk and required controls are reduced because MEP information is public official data from open sources
  • βœ… Designed for maximum democratic transparency and citizen engagement

Why Integrity Varies (Low to High):

  • πŸ—³οΈ High Integrity: Voting records require absolute accuracy for democratic accountability
  • 🟑 Medium Integrity: Most content requires accuracy but corrections are acceptable
  • 🟒 Low Integrity: Supplementary content where errors have minimal impact

Why Availability is Medium/Low:

  • Daily content generation schedule provides natural recovery window
  • 24-hour outages acceptable - not mission-critical democratic infrastructure
  • Manual workflow triggers available as backup
  • AWS S3 with CloudFront provides inherent resilience via global CDN distribution

Multi-Language Content Classification {#multi-language-classification}

Language Coverage: 14 languages (en, sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh)

Uniform Classification Across Languages:

AttributeClassificationApplies to All 14 Languages
πŸ”’ Confidentiality🟒 Publicβœ… Yes - all language variants equally public
βœ… Integrity🟑 Mediumβœ… Yes - translation accuracy equally important
⏱️ Availability🟑 Mediumβœ… Yes - same 24-hour RTO applies to all
🚨 RTO24 hoursβœ… Yes - same recovery objective for all
πŸ”„ RPO1 dayβœ… Yes - daily regeneration schedule universal

Language-Specific Considerations:

  • Translation quality monitored but not cryptographically verified
  • All languages generated simultaneously in single workflow
  • No language-based access restrictions or geographic fencing
  • Cultural context maintained across translations
  • No special protection for any specific language variant

πŸ“‹ Data Lifecycle Management

Complete Data Lifecycle for EU Parliament Monitor

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#0D47A1',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FF9800'
    }
  }
}%%
flowchart TB
    subgraph CREATION["πŸ“₯ Data Creation/Collection"]
        EP_API[πŸ›οΈ EP Open Data API Call]
        MCP_FETCH[πŸ”Œ MCP Server Data Fetch]
        API_RESPONSE[πŸ“Š JSON API Response]
    end
    
    subgraph PROCESSING["βš™οΈ Data Processing"]
        PARSE[πŸ” Parse EP Data]
        TRANSFORM[πŸ”„ Transform to News Format]
        LLM_GEN[πŸ€– LLM Content Generation]
        TRANSLATE[🌐 14-Language Translation]
    end
    
    subgraph STORAGE["πŸ’Ύ Data Storage"]
        GIT_COMMIT[πŸ“ Git Commit]
        REPO_STORE[πŸ“¦ GitHub Repository]
        PAGES_DEPLOY[πŸš€ AWS S3 + CloudFront Deployment]
    end
    
    subgraph PUBLICATION["πŸ“’ Publication"]
        HTML_SERVE[🌐 Static HTML Serving]
        CDN_CACHE[⚑ Amazon CloudFront CDN Cache]
        PUBLIC_ACCESS[πŸ‘₯ Public Access]
    end
    
    subgraph ARCHIVING["πŸ“š Archiving"]
        GIT_HISTORY[πŸ•°οΈ Git Version History]
        IMMUTABLE[πŸ”’ Immutable Git Objects]
        LONG_TERM[πŸ“¦ Long-Term Preservation]
    end
    
    subgraph DISPOSAL["πŸ—‘οΈ Data Disposal"]
        RETENTION[⏰ Policy-Based Retention]
        AUTO_ARCHIVE[πŸ€– Automatic Archiving]
        NO_DELETION[❌ No Permanent Deletion<br/>Public record preservation]
    end
    
    EP_API --> MCP_FETCH
    MCP_FETCH --> API_RESPONSE
    API_RESPONSE --> PARSE
    PARSE --> TRANSFORM
    TRANSFORM --> LLM_GEN
    LLM_GEN --> TRANSLATE
    TRANSLATE --> GIT_COMMIT
    GIT_COMMIT --> REPO_STORE
    REPO_STORE --> PAGES_DEPLOY
    PAGES_DEPLOY --> HTML_SERVE
    HTML_SERVE --> CDN_CACHE
    CDN_CACHE --> PUBLIC_ACCESS
    
    REPO_STORE --> GIT_HISTORY
    GIT_HISTORY --> IMMUTABLE
    IMMUTABLE --> LONG_TERM
    
    PUBLIC_ACCESS --> RETENTION
    RETENTION --> AUTO_ARCHIVE
    AUTO_ARCHIVE --> NO_DELETION
    
    classDef creation fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
    classDef processing fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
    classDef storage fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
    classDef publication fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#ffffff
    classDef archiving fill:#1565C0,stroke:#0D47A1,stroke-width:2px,color:#ffffff
    classDef disposal fill:#9E9E9E,stroke:#616161,stroke-width:2px,color:#ffffff
    
    class EP_API,MCP_FETCH,API_RESPONSE creation
    class PARSE,TRANSFORM,LLM_GEN,TRANSLATE processing
    class GIT_COMMIT,REPO_STORE,PAGES_DEPLOY storage
    class HTML_SERVE,CDN_CACHE,PUBLIC_ACCESS publication
    class GIT_HISTORY,IMMUTABLE,LONG_TERM archiving
    class RETENTION,AUTO_ARCHIVE,NO_DELETION disposal

