Discovery Leads to Classifying
Part One of Data Discovery described SecureState’s methodologies and implementation for gathering and identifying sensitive data that is stored, processed, and transmitted within the environment. Part Two describes what an organization can do with the knowledge and details they obtained when the Data Discovery assessment is complete; basically, “I have found sensitive data, now what should I do with this information?” The easiest answer is: remove all sensitive data to reduce the scope and attack surface area of the organization. However, we rarely see this as an applicable solution. Instead, the answer normally involves a more detailed and systematic approach to understanding why data exists, its impact, and its value to the organization. The answer more likely becomes: reduce data sets, locations, need-to-know, access, and properly segment and protect that data. A Data Classification Program can be the next step to building a secure environment around sensitive data sets.
Classifying data is the process of categorizing data assets based on nominal values according to their sensitivity (e.g., the impact of applicable laws and regulations). For example, data might be classified as public, internal, confidential, or highly confidential; or perhaps restricted, regulatory data, top secret, etc.
Data and information assets are classified according to the risk of unauthorized disclosure, modification, or access (e.g., being lost or stolen, whether inadvertently or nefariously). High-risk data, typically classified "Confidential", requires a greater level of protection, while lower-risk data, possibly labeled "Internal", requires proportionately less protection.
Large data stores, such as databases, tables, or files carry an increased risk, since a single event could result in a large data breach. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.
An Example of a Data Classification System:
- Public – information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to company disclosure rules, is available to all employees and all individuals or entities external to the corporation. Examples include:
  - Publicly posted press releases
  - Publicly available marketing materials
  - Publicly posted job announcements
- Sensitive – information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage, or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal data is information that is restricted to personnel who have a legitimate reason to access it. Examples include:
  - General employment data (excluding SSN and salary)
  - Business partner information where no more restrictive confidentiality agreement exists
- Confidential – highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Steward is required for access because of legal, contractual, privacy, or other constraints. Confidential data has a very high level of sensitivity. Examples include:
  - Medical records
  - Social Security Numbers
- Regulatory Data – information protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting, and handling of incidents. Regulatory Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a need-to-know basis. Regulatory Data:
  - Must be protected to prevent loss, theft, unauthorized access, and/or unauthorized disclosure as dictated by the regulating body or council
  - Must be destroyed when no longer needed. Destruction must follow the body's or council's data policies
  - Will require specific methodologies, procedures, and reporting requirements for the response to and handling of incidents
  - Examples of Regulatory Data:
    - Payment Card Industry (PCI)
    - Sarbanes–Oxley Act (SOX)
Classification Can Determine Impact:
A company should adopt a common set of terms, and relationships between those terms, in order to communicate clearly and begin to classify data types. By classifying data, the company can prepare, in general terms, to identify the risk and impact of a potential incident or data breach based on what type of data is involved, and what controls should be implemented to prevent unauthorized access. The classifications listed in the example above (public, sensitive, confidential, and regulatory) give a basis for determining the impact based on the level and type of access to the data. Together, data classification and level of access drive the business impact, which determines the response, escalation, and notifications for incidents, and should determine the security controls required for each data type. SecureState's Incident Response (IR) Team is comprised of industry experts with experience in Military Intelligence, Law Enforcement, and Big X Consulting. The IR Team at SecureState helps to manage and facilitate an organization's response and readiness capabilities, identifies and develops business impact analysis and planning, and becomes an essential keystone within the enterprise to ensure the security program matures.
Below are general charts used within Incident Response Plans that describe the impact, notification and escalation, and security controls all based around data classification.
Impact: The first chart describes how to measure impact: On the left side of the chart are types of events and potential access to the types of data (classification) as defined at the bottom of the graph. Together, this defines the impact of potential incidents.
Notification and Escalation: The second chart defines the notification and escalation based on the impact that was assigned. The impact of an incident or potential data loss drives the notification and escalation: who to call and when to call them. Establishing a defined notification and escalation (N&E) process is essential to properly validate, contain, and eradicate incidents.
Controls: The final chart describes security controls that could be implemented around specific data types. The policies that address data classifications should define general security controls for the access, sharing, storage, and destruction of specific data types. The strength of the security control should be proportional to the impact of unauthorized access to the data; for example, if confidential data requires strict security controls, unauthorized access to or disruption of that data would dictate a higher impact and a quicker resolution.
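As an added example (not SecureState's code or charts), the following Python puts the two rules above into working form: a collection inherits the classification of its most sensitive element, and classification combined with the level of access yields an impact that drives notification and escalation. The level ordering, element mapping, impact matrix, and escalation chain are constructed assumptions standing in for an organization's own policy and IR charts.

```python
from enum import IntEnum

# Added example; not SecureState's code. The level order, element mapping,
# impact matrix and escalation chain below are constructed assumptions that
# stand in for an organization's own classification policy and IR charts.

class Level(IntEnum):
    PUBLIC = 0
    SENSITIVE = 1
    CONFIDENTIAL = 2
    REGULATORY = 3

# Per-element classification, as a data discovery assessment might record it.
ELEMENT_LEVEL = {
    "press_release": Level.PUBLIC,
    "employee_name": Level.SENSITIVE,
    "partner_contact": Level.SENSITIVE,
    "ssn": Level.CONFIDENTIAL,
    "medical_record": Level.CONFIDENTIAL,
    "card_number": Level.REGULATORY,   # PCI-governed
}

def classify_collection(fields):
    """A table or file takes the level of its most sensitive field."""
    return max((ELEMENT_LEVEL[f] for f in fields), default=Level.PUBLIC)

# Constructed impact matrix: classification x what the intruder achieved.
IMPACT = {
    Level.PUBLIC:       {"attempted": "low", "viewed": "low", "exfiltrated": "low"},
    Level.SENSITIVE:    {"attempted": "low", "viewed": "moderate", "exfiltrated": "high"},
    Level.CONFIDENTIAL: {"attempted": "moderate", "viewed": "high", "exfiltrated": "critical"},
    Level.REGULATORY:   {"attempted": "moderate", "viewed": "critical", "exfiltrated": "critical"},
}

# Constructed notification and escalation chain keyed by impact.
ESCALATION = {
    "low": ["security analyst"],
    "moderate": ["security analyst", "security manager"],
    "high": ["security manager", "CISO", "legal"],
    "critical": ["CISO", "legal", "executive team", "regulator (per governing body)"],
}

def assess(fields, access):
    """Return (collection level, impact, who to notify) for an event on the collection."""
    level = classify_collection(fields)
    impact = IMPACT[level][access]
    return level, impact, ESCALATION[impact]

if __name__ == "__main__":
    # One Regulatory field (card_number) lifts the whole table to critical impact.
    print(assess(["employee_name", "card_number"], "exfiltrated"))
```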
End Result. Classifying data not only makes good sense, it defines data protection requirements specific to data sensitivity. Once you know which data needs the most protection, you can properly allocate funds and resources to defend those assets, thereby reducing the scope, time, effort, and resources needed to protect what's truly important. Employing a proper data classification scheme is cost effective, as it allows a business to focus on protecting its higher-risk data assets. For example, businesses that do not have a data classification system must treat all data as highly confidential and blanket the entire organization with the highest level of protection and controls. We know, however, that this rarely happens. We consistently see large gaps in security controls around data sets; we discover data sets on systems that have no need to store or process that data and lack stringent security controls; and companies simply don't have the resources for a blanket approach to security. Furthermore, we often observe the wrong controls being applied to protect the data. For example, employees may shred public information but recycle confidential information because they have no clear guidance on what to do.
The next blog will dive deeper into identifying and developing the proper security controls and protective measures to guard the confidentiality and integrity of the data. Information sharing controls, storage and transmission controls, and destruction controls provide the framework for tactically addressing data security.
If you need help, SecureState’s extensive experience in the government and commercial sectors gives us the skill set and experience needed to design your data classification program.
Data Discovery – Part 1
Data Discovery – Part 3