Classification Policy

Your data is important to you and you want to keep it safe. But applying the strictest security measures to all of your data is most likely overkill in terms of cost and resources. Data classification helps you to sort your data into categories and to set specific security measures per category. This helps in managing the costs and resources needed to secure the data.

How

The standard step organizations use to categorize their data is classification. In this step you determine how important the data (or dataset) is to your organization. Most organizations use 3 categories for the classification process, but some organizations use a 4th category. The most commonly used categories for data classification are:

  • Public
    All information that is accessible in the public domain can be used, reused and redistributed by anyone.
  • Internal / Confidential
    All information that is intended for use within the organization or its contractors. Unauthorized access, modification or removal could mean a medium or high risk to the organization.
  • Sensitive / Secret
    All information that is intended for a limited group of employees or contractors. Unauthorized access, modification or removal will mean a high risk to the organization.

To put your data into these categories, you need to understand what data you (will) have and why you need it (its purpose). When you know which data you need to classify, you can use multiple methods to classify it.

Using the CIA method is the most common and quickest way. CIA stands for Confidentiality, Integrity and Availability. For each of the CIA letters you determine the classification. Depending on the outcome, the security measures are set. For example, an internal memo to all employees could have the following classification: C=Medium, I=Medium, A=Low. As the highest score is Medium, this would result in a classification of Internal / Confidential.

Another method is using a Business Impact Analysis, which is a bit more extensive than the previous method, but it will give you a better and clearer insight into the importance of the data you are classifying.

For each classification category you can set appropriate security measures. Have a look at the related posts section below or check out our Controls menu.

Risks

In order to set up a classification policy that will actually be used by the organization, you need management support. This is true when implementing any policy, but as data classification is related to most security controls, it is extra important to have management support you on this.

Don’t use more categories than absolutely needed. Having too many categories will require more administration. Most companies don’t want administration for its own sake, so you need to explain to them why additional categories are required and why no other solution is possible.

Set up a classification process that is supported by the organization. If your organization is just starting a security certification process, you might want to keep it simple, but if your organization already has experience with classification, you might want to extend the classification process by including Business Continuity requirements, such as Recovery Time Objectives.


Example Policy Content

An example data classification policy can be downloaded below. Note that this is just an example policy and specific adjustments might be needed before you can use it within your own organization.


Related links

Gartner on Business Impact Analysis
ISACA IT Asset Valuation, Risk Assessment and Control Implementation Model