Lifecycle Stage Details

πŸ“₯ Stage 1: Data Creation/Collection

Duration: Daily (automated via GitHub Actions)
Classification Impact: Public data from inception
Controls:

  • βœ… TLS 1.2+ (TLS 1.3 where supported) for API communications
  • βœ… European Parliament MCP Server runs as a local stdio child process (no network exposure; explicit authentication planned for future remote deployment)
  • βœ… API rate limiting and error handling
  • βœ… Automated retry mechanisms

Data Volumes:

  • ~50-100 MEP records per execution
  • ~10-20 plenary sessions per month
  • ~5-10 committee meetings per day
  • JSON payloads: 10-50 KB per request

βš™οΈ Stage 2: Data Processing

Duration: 15-30 minutes per execution
Classification Impact: Public input β†’ Public output (no classification change)
Controls:

  • βœ… Input validation and sanitization
  • βœ… Content safety checks (no malicious content generation)
  • βœ… Translation quality validation
  • βœ… Git repository integrity via commit hashes (no automated commit signing)

Processing Steps:

  1. Parse EP API JSON responses
  2. Transform to structured news format
  3. LLM-powered content generation (news articles)
  4. Multi-language translation (14 languages)
  5. HTML template rendering

πŸ’Ύ Stage 3: Storage

Duration: Permanent (Git version control)
Classification Impact: Public storage with integrity controls
Controls:

  • βœ… Git version control (immutable history)
  • βœ… GitHub repository backup (distributed copies)
  • βœ… Git object integrity via commit hashes (no automated commit signing)
  • βœ… Branch protection rules

Storage Characteristics:

  • Location: GitHub cloud infrastructure
  • Redundancy: Git distributed architecture (multiple clones)
  • Backup: GitHub's infrastructure backups + Git clones
  • Retention: Indefinite (public record preservation)

πŸ“’ Stage 4: Publication

Duration: Real-time (CDN caching)
Classification Impact: Public access with availability controls
Controls:

  • βœ… AWS S3 + CloudFront HTTPS (TLS 1.2+, TLS 1.3 where supported)
  • βœ… Amazon CloudFront (AWS Shield Standard for DDoS protection)
  • βœ… Static site architecture (no server-side vulnerabilities)
  • βœ… No authentication required (public by design)

Availability:

  • SLA: AWS S3 (Standard) and Amazon CloudFront, each with 99.9% availability SLA
  • CDN: Global edge caching
  • RTO: 24 hours (manual workflow trigger)
  • RPO: 1 day (daily generation acceptable)

πŸ“š Stage 5: Archiving

Duration: Automatic (Git version history)
Classification Impact: Public historical record
Controls:

  • βœ… Immutable Git objects (Git object hashing, SHA-1 by default; SHA-256 if enabled)
  • βœ… Permanent version history
  • βœ… No content deletion (transparency principle)
  • βœ… Historical audit trail

Archive Characteristics:

  • All content changes tracked via Git commits
  • Complete historical record of all articles
  • Tamper-evident via Git cryptographic hashing
  • No retroactive content modification

πŸ—‘οΈ Stage 6: Data Disposal

Duration: N/A (no permanent deletion)
Classification Impact: Public record preservation
Policy:

  • ❌ No permanent deletion of published content
  • βœ… Content remains in Git history indefinitely
  • βœ… Transparency principle: public record preservation
  • βœ… Compliance: EU transparency regulations

Rationale for No Deletion:

  • Democratic transparency requires historical preservation
  • Public officials' parliamentary activities are permanent public record
  • Git architecture supports immutable history
  • DSR rights to erasure are subject to applicable exemptions (public record, freedom of expression, journalistic/archival purpose)

πŸ›‘οΈ Information Handling Matrix

Classification-Based Handling Procedures

The following matrix defines specific handling procedures for each classification level across all data operations:

