A Data Classification Program is an extremely important first step to building a secure organization.
Classifying data is the process of categorizing data assets based on nominal values according to its sensitivity (e.g., impact of applicable laws and regulations).
For example, data might be classified as: public, internal, confidential (or highly confidential), restricted, regulatory, or top secret.
Data and information assets are classified respective of the risk of unauthorized disclosure (e.g., lost or stolen inadvertently or nefariously). High risk data, typically classified “Confidential”, requires a greater level of protection, while lower risk data, possibly labeled “internal” requires proportionately less protection.
Large data stores, such as databases, tables, or files carry an increased risk, since a single event could result in a large data breach. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements.
Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.
An example of a Data Classification System:
Public - Information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to disclosure rules, is available to all employees and all individuals or entities external to the corporation. Examples include:
- Publicly posted press release
- Publicly available marketing materials
- Publicly posted job announcements
Internal - Information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel who have a legitimate reason to access it. Examples include:
- General employment data (e.g., excluded SSN, salary)
- Business partner information where no more restrictive confidentiality agreement exist
Confidential - Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Steward is required for access because of legal, contractual, privacy, or other constraints. Confidential data have a very high level of sensitivity. Examples include:
- Payment Card Industry (PCI)
- Sarbanes–Oxley Act (SOX)
- Privacy ce
Regulatory Data Classification - Information that’s protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents. Regulatory Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a need-to-know basis. Examples include:
- Must be protected to prevent loss, theft, unauthorized access, and / or unauthorized disclosure as dictated by the regulating body or council
- Must be destroyed when no longer needed. Destruction must be per the body or council data policies
- Will require specific methodologies, procedures and reporting requirements for the response and handling of incidents
A company should adopt a common set of terms and relationships between those terms in order to clearly communicate and begin to classify data types. By classifying data, the company can prepare generally to identify the risk and impact of an incident based upon what type of data is involved.
The classifications as listed (public, internal, confidential) give a basis for determining the impact based upon the level and type of access to data. Together, data classification and level of access drive the business impact which will determine the response, escalation and notifications of incidents.
An incident Response Team (IR) ca be comprised of industry experts with experience in Military Intelligence, Law Enforcement, and Big X Consulting. They can help to manage and facilitate the response and readiness capabilities of an organization, identifies and develops business impact and planning, and becomes an essential keystone within the enterprise to ensure the security program matures.
(click image to enlarge)
The left side of the table contains types of events and potential access to the types of data as defined at the bottom; together, this defines the impact. The impact of an incident or potential data loss drives the notification and escalation of who to call, when, why, and how as described below:
(click image to enlarge)
When it comes to a Data Classification System, one size does not fit all. Classifying data not only makes good sense, but it defines data protection requirements, specific to data sensitivity.
Once you know which data needs the most protection, you can properly allocate funds and resources to defend those assets. Employing a proper data classification scheme is cost effective, as it allows a business to focus on protecting its higher risk data assets.
For an example, businesses that do not have a data classification system treat all data as highly confidential; however, in reality they often apply the wrong controls to protect the data.
So employees may shred public information but recycle confidential information because they do not have clear guidance on what to do.
Cross-posted from SecureState