In Information Security it is well understood that not all data should be treated the same way. A data classification scheme is usually the starting point for managing risk, because it separates sensitive and confidential data from everything else. Protecting data is expensive, so controls need to be layered so that the most critical information receives the strongest protection. That layering is what a data classification system provides.
Governments are known to work with information classified as ‘Top Secret’, but what does that actually mean? Data classification begins by labelling documents with different levels of confidentiality. Each level is given a name and is then linked to rules for how information at that level may be stored, transmitted and used, both inside and outside the business.
Levels of Data Classification
Government organizations usually use five levels of data classification: Unclassified, Sensitive, Confidential, Secret and Top Secret. Commercial organizations sometimes adopt these, but most use only four levels: Public, Internal, Confidential and Restricted. These four are fairly self-explanatory, and their names describe how data at each level should be handled.
● Restricted data is the most sensitive, and access to it should be limited to those with a need to know. Restricted data is often protected by Non-disclosure Agreements (NDAs) to reduce legal risk. It may include personally identifiable information (PII), trade secrets, health information and payment cardholder data. Disclosure of this information could have a significant legal or financial impact.
● Confidential information is typically shared within a team, and its use is generally confined to the business. It could include contact information, marketing materials and pricing. Disclosure may harm the business and, ultimately, the brand.
● Internal information is distributed company-wide and is protected with relatively light controls. It could include company-wide memos, policies and the employee handbook. Disclosure would have minimal impact on the business.
● Public information can be shared openly on the company’s website and discussed with anybody. As the name indicates, it requires no controls when distributed.
How to Classify Data
Data Classification Policy
The first step is to write a data classification policy and then establish data classification procedures. Once those exist, how is information actually classified? Many approaches exist, but two primary methods are commonly used. The first is technical: treat all personal health information (for example data covered by PHIPA), cardholder data covered by PCI DSS, personally identifiable information (PII) and trade secrets as Restricted, and build rules, typically regular expressions, into the company’s data management systems so that matching information is tagged automatically. Payment card numbers, for example, are 13 to 19 digits long (most commonly 16), and valid numbers pass a mod 10 (Luhn) check. A classification tool can use that combination of pattern and checksum to identify card numbers and apply the handling rules for cardholder data. The check is not conclusive on its own: Luhn is a checksum, not a secret, so roughly one in ten random digit strings of the right length will pass it, and matches should be confirmed with issuer prefixes, surrounding context or a human review.
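As an added example (not code from the original page), the following Python classifier implements the first method in miniature: it scans text for payment-card-shaped digit strings, confirms them with the Luhn check, and tags the document Restricted, while honouring any explicit label a data owner has already placed at the top of the document. The regular expression, the label prefixes, the issuer-prefix table and the default level of Internal are my own assumptions; the sample strings are constructed, and the card numbers in them are the public industry test numbers, not real cards.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# separated by single spaces or hyphens, not embedded in a longer digit run.
# (Assumed pattern; tune for the data formats your systems actually hold.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Explicit label a human (the data owner) put on the document, e.g. a first
# line or subject reading "RESTRICTED: Q3 loyalty data". Assumed convention.
LABEL_PREFIX = re.compile(r"^\s*(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\b", re.IGNORECASE)

# Ordered from least to most sensitive; used to pick the stricter of a
# human-assigned label and an automatic finding.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]


def luhn_valid(digits: str) -> bool:
    """Mod 10 (Luhn) check: double every second digit from the right,
    subtract 9 from any doubled value above 9, and require the sum to end in 0."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Coarse issuer check on well-known IIN ranges, for reporting only.
    Unknown prefixes are still flagged if the Luhn check passes."""
    if digits.startswith("4") and len(digits) in (13, 16, 19):
        return "visa"
    if digits[:2] in ("34", "37") and len(digits) == 15:
        return "amex"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    return "unknown"


def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits for the audit record, so the
    classifier's own output does not become a second copy of cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    rule: str       # which content rule fired
    evidence: str   # masked value that triggered it


def find_cards(text: str) -> list[Finding]:
    """Return one Finding per digit string that looks like a PAN and passes Luhn."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding(f"payment_card:{card_brand(digits)}", mask(digits)))
    return findings


def classify(text: str) -> tuple[str, list[Finding]]:
    """Combine the human-assigned label (if any) with the content rules and
    return the stricter of the two, plus the evidence for the decision."""
    level = "Internal"  # assumed default for unlabelled company data
    m = LABEL_PREFIX.match(text)
    if m:
        level = m.group(1).capitalize()
    findings = find_cards(text)
    if findings and LEVELS.index(level) < LEVELS.index("Restricted"):
        level = "Restricted"
    return level, findings


if __name__ == "__main__":
    # Constructed samples; the card numbers are public industry test numbers.
    for sample in [
        "Monthly newsletter, order ref 1234567890123456",
        "Customer card 4111 1111 1111 1111 exp 12/26",
        "CONFIDENTIAL: pricing sheet for Q3",
        "PUBLIC: press kit, test card 378282246310005",
    ]:
        print(classify(sample))
```

Two design points are worth noting. A human label can only raise the level when the content rules say the document is more sensitive than its label; it is never lowered automatically, because the tool cannot know why the owner chose it. And the order reference in the first sample is 16 digits long but fails Luhn, which is exactly the false positive the checksum is there to filter; a number that passes by chance still needs the issuer prefix, surrounding context or a person to confirm it.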
Training Employees in the Data Classification Process
The second method is training employees to understand the classification levels and what counts as confidential data, and involving them in classifying data according to its intended use and the data classification policy. This is often hard to do well, but it is the most effective method, because automated tools struggle to understand data and its context.
Responsibility for labelling data lies with the data owner, typically the business unit or business lead responsible for the data. Loyalty data, for example, may be owned by the VP of Customer Loyalty. The data owner assigns the appropriate classification and delegates day-to-day responsibility to a custodian. A custodian is the team member responsible for the safe storage, transport and custody of sensitive data, and for implementing security controls appropriate to its sensitivity level.
Why Should Information be Classified?
There are several reasons to define data classification objectives and classify data, the main one being that it makes sensitive information easy to identify. An email sent through a mail client with content policies enabled (such as Office 365) and a subject line beginning with the word “RESTRICTED” clearly tells the recipient to handle it with care. Security controls are expensive; applying strong controls to the sensitive data that needs them and lighter controls to public information makes the whole operation far more cost-effective.
Labelling information not only helps staff identify it, it also helps technologies such as Data Loss Prevention (DLP) systems do the same. Restricted documents can, for example, be watermarked so that copies distributed outside the business, printed or left in insecure locations can be traced back to their source, and a DLP policy keyed on the label can block such transfers outright.
Data classification is a fundamental component of any security program. It is the framework that ties IT security controls to information security objectives and ensures that the most sensitive information in a business is protected. Public data is intended for wide use and is expected to be disclosed; medium-sensitivity data lies in between; and Restricted information needs the strongest protection. Layering security controls according to classification level, strengthening them as you move up from Public to Restricted, is the best way to keep security cost-effective.