Handling ProcedureπŸ”΄ Restricted🟠 Confidential🟑 Internal🟒 PublicEU Parliament Monitor
πŸ’Ύ StorageHSM, encrypted vaults, air-gappedAES-256 encryption, encrypted databasesAccess-controlled storage, basic encryptionStandard storage, version controlβœ… Git (public), GitHub (cloud)
πŸ“‘ TransmissionQuantum-safe, VPN + TLS 1.3TLS 1.3, certificate pinningTLS 1.2+, standard HTTPSTLS 1.2+ (prefer 1.3)βœ… TLS 1.2+, TLS 1.3 where supported (CloudFront CDN, EP API)
🀝 SharingNeed-to-know, zero-trust, MFARole-based, MFA, audit loggingAuthenticated access, loggingPublic access, no restrictionsβœ… Public AWS S3 + CloudFront, no auth
πŸ—‘οΈ DisposalCryptographic erasure, physical destruction, witnessedMulti-pass overwrite (DoD 5220.22-M), secure deletionStandard deletion, recycle bin clearingStandard deletion or retentionβœ… Git history preservation (no deletion)
πŸ” Access ControlBiometric + MFA, zero-trustRBAC + MFA, privileged access managementUsername/password + RBACNo access control requiredβœ… No access control (public by design)
πŸ”’ EncryptionAES-256 + HSM, quantum-resistantAES-256, key rotation, KMSAES-128/256, managed keysTLS in transit onlyβœ… TLS 1.2+, TLS 1.3 where supported (CloudFront)
πŸ“‹ Labeling"RESTRICTED - AUTHORIZED ONLY""CONFIDENTIAL - INTERNAL USE""INTERNAL - STAFF ONLY""PUBLIC" or no labelβœ… PUBLIC (implied, no labels needed)
πŸ“Š LoggingImmutable audit logs, SIEM, real-time alertingComprehensive logging, SIEM integrationStandard logging, periodic reviewBasic logging or noneβœ… Git commits (immutable), GitHub audit
πŸ”„ BackupAir-gapped, encrypted, off-site vaultsEncrypted backups, off-site replicationStandard backups, encryptionGit version control, cloud backupsβœ… Git (distributed), GitHub backups
πŸ“± Mobile DevicesProhibited or heavily restrictedMDM, encryption, remote wipeMDM, basic encryptionNo restrictionsβœ… Public access from any device
☁️ Cloud StorageProhibited or private cloud onlyEncrypted, dedicated tenantsEncrypted, shared cloudPublic cloud, standard controlsβœ… AWS S3 (public cloud), CloudFront (CDN)
πŸ–¨οΈ PrintingProhibited or secure printers onlyWatermarked, secure disposalStandard printers, secure disposalUnrestrictedβœ… N/A (web-only content)

EU Parliament Monitor Handling Summary

🟒 Public Classification Handling:

βœ… Storage:

  • Public GitHub repository (no encryption required)
  • Git version control for integrity
  • Distributed architecture (multiple clones)

βœ… Transmission:

  • TLS 1.2+, TLS 1.3 where supported (Amazon CloudFront)
  • European Parliament API calls over HTTPS
  • No VPN or additional encryption needed

βœ… Sharing:

  • Public AWS S3 + CloudFront (open access)
  • No authentication, authorization, or access control
  • Maximum transparency and accessibility

βœ… Disposal:

  • No permanent deletion (public record preservation)
  • Git history maintained indefinitely
  • Compliance with transparency principles

βœ… Access Control:

  • None required (public by design)
  • No user accounts or login
  • Open source codebase

βœ… Encryption:

  • TLS 1.2+, TLS 1.3 where supported (in transit only)
  • No encryption at rest required (public data)
  • Amazon CloudFront HTTPS enforced

βœ… Logging:

  • Git commit history (immutable)
  • GitHub Actions workflow logs
  • No PII logging (no user data)

βœ… Backup:

  • Git distributed architecture (natural backups)
  • GitHub infrastructure backups
  • Multiple repository clones

πŸ“œ ISMS Policy Alignment

Framework Compliance Mapping

EU Parliament Monitor's classification framework aligns with multiple international standards and best practices:

πŸ” ISO 27001:2022 Alignment

ISO 27001 ControlControl NameEU Parliament Monitor ImplementationCompliance Status
A.5.12Classification of informationβœ… Documented classification framework (this document)βœ… COMPLIANT
A.5.13Labelling of informationβœ… Badges and metadata in all documentsβœ… COMPLIANT
A.5.14Information transferβœ… TLS 1.2+, TLS 1.3 where supported for all transmissions, EP API over HTTPSβœ… COMPLIANT
A.8.10Information deletionβœ… Git history preservation policy (no deletion)βœ… COMPLIANT
A.8.11Data maskingβšͺ N/A (no sensitive data)βšͺ N/A
A.8.12Data leakage preventionβšͺ N/A (public data by design)βšͺ N/A
A.5.10Acceptable use of informationβœ… Public domain, open source licensingβœ… COMPLIANT

