Data Classification: Secure your Data by First Understanding your Data

Many businesses rely on data as a driving factor. Data is collected, processed, and stored by businesses for a variety of reasons. This data is typically sensitive, such as credit card numbers, social security numbers, driving license information, and so on. This information should be kept safe from unauthorized disclosure, modification, or theft at all times. Moreover, companies are under regulatory obligation to implement essential security controls to protect the gathered data. This article explains what is data classification and how it helps an organization maintain the security of its data.

What is Data Classification?

The practice of assessing and labeling data depending on its sensitivity or value to the organization so that it can be used more efficiently is known as data classification. Every piece of information in the company must have a classification tag that instructs anyone who comes into contact with it on how to handle it and ensures that the necessary security measures are taken to safeguard it.

Why do you need to classify data?

One of the reasons for performing data classification is that it aids businesses in determining the security controls that are required to protect data. With the number of data breaches on the rise, it’s more important than ever for businesses to ensure that the data they hold and the process is adequately protected at all times. The goal of data classification is to provide distinct handling requirements and procedures for data use, storage, and deletion at each level.

Data classification is also essential to comply with data and privacy laws. To comply with these rules, the organization must attach relevant labels to the data and preserve the privacy of its data, depending on the jurisdiction in which it operates.

Data Classification assists the organization in determining and allocating resources required for data protection. Not every piece of data has the same value to the organization. Data classification enables organizations to make better use of their resources for data protection.

Data classification also helps you to keep track of the different types of data in your organization and gives you more control over its management.

Criteria for Data Classification:

Different companies collect and store data related to the industry in which they operate. Banks, for example, may collect customer passwords, pins, or credit/debit card information, while mobile carrier companies may gather information such as Social Security numbers, addresses, or driving license numbers. The company’s data can be classified based on its sensitivity and/or criticality. The data’s sensitivity/criticality is proportional to the losses that would occur if it was lost.

The sensitivity of the data can be defined as the losses that an organization would suffer if some piece of information was disclosed to unauthorized individuals. These losses can take the form of financial losses, regulatory fines, reputational damages, and so on.

The criticality of data refers to the loss of data that will have an impact on an organization’s critical business operations. The losses incurred as a result of critical data loss might be either short-term or long-term operational downtime costs. If critical data cannot be recovered in a timely manner, the company may go out of business.

Some of the most commonly used criteria for data classification are:

  • How useful is the data for the organization?
  • What value does the data hold for the organization?
  • The amount of losses incurred due to unauthorized disclosure of the data.
  • How much would it cost to replace the data if it is lost/corrupted?
  • The level of impact due to data modification/corruption.
  • The level of protection dictated by legal or regulatory or contractual obligations.
  • Who should have access to the data?

Classification Levels:

Organizations can create different levels of information classification depending upon their security requirements. To avoid confusion, these levels should be kept simple and not overly complicated. The goal of these classification levels is to ensure that information at each level is subject to specified rules for access, use, storage, and deletion. The auditing requirements for each classification level must likewise be clearly established. For example, confidential information may include an organization’s trade secrets and can only be accessed by senior management. This information will also be subject to stringent auditing, with access and operating logs being closely monitored. The classification schemes for commercial businesses and government institutions are described in this section.

Classification Levels in Commercial Organizations:

The following are some of the most commonly utilized classification levels in commercial organizations:

Confidential: This is the most sensitive information in the company, and its unauthorized disclosure could result in catastrophic consequences for the company. This information is only accessible to senior management and a small group of carefully chosen personnel. Customers’ PII (personally identifiable information), healthcare information, and company trade secrets are all examples of confidential information.

Private: This information is personal information to be utilized within the organization, and its unauthorized disclosure could have an adverse impact on the organization or its personnel. Medical information concerning employees, Human Resources information, and so forth are examples of private information.

Sensitive: This information is internal to the company and must be safeguarded against unauthorized alteration or deletion. Special controls must be in place to ensure the accuracy and integrity of the data. Unauthorized disclosure of this information may not cause substantial harm to the business, but it should nevertheless be protected because there is some risk connected with its exposure. Examples of sensitive information include organizational policies, project details, company memos, and so on.

Public: This information can be shared with parties outside the business by making it available in the public domain, such as via the company’s portal/website. The company would not suffer any negative effects if this information was made public. Information about a company’s services or past projects, office locations, or contact information are all examples of public information.

Classification Levels in Government/Military Institutions:

The following are some of the classification levels commonly used in government and military institutions:

Top Secret: The unauthorized disclosure of this information could cause grave damage to national security.

Secret: The unauthorized disclosure of this information could cause serious damage to national security.

Confidential: The unauthorized disclosure of this information is likely to cause damage to national security.

Sensitive but Unclassified: This information contains minor secrets that should not be made public. The exposure of this information would have no negative consequences for national security.

Unclassified: This information is not sensitive and can be shared with the public.

The Role of Data Classification in Compliance:

Organizations that store and process sensitive data must protect it in compliance with data privacy laws and security standards. The compliance requirements may differ depending on the industry in which the company operates and the type of data gathered and stored by the organization. This section lists some of the most common regulatory frameworks that require businesses to classify their data. These laws are as follows:

SOC2: The SOC2 audit is one of the most essential compliance requirements for businesses. This standard was developed by AICPA (American Institute of CPAs). SOC2 mandates organizations to safeguard the security and privacy of their customers’ data. This standard addresses essential data protection issues, such as security, availability, confidentiality, integrity, and privacy. Organizations must implement data classification to protect the security and privacy of sensitive data throughout its lifecycle in order to achieve SOC2 compliance.

