Developing & Implementing a Data Classification Policy

Properly classifying and labeling information assets is fundamental to a successful information security program, yet many organizations never formalize a classification policy. Without asset classification, the organization exposes itself to additional risk: data breaches, accidental loss or release of sensitive information, lost efficiency, and the cost of securing data that may not require it (hardware-based encryption doesn’t come cheap!).

It is the responsibility of the Chief Information Officer, Chief Security Officer or similar leadership to implement a strategy that provides for information assurance within the organization. A robust Data Classification Policy lies at the foundation of that strategy.

What is a Data Classification Policy?

A Data Classification Policy is a standard for labeling information assets within an organization. You may encounter a Data Classification Policy as either a standalone document or a section within the corporate Information Security policy.

Contrary to what the name suggests, the policy should not be limited to data alone, though most organizations stop there. It should also cover the hardware used to process data and the media used to store it, since a system or disk inherits the sensitivity of the most sensitive data it handles.

Define Sensitive Data relative to your Organization

Sensitive data is generally defined as any data that is not public. Exactly what information an organization handles or produces will vary with the nature of the organization, the market it operates in, and the laws and regulations it must comply with in its industry.

Common types of sensitive data include:

  • Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity. US state breach-notification laws require individuals to be notified when their PII is exposed, and in the EU the Data Protection Directive (since superseded by the GDPR, which adds mandatory breach notification) requires PII to be protected.
  • Protected Health Information (PHI): Health-related information tied to a specific person. In the United States, the HIPAA/HITECH legislation mandates the protection of PHI and requires that affected individuals be notified of breaches; in the European Union, health data is a special category under the Data Protection Directive and its successor, the GDPR.
  • Personal Finance Information & Payment Card Information: In the United States, the Gramm-Leach-Bliley Act restricts sharing of nonpublic personal financial information between organizations. The Payment Card Industry Data Security Standard (PCI DSS) governs cardholder data, but it is a contractual requirement imposed by the card brands and acquiring banks, not a federal law.
  • Proprietary Information and Trade Secrets: Any data that allows an organization to maintain its competitive edge.

Define Classifications/Labels

An organization will typically sub-categorize data into general categories such as Confidential/Proprietary, Private, Sensitive, and Public. Each of these classifications serves as a label to be applied to each piece, or grouping, of information within the organization.

Confidential/Proprietary: The highest level of sensitivity. A breach would greatly impair the operations of the organization or cause irreparable damage.
  Examples: trade secrets, application source code, proprietary algorithms, secret recipes.

Private: Information that must stay within the confines of the organization; disclosure may result in serious legal or contractual issues.
  Examples: Human Resources information; PHI, PCI data and highly sensitive PII; salary information; corporate strategies.

Sensitive: Information that is confidential in nature but whose loss would not greatly impair the operations or mission of the organization.
  Examples: corporate email, internal memos, pre-release marketing documents, meeting minutes.

Public: Any information already publicly available via an organization brochure, website, or other public source.
  Examples: white papers, the corporate website, press releases.

Begin the Classification of Data

Classifying data is usually an iterative process. Begin by consulting key stakeholders from across the enterprise: general counsel, compliance managers, IT and Info Sec management, Human Resources, Marketing, Finance, R&D and pretty much any other department that touches or produces information valuable to the organization.

TIP: Don’t forget hardware and physical media! Work with the appropriate division of IT to include these assets during the classification process.

Ask each stakeholder to document and categorize all information that their department both creates and comes in contact with. Internal audit, compliance management or outside consultants should help stakeholders understand and interpret the categorizations so that labels are applied consistently across departments.

Implementing the Data Classification Scheme and Controlling Data

The final step may be the most difficult with the least clear path to success. With all information and assets clearly classified, begin the process of applying controls to secure that data in alignment with the Data Classification Policy.

Consider including the following strategies when implementing your Data Classification Scheme:

  • Adopt a best-practice IT governance or management framework such as COBIT, ISO/IEC 27001 or ITIL.
  • Rely heavily on the guidance of applicable regulatory and compliance requirements, as your organization is legally or contractually obligated to comply.
  • Where possible, segregate different classes of data into their own networks (e.g. VLANs) or storage (e.g. individual drives, systems or directories dedicated to one class of data). Controls can then be applied to the network, system or directory as a whole rather than to individual objects or files, and anything that lands in that segment inherits its controls.

Please share your experiences, tips and remarks in the comments below.

5 thoughts on “Developing & Implementing a Data Classification Policy”

  • Good article, Shane. I agree there’s a lot to consider when creating a data classification framework, but especially that the biggest stumbling block may be where to begin with the task of classifying the stores of existing data (once you agree to the framework).

    I’ve seen several organizations start with tagging their known applications, and then that leads to their related servers, databases, and network devices. From there, you can “stop the bleeding” for unstructured data with a tagger like Titus and then start the laborious process of examining the network shares.

  • Good post, thank you.

    Can you recommend any best practices, or resources, to communicate a data classification policy to a large, global employee base? We have policy-related training, however data classification can come across as intangible or worse, overwhelming.

  • Hi, P Plum,
    I suspect your real issue is getting enforcement and compliance with a policy. I think the only real solution in this case is to get buy in from the most senior of leadership possible, preferably the CEO. From there, it will be up to the Data Owners and Data Custodians to work together to ensure the data is properly handled.

    From a technical standpoint, your best bet is to silo highly sensitive data into its own networks/systems, which can be more tightly controlled as needed. This is the approach most organizations tackling PCI and HIPAA compliance challenges choose to take.

    Also, as the commenter Chris pointed out above, there are tools that can be used to tag and label data (e.g. TITUS).

    I apologize, I know all these suggestions are easier said than done. Good luck.

  • Shane,
    I don’t recall any of the MAJOR companies I’ve worked in ever having a DC policy. It’s just too overwhelming, and then someone has to police it.

    Not saying it’s not worthwhile, just a high bar. It’s one of those audit issues that is raised, recorded, but is perpetually in progress. Which really means, after a couple years, the issue is risk accepted, actually. Just no one wants to put their signature on that risk acceptance form.

    Maybe that would be a good topic for a future post. A risk acceptance process–what are all the items you should include, who signs off, and who approves.

    • Thanks for chiming in Mack,
      I’ve had the opposite experience, but this is probably a result of my client base, which is mostly healthcare and FinTech companies that are basically forced to create and adhere to Data Classification policies to be compliant with HIPAA, SOC 2, PCI, etc.

      I’d argue no one in particular should be policing the policy, it should just be part of the way the information security and control structure is designed, and also why I mentioned classifying the networks and assets that process the data and applying appropriate control at that higher level, to basically catch anything that touches those systems and networks.

      I’ll think on the Risk Acceptance process and my past experiences in this area. Thanks!