πŸ›‘οΈ NIST Cybersecurity Framework 2.0 Alignment

NIST CSF 2.0 CategoryFunctionEU Parliament Monitor ImplementationMaturity Level
ID.AM-5Classify dataβœ… Complete classification framework (Public/Medium/Medium)🟒 Level 4 - Adaptive
PR.DS-1Protect data at restβœ… Git version control, GitHub backups🟒 Level 3 - Informed
PR.DS-2Protect data in transitβœ… TLS 1.2+, TLS 1.3 where supported (CloudFront CDN, S3, EP API)🟒 Level 4 - Adaptive
PR.DS-5Protections against data leaksβšͺ N/A (public data, no leaks possible)βšͺ N/A
PR.DS-6Integrity checkingβœ… Git cryptographic hashing (SHA-1 by default), commit hash verification🟒 Level 3 - Informed
PR.DS-7Separate dev/test/prodβœ… GitHub Actions environments, branch protection🟒 Level 3 - Informed
PR.DS-8Integrity verificationβœ… Automated testing (82% coverage), Git object hashing🟒 Level 3 - Informed

NIST CSF 2.0 Maturity Levels:

  • πŸ”΄ Level 1 - Partial: Ad hoc, reactive
  • 🟠 Level 2 - Risk-Informed: Aware but not systematic
  • 🟑 Level 3 - Repeatable: Documented and followed
  • 🟒 Level 4 - Adaptive: Continuous improvement

⚑ CIS Controls v8.1 Alignment

CIS ControlControl NameEU Parliament Monitor ImplementationImplementation Status
3.3Configure data access control listsβšͺ N/A (public access, no ACLs)βšͺ N/A
3.6Encrypt data on end-user devicesβšͺ N/A (static web content, no user devices)βšͺ N/A
3.11Encrypt sensitive data at restβšͺ N/A (public data, no encryption required)βšͺ N/A
3.12Segment data processingβœ… GitHub Actions isolation, ephemeral runnersβœ… IMPLEMENTED
3.14Log sensitive data accessβœ… Git commit logs, GitHub audit logsβœ… IMPLEMENTED
11.4Maintain isolated backupsβœ… Git distributed architecture, GitHub backupsβœ… IMPLEMENTED
11.5Test data recoveryβœ… Manual workflow trigger tested, Git clone recoveryβœ… IMPLEMENTED

πŸ‡ͺπŸ‡Ί GDPR Compliance

GDPR ArticleRequirementEU Parliament Monitor ImplementationCompliance Status
Art. 5(1)(a)Lawfulness, fairness, transparencyβœ… Public data, open source, maximum transparencyβœ… COMPLIANT
Art. 5(1)(b)Purpose limitationβœ… Democratic transparency only, defined purposeβœ… COMPLIANT
Art. 5(1)(c)Data minimizationβœ… European Parliament open data about public functions only; strict data minimization; no special categoriesβœ… COMPLIANT
Art. 5(1)(d)Accuracyβœ… Git version control, automated testing, integrity focusβœ… COMPLIANT
Art. 5(1)(e)Storage limitationβœ… Indefinite retention justified (public record preservation)βœ… COMPLIANT
Art. 5(1)(f)Integrity and confidentialityβœ… TLS 1.2+, Git integrity, GitHub securityβœ… COMPLIANT
Art. 25Data protection by designβœ… Architecture limited to EP open data; no behavioural tracking or unnecessary identifiersβœ… COMPLIANT
Art. 32Security of processingβœ… TLS 1.2+, Git integrity, GitHub Actions securityβœ… COMPLIANT

GDPR Summary:

  • βœ… Public-source institutional data only - Processes European Parliament open data about elected representatives and institutional activities; no special categories or behavioural profiling
  • βœ… MEP data is personal data of public officials - Processed under GDPR on the basis of legitimate/public interest with appropriate safeguards and transparency
  • βœ… Data subject rights supported - DSRs (access, rectification, objection, etc.) are handled case-by-case, subject to applicable legal exemptions (e.g. freedom of expression and information, public interest, archival/record-keeping)
  • βœ… No cookies, tracking, or analytics - Privacy by design
  • βœ… Transparency by default - Open source, public repository, public content

πŸ›οΈ EU Cyber Resilience Act (CRA) Alignment

CRA RequirementEU Parliament Monitor ImplementationCompliance Status
Security by designβœ… Static architecture, no server-side execution, public dataβœ… COMPLIANT
Vulnerability handlingβœ… Dependabot, SonarCloud SAST, GitHub security advisoriesβœ… COMPLIANT
Security updatesβœ… Automated dependency updates, GitHub Actions CI/CDβœ… COMPLIANT
Incident reportingβœ… GitHub security advisories, public issue trackingβœ… COMPLIANT
Documentationβœ… Complete security architecture documentationβœ… COMPLIANT

