Cyber and Information Security – How to series #7
Classifying your Data
Why do it? We’re not in the Secret Service!
Just as you might lock away or hide your valuable jewellery at home, whilst leaving the everyday jewellery and non-sentimental trinkets on the dressing or bedside table, you should be doing the same with your data.
But how do you tell what is valuable to the organisation and what isn’t? How do you work out what your crown jewels are? Quite simply, by working out what is important, valuable or sensitive to your organisation and then classifying it accordingly.
What actually do we mean by Data Classification?
Data classification is the process of organising data based upon the following criteria:
- Value of Information – based on impacts assessed during risk assessment
- Sensitivity and Criticality of information – based on the highest risk calculated for each information item during risk assessment
- Legal and contractual obligations – based on Legal, Regulatory, Contractual and other obligations.
The process is of particular importance when it comes to risk management, compliance, and data security. And on a basic level, the classification of data makes it easier to secure, locate and retrieve.
It is important to state that the amount of information that falls into a “Confidential” category (or whatever terminology you use for the most sensitive data) should be carefully limited; the cost and operational inconvenience of protecting it properly is such that it needs only to be information whose release can significantly damage your organisation.
Alongside classification come “Marking” and “Handling”. Marking is simply labelling (physically) the documents, drawings, scans and emails according to your classification.
Stickers, footer and heading templates, watermarks and others can all be used.
What it means in practice is this: when the last person before you has gone home for the day and you are locking up, just as the contract cleaners are coming in, and you notice a document on a desk that is marked as “Confidential”, you will know without doubt that it should not be left on that desk and that it needs to be locked away, thereby preventing a possible data breach or theft of intellectual property from taking place.
The reason you know that the confidential document should not be left on a desk overnight and in full view of unauthorised persons (the outsourced cleaning company) is that handling restrictions (what you can and cannot do with the document) are attached to the classification determination. These restrictions become more restrictive the higher the level of classification given to the information, and less so for lower-grade material.
Types of data (the classifications shown are illustrative – you can choose your own)