Data Classifying Leads to Data Controls
Part One of Data Discovery described SecureState’s methodologies and implementation for gathering and identifying sensitive data that is stored, processed, and transmitted within the environment. Part Two described what an organization can do with the knowledge and details they obtained when the Data Discovery assessment is complete. Part Three dives deeper into identifying and developing the proper security controls and protective measures to guard the confidentiality and integrity of the data. Information sharing controls, storage and transmission controls, and destruction controls provide the framework for tactically addressing data security.
Let’s recap how to generally classify data, which is the process of categorizing data assets based on nominal values according to their sensitivity (e.g., impact of applicable laws and regulations). Basically, the organization’s data and data entrusted to the organization from third parties fall into four major classifications as an example: Public, Internal, Confidential, and Regulatory. Classifying this data into meaningful labels can initially be accomplished by using the following tables:
Corporate Confidentiality Requirements

Public Data
Description:
- Data that is not confidential and can be made public without any implications for the Organization.
- Loss of data availability due to system downtime is an acceptable risk.
Examples:
- Product brochures widely distributed
- Data widely available in the public domain, including the Organization’s publicly available websites
- Published financial reports required by regulatory authorities

Internal Data
Description:
- Data is restricted to data owner approved access and protected from external access.
- Unauthorized access could influence the Organization’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence.
- Must be stored in a closed container and destroyed when no longer needed.
- Is the “default” classification if one has not been defined explicitly.
Examples:
- Passwords and data on corporate security procedures
- Know-how used to process client data
- Standard Operating Procedures used in all parts of the Organization’s business
- Product formulations
- Processing conditions
- Electronic transmissions from clients
- Product data generated for the client by the Organization’s production activities as specified by the client
- Customer lists
- Data claimed by a customer as confidential
- Confidential customer business data and confidential contracts

Confidential Data
Description:
- Key Business Data
- Key Personnel Data
- Key Financial Data
- Data created and used by the Organization in the conduct of its business to employ people, to log and fulfill customer orders, and to manage all aspects of corporate finance
- Access to this data is restricted within the Organization. The highest possible levels of integrity, confidentiality, and restricted availability are vital.
- Disclosure of Confidential Data to parties outside the Organization must be authorized by executive management.
Examples:
- Salaries and other personnel data
- Accounting data and internal financial reports
- Non-disclosure agreements with clients/vendors
- The Organization’s business plans
- Non-public data which gives the Organization any kind of advantage over its competitors
- Non-public financial data
- Research data
- Medical records
- Social Security Numbers
- Personnel and/or payroll records

Regulatory Data
Description:
- Information protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents.
- Sensitive in nature, and access restricted. Disclosure is limited to individuals on a need-to-know basis.
- Must be protected and destroyed to prevent loss, theft, unauthorized access, and/or unauthorized disclosure as dictated by the regulating body or council.
Examples:
- Any data identified by regulatory body/counsel to be protected
The following procedures provide basic requirements for protecting the privacy and security of data at varying sensitivity levels while at rest, in transmission, and through the disposal process. The Organization’s data associated with each sensitivity level may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the process being assessed. It is the responsibility of the Data Owner to classify and label his or her information assets and ensure that the appropriate protective measures are in place to secure the confidentiality of the information. The Data Owner may delegate responsibility for the operation and maintenance of the security controls to a Data Custodian (for example, someone in IT), but the Data Owner is still accountable for the security of the information.
Stage: Classify
Role: Data Owner
Description:
- Determine the appropriate classification level for the data:

Stage: Label
Role: Data Owner
Description:
- Affix labels on physical assets (printed documents, backup tapes, CDs/DVDs, etc.)
- Record the classification level for the asset in one of the Organization’s inventory systems (typically used for centrally managed cyber assets such as applications, databases, and technical/network infrastructure)
- Include classification level in the footers of electronic documents and emails
- Include classification on system authentication or login screens

Stage: Protect
Role: Data Owner or Data Custodian
Description:
- Identify the appropriate protective measures for the asset based on the asset’s classification
- Implement the appropriate protective measures
- Monitor the correct functioning of, and compliance with, the protective measures

Begin to classify data by using flow diagrams like the example below:
Labeling is the practice of marking an asset with its appropriate classification level so it can be easily seen by others and appropriately handled. There are several methods for labeling information assets; examples include:
- Electronic information assets that can be printed should contain a confidentiality symbol in the document footer on every printed page.
- Physical assets should be stamped with the appropriate classification level using the specially designed classification stamps.
- Any assets that cannot be stamped should be labeled using a pre-approved printed sticker.
After classifying and labeling an information asset, the next step is to apply the proper security controls or protective measures to guard the confidentiality of the asset. The following tables summarize the framework used to annotate security controls for sharing and storing information according to the classification level, and are used just as an example of what a Data Classification program would entail. The framework includes data protection controls for: Information Sharing, Storage, and Destruction.
Information Sharing Controls:
Data is a critical asset of the Organization, its business partners, and its customers. All individuals employed by the Organization are responsible for protecting the confidentiality, integrity, and availability of the data generated, accessed, modified, transmitted, stored and/or used by the Organization, irrespective of the medium on which the data resides and regardless of format. The protection of the Organization’s data is governed by a growing collection of international, federal and state laws relating to privacy and security. Through a number of legal statutes and regulations, the Organization may now have a legal responsibility for the protection of employees’, contractors’, customers’, suppliers’ and business partners’ data.
If you need help, SecureState’s extensive experience in the government and commercial sectors gives us the skill set and experience needed to design your data discovery, data classification, and data security control programs.
Data Discovery – Part 1
Data Discovery – Part 2