πŸ‡ͺπŸ‡Ί NIS2 Directive Alignment

NIS2 RequirementEU Parliament Monitor ImplementationCompliance Status
Art. 21 β€” Security measuresβœ… Static architecture, TLS 1.2+ (TLS 1.3 where supported), GitHub security controlsβœ… COMPLIANT
Art. 21(2)(a) β€” Incident handlingβœ… GitHub Actions alerting, manual recovery proceduresβœ… COMPLIANT
Art. 21(2)(b) β€” Business continuityβœ… BCP documented, RTO 24h, RPO 1 day, static resilienceβœ… COMPLIANT
Art. 21(2)(e) β€” Supply chain securityβœ… SHA-pinned GitHub Actions, Dependabot, SBOM generationβœ… COMPLIANT
Art. 21(2)(i) β€” Vulnerability disclosureβœ… GitHub security advisories, SECURITY.md, public issue trackingβœ… COMPLIANT
Art. 23 β€” Incident reportingβœ… GitHub security advisories, transparent public reportingβœ… COMPLIANT

Compliance Summary

FrameworkOverall ComplianceKey StrengthsAreas for Improvement
ISO 27001:2022βœ… Fully CompliantClassification framework, TLS 1.2+, Git integrityContent validation automation (Q3 2026)
NIST CSF 2.0🟒 Level 3-4 MaturityData protection, integrity verification, separationReal-time monitoring (future phase)
CIS Controls v8.1βœ… ImplementedBackup testing, logging, data segmentationN/A (public data simplifies many controls)
GDPRβœ… Fully CompliantPublic-source institutional data, minimization, transparency, DSR support with applicable exemptionsN/A (no special categories or behavioural profiling)
NIS2βœ… CompliantSecurity measures, BCP, supply chain, vulnerability disclosureN/A (minimal attack surface simplifies many obligations)
EU CRAβœ… CompliantSecurity by design, vulnerability managementContinuous improvement

DocumentPurposeLink
🏷️ Classification FrameworkThis documentCurrent document
🎯 Threat ModelRisk and threat analysisTHREAT_MODEL.md
πŸ” Security ArchitectureCurrent security controlsSECURITY_ARCHITECTURE.md
πŸš€ Future Security ArchitectureSecurity roadmapFUTURE_SECURITY_ARCHITECTURE.md
πŸ“Š Data ModelData structuresDATA_MODEL.md
πŸ“ˆ FlowchartProcess flowsFLOWCHART.md
πŸ“ ArchitectureSystem designARCHITECTURE.md
πŸ›‘οΈ ISMS Classification PolicyFramework referenceHack23 ISMS

πŸ”„ Data Handling Procedures Flowchart

Complete Information Lifecycle Workflow

The following flowchart illustrates the complete data handling lifecycle for EU Parliament Monitor, from data receipt to archiving or disposal:

%%{
  init: {
    'theme': 'base',
    'themeVariables': {
      'primaryColor': '#1565C0',
      'primaryTextColor': '#0D47A1',
      'lineColor': '#1565C0',
      'secondaryColor': '#4CAF50',
      'tertiaryColor': '#FF9800'
    }
  }
}%%
flowchart TB
    START[πŸ“₯ RECEIVE<br/>European Parliament Data] --> CLASSIFY[🏷️ CLASSIFY<br/>Determine Classification Level]
    
    CLASSIFY --> CLASSIFY_DECISION{Classification?}
    
    CLASSIFY_DECISION -->|Public| LABEL_PUBLIC[🟒 LABEL<br/>Public Data Badge]
    CLASSIFY_DECISION -->|Internal| LABEL_INTERNAL[🟑 LABEL<br/>Internal Badge<br/>N/A for EP Monitor]
    CLASSIFY_DECISION -->|Confidential| LABEL_CONF[🟠 LABEL<br/>Confidential Badge<br/>N/A for EP Monitor]
    CLASSIFY_DECISION -->|Restricted| LABEL_REST[πŸ”΄ LABEL<br/>Restricted Badge<br/>N/A for EP Monitor]
    
    LABEL_PUBLIC --> HANDLE_PUBLIC[🀝 HANDLE<br/>Public Handling Procedures]
    LABEL_INTERNAL --> HANDLE_INTERNAL[πŸ” HANDLE<br/>Access Control Required]
    LABEL_CONF --> HANDLE_CONF[πŸ”’ HANDLE<br/>Encryption + RBAC Required]
    LABEL_REST --> HANDLE_REST[πŸ›‘οΈ HANDLE<br/>Maximum Protection Required]
    