GDPR(General Data Protection Regulation): The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy and protection law that mandates businesses to implement suitable protection mechanisms to secure customer data. GDPR requires enterprises to identify all personal data relating to subjects that is collected, stored, utilized, or destroyed by them and to assess the sensitivity of data in order to apply adequate security controls. As a result, data classification is critical in achieving GDPR compliance.

HIPAA(The Health Insurance Portability and Accountability Act): The Health Insurance Portability and Account Act requires covered entities(healthcare providers, healthcare insurers, medical clearinghouses, and employer-sponsored healthcare plans) to protect the confidentiality, integrity, and availability of PHI(Protected Health Information). HIPAA mandates the organization to identify and classify all the healthcare-related information in order to apply physical, technical, and administrative countermeasures to protect its security and privacy.

PCI DSS(Payment Card Industry Data Security Standard): The PCI DSS standard was developed to ensure that all businesses that collect, store, or process cardholder data implement the essential security controls. The PCI DSS standard requires enterprises to classify data in order to evaluate its sensitivity.

NIST SP 800-53: The NIST SP 800-53 is a set of suggested security and privacy controls to aid in the development of secure and resilient federal information systems. To comply with NIST SP 800-53, organizations must classify data and the systems that hold/process it in order to apply the necessary safeguards to preserve their confidentiality, integrity, and availability.

ISO/IEC 27001: The ISO/IEC 27001 standard lays forth a set of guidelines for creating, implementing, maintaining, and improving an organization’s ISMS(Information Security Management System). The ISO 27001 standard requires enterprises to complete asset inventories, assign security labels to information and information systems, and establish appropriate procedures to ensure their security. According to Information Classification Annex A.8.2 of this standard, the organization must classify information to establish its value to the organization.

Personnel responsible for Data Classification:

The data owner is ultimately responsible for data classification. The data owner is typically the manager of a certain business unit who is most familiar with the data and understands its true worth to the organization. The data owner is in charge of determining access privileges and ensuring the security of the department’s data. He is in charge of defining classification levels for information created by the department based on its sensitivity/importance.

The data owner is also in charge of ensuring that the required security controls are in place to protect the data in accordance with its security labels. He is in charge of determining who has access to the data, the security mechanisms that must be in place to secure it, the data retention period, and the data disposal techniques. The data owner additionally outlines the ramifications of any security violations of the data under his control.

Finally, data owners must periodically review user access privileges and data classification levels in line with changing business and security requirements.

The data owners delegate the responsibilities of data classification implementation, data protection, and data maintenance to Data Custodians. Data Custodians are members of the IT department who are in charge of implementing and maintaining security controls in compliance with organizational policies governing data privacy and security.

How to Establish Data Security Controls:

The establishment of security measures for data is not only dependent on the classification label we assign to it but also on the state of the data. The following are the three data states:

Data at Rest: Data at Rest refers to information that is stored in systems but is not in use. It is the data held in storage devices such as hard disks, solid state drives, flash drives, optical disks, database stores, and so on. This information can be compromised not only by threat actors obtaining access to your company’s network but also through physical means such as the theft of a device containing sensitive data.

A breach of data at rest mandates organizations to send breach notifications to affected individuals, which can result in financial and reputational damages. Encrypting sensitive data kept in information systems is one of the strongest ways to protect data at rest. There are several third-party software packages or tools that can encrypt specific files or carry out whole disk encryption. Organizations that store sensitive information, such as PII or PHI, are required by regulatory laws to encrypt the data at rest and use security controls to restrict access to the stored data.

Data in Use: Data in use is data that is being processed and is stored in a computing device’s primary storage. For example, data stored in a computer’s RAM that is being used in a computer process.

Protecting the sensitive data that is being used is difficult. Even if the entire disk is encrypted, the data must first be decrypted before it can be used, making it vulnerable to attacks. The best technique is to use a defense-in-depth strategy, which ensures that even if one security control fails, other security controls can still protect sensitive information. To secure data in use, organizations can utilize a combination of techniques such as monitoring and prevention of data exfiltration through endpoints, full-disk encryption, and stringent access control.

Data in Motion: The term Data in Motion refers to data that is being transferred between two devices in a network. This could be data traveling within your company’s internal network or data moving outside of the network, such as the internet. With remote work becoming the new normal and employees accessing sensitive company data over the internet, it’s critical to use data-protection strategies.

Encryption is the most effective way to protect data in transit. VPNs(Virtual Private Networks) are one of the most often utilized techniques. A Virtual Private Network (VPN) is a safe and trustworthy communication channel between two devices over the internet. VPNs are typically used to link remote users to company’s network. Before being granted access to the company’s network, remote users must authenticate using strong authentication protocols.

Recommendations for Effective Data Classification:

Some recommendations for improving the efficiency of your data classification program are as follows:

  • Create a data inventory for your company. A data inventory is a list of all the information resources in an organization. You can use data discovery technologies to locate all sensitive information in your company.

  • Specify the classification levels for the information. There are no hard and fast rules for defining data classification levels. The labels to be used inside your organization are determined by your business needs and the type of data that your company stores.

  • Define the data classification criteria. Labels can be assigned to data based on their sensitivity or importance to the organization. Refer to the section “Criteria for Data Classification” of this article for more information on criteria selection.

  • Identify the personnel who will be in charge of data classification and its implementation. For more information, see the section of this article titled “Personnel responsible for Data Classification.”

  • For each level, specify the security controls that are required. These measures can include physical controls such as restricted access to workstations containing sensitive information, logical controls such as encryption of sensitive data at rest or in motion, and administrative controls such as separation of duties.

  • Define the frequency with which the data classification levels will be reviewed. These levels may vary over time as your company’s business objectives change. To guarantee data security, review the data labels on a regular basis to ensure that they are consistent with the data security requirements.

Interested in information security governance, risk and compliance? Enrol in MCSI’s MGRC - Certified GRC Expert.