A crucial first step towards ensuring your data is secure is to identify and classify your information assets. Without performing these tasks you will know neither where your assets are nor how to keep them secure. Information
· which assets are more valuable than others
· which assets require additional security controls
Failure to classify data can lead to inefficient and costly effort: attempting to secure all assets equally on the assumption that sensitive data is spread across the organisation in local, cloud and shared storage alike. The result is that some assets are protected excessively and others insufficiently.
A mature asset identification and classification process allows an organisation to:
· locate and categorise its assets
· select appropriate security controls for each asset
An inventory of assets, including their location and ownership, is an essential step in your information security asset management programme. Locating data has become difficult because it proliferates throughout the organisation across local and cloud-based storage, and because staff now expect to work from anywhere. Mapping where your data resides is a challenging but necessary task.
The key drivers for asset identification and classification are often legislation and regulations. Below are some common regulations and guidelines that formalise the classification and categorisation of information assets.
· Canada: Security of Information Act
· European Union (EU): General Data Protection Regulation (GDPR)
· United Kingdom: Official Secrets Acts (OSA)
· United States: NIST Federal Information Processing Standard 199, “Standards for Security Categorisation of Federal Information and Information Systems”
· United States: NIST Special Publication (SP) 800-60, “Guide for Mapping Types of Information and Information Systems to Security Categories” (this is considered the “how-to” manual for FIPS 199)
In this, the first part of a two-part blog, we will look at the different types of data classification and discuss some examples of data classification schemes.
Data classification is the process of organising data into categories or groups according to the sensitivity, criticality, or value of the data. It helps determine the security controls required to protect and manage the confidentiality, integrity, and availability (CIA) of your data and is a cornerstone of data security and risk management. Data classification is often required to maintain compliance with legal and/or regulatory requirements.
There are three main types of data classification:
· Context-based: Metadata such as ownership or location is used to derive values that can indicate the criticality or sensitivity of the data.
· Content-based: Contents of files are inspected to identify sensitive data rather than inferring it from the metadata. Compliance regimes such as PCI involve content-based classification as the classification is derived from the information itself.
· User-based: The manual assignment of data classification based on users’ knowledge of the data and the classification scheme your organisation uses.
Classification Scheme Examples
· Confidential: Usually considered the highest level of classification outside of government or military organisations. The loss or theft of this data can cause serious risk to the organisation. This category of data is usually subject to regulation or controlled by contractual agreement.
· Sensitive: A level of value less than confidential but still important to protect. Losing the data will raise the risk to the organisation, even if it is just reputational damage. Strategy documents or interorganisational correspondence can be considered sensitive.
· Private: Data that might not do the organisation damage but must be kept private for other reasons. Employee retention statistics or salary ranges are often classified as private.
· Proprietary: Data that is released outside the organisation on a restricted basis or contains information that could reduce the organisation’s competitive advantage, e.g. new product specifications.
· Public: Data that if lost would have little or no impact to the organisation. A briefing on proper anti-phishing techniques that does not disclose specific results may be considered public information and is suitable for sharing outside the organisation.
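As an added example that is not part of the original post, the following Python sketch applies the three classification types described above (context-based, content-based and user-based) to constructed sample files and maps the outcome onto the scheme labels just listed. The path-prefix and owner rules, the card-number heuristic with its Luhn check, and the "strictest label wins" policy are all my assumptions, not anything the post prescribes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Scheme labels from the post, ordered strictest first (the ranking is an assumption).
LEVELS = ["Confidential", "Sensitive", "Private", "Proprietary", "Public"]
# Hypothetical context rules: storage location prefix -> label.
CONTEXT_RULES = [("/hr/", "Private"), ("/board/", "Sensitive"), ("/rnd/", "Proprietary")]
# Heuristic for 13-16 digit card-number-shaped strings with optional spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

@dataclass
class Asset:
    path: str                         # location  (context metadata)
    owner: str                        # ownership (context metadata)
    content: str                      # file body (content-based inspection)
    user_label: Optional[str] = None  # manually assigned label (user-based)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop false positives on card-number-shaped strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def content_based(asset: Asset) -> Optional[str]:
    """Inspect the data itself: a valid card number is PCI data, so Confidential."""
    for m in PAN_RE.finditer(asset.content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "Confidential"
    if re.search(r"\bsalar(y|ies)\b", asset.content, re.I):
        return "Private"   # the post's salary-ranges example
    return None

def context_based(asset: Asset) -> Optional[str]:
    """Derive a label from metadata only, without reading the content."""
    for prefix, label in CONTEXT_RULES:
        if asset.path.startswith(prefix):
            return label
    return "Sensitive" if asset.owner == "legal" else None

def classify(asset: Asset) -> str:
    """User label, content and context each vote; the strictest valid label wins."""
    votes = [v for v in (asset.user_label, content_based(asset), context_based(asset))
             if v in LEVELS]
    return min(votes, key=LEVELS.index) if votes else "Public"
```

Running `classify` over an inventory of assets gives each one a single label, so the same control set can then be attached to every asset carrying that label.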
A data classification policy should be in place to allow your organisation to start designing the security controls needed for the most effective and efficient protection of its information. Without properly classifying your data you risk insufficiently protecting your critical data or, conversely, over-protecting your non-critical data.
Data categorisation is often confused with data classification; the two are closely related but distinct techniques. Data categorisation is the process of grouping together types of data with comparable sensitivity labels. NIST SP 800-60 states, “Information is categorized according to its information type. An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organisation or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.”
Categorising data into similar groups will help your organisation apply similar security controls to information assets with similar levels of sensitivity.
Data classification helps organisations prioritise their data protection efforts to improve data security and achieve regulatory compliance. Data classification also helps to reduce costs and boost productivity.