    HANDLE_PUBLIC --> PROCESS[βš™οΈ PROCESS<br/>LLM Content Generation<br/>14-Language Translation]
    HANDLE_INTERNAL --> PROCESS
    HANDLE_CONF --> PROCESS
    HANDLE_REST --> PROCESS
    
    PROCESS --> STORE[πŸ’Ύ STORE<br/>Git Version Control<br/>GitHub Repository]
    
    STORE --> DEPLOY[πŸš€ DEPLOY<br/>AWS S3<br/>CloudFront CDN]
    
    DEPLOY --> MONITOR[πŸ“Š MONITOR<br/>Access Logs<br/>Git Commit History]
    
    MONITOR --> REVIEW[πŸ” REVIEW<br/>Quarterly Classification Review<br/>Security Assessment]
    
    REVIEW --> REVIEW_DECISION{Review Result?}
    
    REVIEW_DECISION -->|Reclassify| CLASSIFY
    REVIEW_DECISION -->|Maintain| CONTINUE[βœ… CONTINUE<br/>Maintain Current Classification]
    REVIEW_DECISION -->|Archive| ARCHIVE[πŸ“š ARCHIVE<br/>Git History Preservation<br/>Immutable Records]
    REVIEW_DECISION -->|Dispose| DISPOSE[πŸ—‘οΈ DISPOSE<br/>No Deletion for Public Data<br/>Transparency Principle]
    
    CONTINUE --> MONITOR
    ARCHIVE --> LONG_TERM[πŸ•°οΈ LONG-TERM STORAGE<br/>Permanent Git History]
    DISPOSE --> PRESERVE[πŸ›οΈ PRESERVE<br/>Public Record Retention<br/>Democratic Transparency]
    
    classDef start fill:#2196F3,stroke:#1565C0,stroke-width:2px,color:#ffffff
    classDef classify fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
    classDef label fill:#FFC107,stroke:#FFA000,stroke-width:2px,color:#000000
    classDef handle fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
    classDef process fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#ffffff
    classDef store fill:#1565C0,stroke:#0D47A1,stroke-width:2px,color:#ffffff
    classDef decision fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
    classDef archive fill:#8D6E63,stroke:#5D4037,stroke-width:2px,color:#ffffff
    classDef critical fill:#D32F2F,stroke:#B71C1C,stroke-width:2px,color:#ffffff
    classDef success fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
    
    class START start
    class CLASSIFY,REVIEW classify
    class CLASSIFY_DECISION,REVIEW_DECISION decision
    class LABEL_PUBLIC,LABEL_INTERNAL,LABEL_CONF,LABEL_REST label
    class HANDLE_PUBLIC,HANDLE_INTERNAL,HANDLE_CONF,HANDLE_REST handle
    class PROCESS,DEPLOY,MONITOR process
    class STORE store
    class ARCHIVE,LONG_TERM,PRESERVE archive
    class DISPOSE,CONTINUE success

Handling Procedure Details by Stage

πŸ“₯ Stage 1: RECEIVE

Duration: Continuous (daily automated execution)
Responsibility: GitHub Actions workflow, European Parliament MCP Server
Actions:

  • Fetch data from European Parliament Open Data API
  • Validate API responses (schema validation)
  • Log data receipt in Git commit metadata

🏷️ Stage 2: CLASSIFY

Duration: Automated (classification rules applied)
Responsibility: Security Architect (policy), automated systems (execution)
Classification Criteria:

  • βœ… Data source: European Parliament Open Data (Public by default)
  • βœ… Content type: Parliamentary proceedings, MEP information (Public)
  • βœ… Accuracy requirements: Democratic transparency (Medium Integrity)
  • βœ… Availability needs: Daily updates (Medium Availability)

Classification Result: 🟒 Public / 🟑 Medium Integrity / 🟑 Medium Availability

🏷️ Stage 3: LABEL

Duration: Automatic (badge generation)
Responsibility: Documentation templates, markdown badges
Labeling Methods:

  • GitHub shields.io badges in documentation
  • Classification metadata in file headers
  • Git commit messages with classification context

EU Parliament Monitor Labeling:

  • βœ… Public badge: [![Public](https://img.shields.io/badge/Confidentiality-Public-lightgrey)]
  • βœ… Medium Integrity: [![Moderate](https://img.shields.io/badge/Integrity-Moderate-yellow)]
  • βœ… Medium Availability: [![Moderate](https://img.shields.io/badge/Availability-Moderate-yellow)]

🀝 Stage 4: HANDLE

Duration: Throughout data lifecycle
Responsibility: Automated systems, security controls
Public Data Handling:

  • βœ… TLS 1.2+, TLS 1.3 where supported (TLS 1.3 preferred) for all transmissions
  • βœ… No access control required (public by design)
  • βœ… Git version control for integrity
  • βœ… No encryption at rest (public data)
  • βœ… Standard GitHub Actions security

