Properly classifying and labeling information assets is fundamental to a successful information security program, yet many organizations fail to implement one. Without proper asset classification, the organization exposes itself to additional risk of data breaches, accidental loss/release of sensitive information, losses in efficiency or additional costs associated with securing data that may not require it (hardware-based encryption doesn’t come cheap!).
It is the responsibility of the Chief Information Officer, Chief Security Officer or similar leadership to implement a strategy that provides for information assurance within the organization. A robust Data Classification Policy lies at the foundation of that strategy.
What is a Data Classification Policy?
A Data Classification Policy is a standard for labeling information assets within an organization. You may encounter a Data Classification Policy as either a standalone document or a section within the corporate Information Security policy.
Contrary to what the name suggests, an organization should not limit the policy to data alone, though most do. The Data Classification Policy should also encompass any hardware used to process data and media used to store it.
Define Sensitive Data relative to your Organization
Sensitive data is generally defined as any data that is not public, but the nature of what information an organization is coming in contact with or is developing will vary depending on the nature of the organization, the market it operates in, and the laws and regulations the organization must comply with based on industry.
Common types of sensitive data include:
- Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity. Most US States and the EU Data Protection directive require PII to be secured and individuals be notified in the event of a breach by law.
- Personal Health Information (PHI): Health related information related to a specific person. In the United States, the HIPAA/HITECH legislation, and in the European Union, the EU Data Protection Directive mandates the protection of PHI and require victims be notified of breaches by law.
- Personal Finance Information & Payment Card Information: In the United States, the Gramm-Leach-Bliley Act restricts sharing of this information between organizations by law. The Payment Card Industry Data Security Standard (PCI DSS) also requires compliance with industry standards, though these are not mandated by federal law.
- Proprietary Information and Trade Secrets: Any data that allows an organization to maintain its competitive edge.
An organization will typically sub-categorize data into general categories such as Confidential/Proprietary, Private, Sensitive, and Public. Each of these classifications will serve as a label that is to be applied to each piece or groupings of information within the organization.
|Confidential/Proprietary:||The highest level of sensitivity. A data breach would greatly impair the operations of an organization or cause irreparable damage.||Trade secrets|
Application Source Code
|Private:||Information that should stay within the confines of the organization and may result in serious legal or contractual issues.||Human Resources Information|
PHI, PCI and highly sensitive PII data
|Sensitive:||Information that is confidential in nature but that the loss will not greatly impair the operations or mission of the organization.||Corporate Email|
Pre-Release Marketing Documents
|Public:||Any information publicly available via an organization brochure, website, or other publicly available sources.||White papers|
Begin the Classification of Data
Undertaking the process of classifying data may be a reiterative process. Begin by consulting key stakeholders from various divisions within the enterprise. This should include general counsel, compliance managers, IT and Info Sec management, Human Resources, Marketing, Finance, R&D and pretty much any other department within the organization that touches or produces information valuable to the organization.
TIP: Don’t forget hardware and physical media! Work with the appropriate division of IT to include these assets during the classification process.
Ask each stakeholder to document and categorize all information that their department both creates and comes in contact with. Internal audit, compliance management or outside consultants should aid stakeholders to in understanding and interpreting categorizations.
Implementing the Data Classification Scheme and Controlling Data
The final step may be the most difficult with the least clear path to success. With all information and assets clearly classified, begin the process of applying controls to secure that data in alignment with the Data Classification Policy.
Consider including the following strategies when implementing your Data Classification Scheme:
- Adopt a best-practice IT management framework such as COBIT, ISO 27000 or ITIL.
- Rely heavily on the guidance of applicable regulatory and compliance requirements, as your organization is legally or contractually obligated to comply.
- Attempt to silo different classes of data into their own networks (e.g. VLANS), or drive space (e.g. individual drives, systems or directories dedicated to one type of data) to simplify the application of controls to individual networks, systems and directories instead of attempting to control objects or data directly.
Please share your experiences, tips and remarks in the comments below.