One of the most urgent steps that many organizations are facing in their information security program is that of data classification. While this, and role-based access controls, are two of the most critical processes in the changing security landscape, they are also two of the most painful. Many organizations do not even know where their data is located, stored, processed or used to a full extent and are spending a great deal of resources just understanding “what they have” and “how it is used”.
While knowing where the data is and how it is used is essential, organizations must also embrace some type of mechanism for classifying data. In some cases this can be as easy as creating a standard set of data definitions such as Private Identity Data, Internal Use Only, Customer Confidential, etc. and then building a policy around how data of each type is to be created, managed, stored, processes, handled and destroyed. For many small businesses, this can be a relatively small undertaking and when done right can provide a real improvement in security – IF EVERYONE FOLLOWS THE RULES.
In larger organizations, classifications may be more diverse. There may be Private Employee Identity Data, Private Employee Healthcare Data, Customer Private Identity Data, Internal Use Only, Customer Confidential or others. Many organizations even go a little wild with this and build small acronyms and/or a legend into their policy so that you can label a word document of a contract with a client something like CCC for Customer Confidential – Contracts” or even worse, they will add a department code followed by some acronym that the department heads have made up. This is where the pain gets excruciating!
At MSI, we are big supporters of keeping the classifications as simple as possible. In most cases we are able to stick with “PII” for personal identity information, “Internal Use Only” for sensitive data not to be released outside of the company, “Confidential” for data that must be protected from all eyes except the intended participants and maybe a small set of divisions for other data outside of these such as HR, Finance, M&A, HIPAA, GLBA, etc. depending on what groups need to access the data or what regulations apply to the data. Of course, these can then be added to folder names, document headers, meta-tags and the myriad of other places used to quickly identify data.
Once you get your head around a working group of classifications, then comes the next task – identifying the appropriate controls for each type of data. That process takes experience, insight into specific business processes and a lot of patience. Start with data classification, though, and then build from there. As security evolves and becomes more nuanced, those with data classification schemes in place will be ahead of the coming curve. In the future, not all data will be treated or regulated the same, so make it easy on yourself and get started with data classification as soon as you can!