βš™οΈ Stage 5: PROCESS

Duration: 15-30 minutes per execution
Responsibility: LLM content generation, translation services
Processing Steps:

  1. Parse European Parliament data
  2. Generate news articles (LLM-powered)
  3. Translate to 14 languages
  4. Render HTML templates
  5. Validate output quality

πŸ’Ύ Stage 6: STORE

Duration: Permanent (Git version control)
Responsibility: Git, GitHub repository
Storage Controls:

  • βœ… Git cryptographic hashing (integrity)
  • βœ… Distributed architecture (redundancy)
  • βœ… Git object integrity via commit hashes (no automated commit signing)
  • βœ… Branch protection (change control)

πŸš€ Stage 7: DEPLOY

Duration: Minutes (AWS S3 + CloudFront deployment)
Responsibility: GitHub Actions, AWS S3, Amazon CloudFront
Deployment Controls:

  • βœ… Automated deployment pipeline
  • βœ… TLS 1.2+, TLS 1.3 where supported (HTTPS only)
  • βœ… CDN caching (availability)
  • βœ… No authentication (public access)

πŸ“Š Stage 8: MONITOR

Duration: Continuous
Responsibility: GitHub Actions, Git logs, AWS CloudFront, AWS S3, AWS CloudTrail
Monitoring Methods:

  • βœ… Git commit history (all changes tracked)
  • βœ… GitHub Actions workflow logs
  • βœ… AWS CloudFront access logs / real-time logs
  • βœ… AWS S3 server access logs / CloudTrail S3 data events
  • βœ… Dependabot security alerts

πŸ” Stage 9: REVIEW

Duration: Quarterly (every 3 months)
Responsibility: Security Architect, CEO approval
Review Triggers:

  • Scheduled: Quarterly reviews (every 3 months)
  • Event-driven: Major feature changes, security incidents
  • Compliance: Regulatory requirement updates (GDPR, NIS2, EU CRA)

Review Outcomes:

  • Reclassify: Change classification level (return to Stage 2)
  • Maintain: Continue with current classification (return to Stage 8)
  • Archive: Move to long-term preservation (Stage 10)
  • Dispose: Evaluate for deletion (Stage 11 - N/A for EP Monitor)

πŸ“š Stage 10: ARCHIVE

Duration: Permanent
Responsibility: Git version history, GitHub repository
Archiving Method:

  • βœ… Immutable Git history (Git object hashing, SHA-1 by default; SHA-256 if enabled)
  • βœ… No retroactive content modification
  • βœ… Complete audit trail preservation
  • βœ… Compliance with transparency principles

πŸ—‘οΈ Stage 11: DISPOSE

Duration: N/A (no permanent deletion)
Responsibility: Security Architect policy decision
EU Parliament Monitor Policy:

  • ❌ No permanent deletion of public content
  • βœ… Transparency principle: public record preservation
  • βœ… Democratic accountability: historical record maintained
  • βœ… Git architecture: immutable history by design

πŸ“ Classification Decision Log

Version 1.0 (2026-02-17)

Initial Classification Decisions:

  1. Confidentiality = Public (Level 1)

    • Rationale: European Parliament open data, public by design
    • Decision maker: Security Architect
    • Review date: 2026-05-17
  2. Integrity = Medium (Level 2)

    • Rationale: News accuracy critical for democratic transparency
    • Decision maker: Security Architect
    • Review date: 2026-05-17
    • Enhancement plan: Automated fact-checking (Q4 2026)
  3. Availability = Medium (Level 2)

    • Rationale: Daily updates expected, 24h outage acceptable
    • Decision maker: Security Architect
    • Review date: 2026-05-17
  4. RTO = 24 hours

    • Rationale: Manual trigger available, not mission-critical
    • Decision maker: Security Architect
    • Review date: 2026-05-17
  5. RPO = 1 day

    • Rationale: Daily generation schedule, regenerable content
    • Decision maker: Security Architect
    • Review date: 2026-05-17
  6. Privacy = Personal (public-source)

    • Rationale: Publicly available MEP personal data from EP open data; GDPR applies with reduced risk due to public-official context; no special categories; DSRs handled with applicable exemptions
    • Decision maker: Security Architect & Legal
    • Review date: 2026-05-17

πŸ”„ Review and Maintenance

Review Schedule

  • Quarterly Reviews: Every 3 months
  • Next Review: 2026-05-17
  • Triggered Reviews: Upon architecture changes, incidents, or threat landscape shifts

Review Triggers

  • Major feature additions (e.g., user authentication, API)
  • Security incidents affecting classification
  • Regulatory requirement changes (GDPR, NIS2, EU CRA)
  • Business model changes (e.g., premium features)
  • Threat landscape evolution

