Data classification is one of the most crucial elements of an effective information governance process—yet one that many companies fail to implement well.

In its simplest terms, data classification is the process of categorizing data based on its level of sensitivity. When done properly, the classification of data helps a company determine the most appropriate level of safeguards and controls that need to be in place.

“While we don't see this in practice in a lot of cases, data classification fundamentally is the first step to any sort of security or information risk-management program,” says Dirk Anderson, a managing director for IT governance, risk, and compliance advisory firm Coalfire. Companies don't need to be wasting time and resources deploying firewalls and other information security controls for data that doesn't need protection, even though they very often do, he says.

Without a data classification process, all information gets treated the same. Companies recognize, however, that they need to be “efficient as well as effective” in the way they protect their information, says Cal Slemp, managing director and global leader of the IT security and privacy practice at business consulting and internal audit firm Protiviti. That means putting adequate security controls around their most sensitive data and fewer security controls around less sensitive data.

Data classification begins with an assessment of the following questions:

· What data—unstructured and structured—does the company have?

· Where does the data reside?

· What data is the company trying to protect?

· What are the potential risks associated with each data set from a confidentiality, integrity, and availability perspective?

“Take a step back, look at your business processes, and identify what information is used by those business processes,” says Anderson. If the company does background checks, for example, does it store sensitive information about employees? Does HR collect data that may contain protected health information?

The way to get real clarity on data is to initiate a discussion that involves stakeholders from various parts of the organization—legal, compliance, human resources, IT, and the various business units. “It's very much a collaborative effort,” says Michael Rasmussen, chief GRC pundit with research firm GRC 20/20 Research.

To determine which information requires the most safeguards, a company should consider the security objectives it wants to meet. Most companies make the mistake of thinking only about the confidentiality of information, says Anderson. The integrity and availability of that information, however, are “just as critical, if not more critical,” he says.

Considered in that light, companies find that it's not only important to place restrictions on sensitive data, but also to guard against unauthorized changes or destruction of data. On the other end of the spectrum, it's equally important to ensure that the right data is easily accessible to authorized individuals when they need it.

The next step is to classify data into one of four categories:

· Restricted: Requires the highest level of security controls. Examples include proprietary information and data protected by state or federal privacy rules and regulations.

· Confidential: Information to which only specific groups of employees are allowed access. Examples include marketing plans, intellectual property, employee lists, and more.

· Internal use: Information that pertains to employees only. Examples may include employment policies, social media policies, and acceptable use policies.

· Public: Information with no sensitivity attached to it, whose disclosure, alteration, or destruction would likely result in little or no risk—such as press releases.

ABOUT THIS SERIES

Compliance Week's six-part series, “The Lifecycle of Information Governance,” sponsored by HP Autonomy, will examine all the elements of handling information properly—from creation to storage to destruction—and how compliance departments should address each element.

Part 1: Crafting an Effective Data Security Policy, Feb. 12
Part 2: Catching and Managing New Data, Feb. 20
Part 3: Get Data Classification Right First
Part 4: Protecting Data From Inside & Outside Threats, March 12
Parts 5 and 6: To Be Announced

Rasmussen recommends that companies take the data classification process one step further by tagging the information itself. For example, data classified as “internal use only” offers little insight into what type of data it is and what specific controls apply. A more effective measure is to additionally tag the data as a specific type such as “employment policies,” so you can have controls that apply to both categories of information for broader protection, says Rasmussen.

At the same time, companies want to take care not to be “too refined” by having too many data categories, advises Slemp. “A minimalistic view is probably more appropriate.” If an organization has more than ten categories of information, “it's probably worth taking a step back and asking if you need to be that precise,” he says.

Data Stewards

Once a company has identified all of its most sensitive and valuable information, data stewards should be appointed to oversee the lifecycle of that information. Who the data stewards are “will vary a little bit from organization to organization,” says Anderson.

Ultimately, they should be individuals who have day-to-day interaction with the information and are most familiar with it. The chief privacy officer, for example, may be the steward for sensitive data, which in some instances may be defined by privacy rules and regulations.

The responsibility of each data steward is to then understand where the data is located; how it is being used; who has access to it; and how long that information is being retained.

Data stewards also have the responsibility to clarify how that data should be handled and what the ramifications will be for the company and the employee if the data is not handled in the appropriate way, says Slemp. How data should be protected and managed should be communicated as part of a company's acceptable use policy, he adds.

INFORMATION SECURITY

Below is a table from NIST Special Publication 800-60, “Information and Information System Security Objectives,” giving the FISMA definition of each security objective alongside the FIPS 199 definition of its loss:

Confidentiality
  FISMA definition: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...”
  FIPS 199 definition: A loss of confidentiality is the unauthorized disclosure of information.

Integrity
  FISMA definition: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...”
  FIPS 199 definition: A loss of integrity is the unauthorized modification or destruction of information.

Availability
  FISMA definition: “Ensuring timely and reliable access to and use of information...”
  FIPS 199 definition: A loss of availability is the disruption of access to or use of information or an information system.

Source: NIST Special Publication 800-60 (2009).

Another mistake companies make is having a static data-classification process. “Organizations need to be aware that data classification may change throughout the lifecycle,” says Rebecca Herold, an information security consultant. It's important for data stewards to reevaluate the classification of information periodically, based on changes to regulations and contractual obligations, as well as changes in the use of data or its value to the company, she says.

A common example is a public company's earnings statement, which might be confidential until the date of the earnings announcement, at which time it becomes public.
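The two ideas above, a label that carries both a sensitivity level and a data type so that controls from both dimensions apply, and a classification that changes on a scheduled date, are easy to get wrong when they are implemented in a tagging or DLP policy engine. The following is an added example written for this page, not code from the article or from any of the firms quoted in it. The control names, the mapping from data types to a minimum level, and the sample labels are all constructed for illustration; only the four category names and the example types (employment policies, employee list, protected health information, press release, earnings statement) come from the article.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Dict, Optional, Set


class Level(IntEnum):
    """The article's four categories, ordered so the stricter one compares greater."""
    PUBLIC = 0
    INTERNAL_USE = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Controls implied by the sensitivity level alone. Constructed for this example;
# the article does not prescribe specific controls per category.
LEVEL_CONTROLS: Dict[Level, Set[str]] = {
    Level.PUBLIC: set(),
    Level.INTERNAL_USE: {"authenticated-access"},
    Level.CONFIDENTIAL: {"authenticated-access", "need-to-know-acl", "encrypt-at-rest"},
    Level.RESTRICTED: {"authenticated-access", "need-to-know-acl", "encrypt-at-rest",
                       "encrypt-in-transit", "access-logging"},
}

# Per-type policy: a minimum level the type may never fall below, plus controls
# that are specific to that type. Constructed mapping (assumption, not the article's).
TYPE_POLICY = {
    "employment-policies": (Level.INTERNAL_USE, {"versioned-publication"}),
    "employee-list": (Level.CONFIDENTIAL, {"export-review"}),
    "protected-health-information": (Level.RESTRICTED, {"breach-notification-procedure"}),
    "press-release": (Level.PUBLIC, set()),
}


@dataclass
class Label:
    level: Level
    data_type: Optional[str] = None
    # Optional scheduled reclassification, e.g. an earnings statement that is
    # confidential until the announcement date and public from that date on.
    reclassify_on: Optional[date] = None
    level_after: Optional[Level] = None

    def effective_level(self, today: date) -> Level:
        level = self.level
        if (self.reclassify_on is not None and self.level_after is not None
                and today >= self.reclassify_on):
            level = self.level_after
        if self.data_type in TYPE_POLICY:
            floor, _ = TYPE_POLICY[self.data_type]
            level = max(level, floor)  # a type tag can raise the level, never lower it
        return level

    def controls(self, today: date) -> Set[str]:
        """Union of level-based and type-based controls for the effective level."""
        required = set(LEVEL_CONTROLS[self.effective_level(today)])
        if self.data_type in TYPE_POLICY:
            required |= TYPE_POLICY[self.data_type][1]
        return required


def sample_checks(today_iso: str = "2014-03-01") -> dict:
    """Resolve a few constructed labels on a given day (ISO date string)."""
    today = date.fromisoformat(today_iso)
    hr_policy = Label(Level.INTERNAL_USE, "employment-policies")
    # Deliberately under-labelled record: the type floor must lift it to RESTRICTED.
    phi_record = Label(Level.INTERNAL_USE, "protected-health-information")
    earnings = Label(Level.CONFIDENTIAL, "earnings-statement",
                     reclassify_on=date(2014, 4, 15), level_after=Level.PUBLIC)
    return {
        "hr_controls": hr_policy.controls(today),
        "phi_level": phi_record.effective_level(today),
        "phi_controls": phi_record.controls(today),
        "earnings_level": earnings.effective_level(today),
        "earnings_controls": earnings.controls(today),
    }


if __name__ == "__main__":
    for day in ("2014-03-01", "2014-04-15"):
        print(day, sample_checks(day))
```

Two design choices are worth noting. The type tag can only raise the effective level, so a record someone labelled “internal use” that is actually protected health information still picks up the restricted-level controls; and the reclassification is driven by a date carried on the label rather than by someone remembering to relabel, which is the failure mode the earnings-statement example describes.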

Data classification is one of those processes that needs support from the top, security experts agree. This is because data stewards need to be given the authority to make decisions about how to fully implement the data classification program, Herold says, and also to ensure it is integrated into the company's business practices.

Slemp advises training employees so that they understand the meaning of each classification and what safeguards need to be in place. “How are you communicating those objectives to employees so they are clear about the company's expectations for handling data in certain fashions? What is their specific responsibility in the lifecycle of that data?”

What's important is that companies get the data classification process going, and then worry about ironing out the kinks later. “It's a learning process,” says Slemp. Even if data classification is not achieved immediately, it's the end result that matters the most.