Ownership


πŸ“Š Classification-Driven Control Matrix

Security Controls by Classification Level

Classification LevelRequired ControlsEU Parliament Monitor Implementation
Confidentiality: PublicTLS for transit, public accessβœ… AWS S3 + CloudFront HTTPS, open repository
Integrity: MediumVersion control, code review, testingβœ… Git, PR workflow, 82% test coverage
Availability: MediumMonitoring, manual recovery, CDNβœ… GitHub Actions monitoring, AWS S3 + CloudFront CDN
RTO: 24 hoursAutomated recovery, manual backupβœ… Workflow retry, manual trigger
RPO: 1 dayDaily backups, version controlβœ… Git commits, GitHub repository
Privacy: Personal (public-source)GDPR compliance, minimization, DSR handlingβœ… Public-source MEP data only, no special categories, DSRs handled with applicable exemptions

πŸ“Š ISO 27001:2022 Classification Framework Alignment

This classification scheme aligns with ISO 27001:2022 Annex A information classification controls:

ISO 27001:2022 ControlClassification RequirementEU Parliament Monitor ImplementationStatus
5.12 Classification of informationDefine classification levelsC (Public/Internal/Confidential/Restricted) schemeβœ…
5.13 Labelling of informationApply labels to assetsClassification badges in all ISMS documentsβœ…
5.14 Information transferClassification-based transfer rulesHTTPS-only, TLS 1.3 for all transfersβœ…
5.9 Inventory of information and other assetsAsset register with classificationsSBOM (technical assets) + documentation inventoryβœ…
8.12 Data leakage preventionPrevent unauthorized disclosureNo PII collected, public data onlyβœ…
5.33 Protection of recordsRecords retention and protectionGit immutable history, GitHub repositoryβœ…

ISO 27001:2022 Classification Compliance: βœ… All 6 applicable controls implemented


🎯 NIST CSF 2.0 Governance & Identification Alignment

SubcategoryDescriptionClassification AlignmentStatus
GV.RM-01Risk management objectives establishedPublic C, Moderate I, Standard A drives risk appetiteβœ…
GV.RM-02Risk appetite established and communicatedClassification CLASSIFICATION.md public documentationβœ…
ID.AM-05Resources prioritized by sensitivityPublic-only data = lowest priority tierβœ…
ID.AM-07Inventories of data managedNo PII inventory needed (public data only)βœ…
ID.RA-02Threat intelligence received and analyzedTHREAT_MODEL.md cross-referenced with classificationβœ…
PR.DS-01Data at rest protected per classificationPublic data β€” Git repository integrityβœ…
PR.DS-02Data in transit protected per classificationTLS 1.3 HTTPS consistent with all classification levelsβœ…

πŸ›‘οΈ CIS Controls v8.1 Data Protection Alignment

CIS ControlSafeguardClassification-Based ImplementationIG LevelStatus
3.1Establish data management processPublic data classification = minimal handling requirementsIG1βœ…
3.2Establish data inventorySBOM + documentation inventoryIG1βœ…
3.3Configure data access controlPublic = no access controls; workflow access = least privilegeIG1βœ…
3.7Establish data classification schemeConfidentiality (C), Integrity (I), Availability (A) triadIG2βœ…
3.12Segment data processingEP data processing isolated in GitHub Actions (ephemeral)IG2βœ…

πŸ”— Hack23 ISMS-PUBLIC Policy Alignment

ISMS-PUBLIC PolicyClassification RelevanceAlignment Evidence
πŸ“‹ Information Security PolicyOverall security governance frameworkPublic classification consistent with open-source mandate
🏷️ Classification PolicyClassification scheme definitionCIA triad ratings derived from this policy
πŸ”‘ Access Control PolicyAccess decisions based on classificationPublic content = no authentication; workflow = least privilege
πŸ”’ Cryptography PolicyEncryption requirements by classificationTLS 1.3 minimum consistent with public data classification
πŸ“Š Risk Assessment MethodologyRisk scoring tied to classificationRTO/RPO derived from Availability classification
🌐 ISMS Transparency PlanPublic disclosure aligned with C=PublicAll ISMS docs public per transparency commitment
πŸ“ Open Source PolicyOpen source classification requirementsApache-2.0 license, public repository, open data
πŸ€– AI PolicyAI-generated content classificationNews content generated by AI scripts = public classification maintained

Classification Status: βœ… COMPLETE
Threat Modeling Status: Ready to proceed (THREAT_MODEL.md)
ISMS Compliance: βœ… Aligned with Hack23 ISMS Classification Framework


This classification framework serves as the foundation for threat modeling, risk assessment, and security control selection. All security decisions must align with these classification levels.

β€” EU Parliament Monitor Security Team