Does Your Business Need a Data Classification Strategy?
"Banks don't give every employee keys to the vault."
It was an obvious statement, but, in this instance, it applied not to banks but to owners of smaller businesses and how they treat the security of their data. A survey of that topic reported in GetApp had found that almost half of employees of small businesses had more access to data than their jobs required.
But it got worse. Businesses reported that 12 percent of their employees had access to all data. And so hypothetically one resentful employee, trying to get even or trying to turn a buck, could download proprietary information, including essential technology, and walk out with it. Another target could be customer information, including Social Security numbers. Lists of B2B purchasers, their addresses, preferred products, credit information. Literally, any data.
Why classify data
All large organizations today, from corporations to universities, health care organizations, and nonprofit membership organizations, routinely practice data classification. Why? Data classification is the indispensable first step in ascertaining the required levels of security. The status of the data, as we will discuss, dictates the level of security. Why?
- Most organizations have requirements for data security imposed by governments, business groups, and associations. These requirements range from individual privacy and confidentiality to the highest levels of national security.
- Organizations face consequences that they categorize from "compromising," to "seriously compromising," to "catastrophic" when certain data security is breached. Think of the national news stories on the "catastrophic" breach of customer data security at Verizon.
- All employees require access to data and the easier the access the better. But not all employees require access to legally private, confidential, or proprietary data. Managing access to information is much simpler and cheaper if "public data"—the lowest level of data classification—is segregated from data at higher security levels. It costs money to keep data systems secure—and that should not include public data.
The first step, then, is classification. And the first decision to be made by a business is what classifications are relevant to the business. Let's look at a classification system that is "classic," but nevertheless does the job for even larger organizations. Each classification implies that the data in the class will require a different level of security.
These are three data "sensitivity" levels or categories:
- Restricted data (the highest level of security). This means that unauthorized disclosure, alteration, or destruction of this information could put your business at significant risk. For some organizations, this category includes, for example, data protected by state or federal privacy regulations, or data protected by industry, association, or other confidentiality agreements.
- Private data (middle level). This means that unauthorized disclosure, alteration, or destruction of the data could result in a moderate level of risk to the business. Into this category goes all data that is not restricted but also not "public" (public data being the one class that requires essentially no confidentiality protection).
- Public data (the lowest level). This means that unauthorized disclosure, alteration, or destruction of the data would present little or no risk to the business. Examples of public data might be press releases, catalogs, public announcements, and such. The only concern for a business's public data is that the stored data not be deleted or destroyed.
In many organizations, an employee (or a department in large organizations) is assigned responsibility for classifying data and protecting it with the requisite levels of security. This is sometimes called the "data steward," but, whatever the title, the responsibility of the position is for the "life cycle" of the information. That means responsibility for the data from the time the business acquires it, through its applications to the business, to the end of the period of its usefulness when it is discarded.
Making data classification work
The two challenges to data classification and data security are reviewing and classifying large and constant influxes of new information, and maintaining security of the classified information at the appropriate levels. Computer data security at various levels is a well-developed specialty. Here, we will focus on the specifics of data classification.
Given the three broad classifications, and the need to associate all data with one of those classifications, how can the task be accomplished without the impossible requirement to consider each individual datum? The answer is to assign to each of the three broad classifications certain subcategories of data. What does that mean?
Much will depend upon the type of business, of course. For example, businesses that deal in any way with patient records will have state and federal security guidelines. And businesses that use credit cards also will come under industry regulations and specifications.
But in most businesses, these kinds of categories of information will be classified automatically as "restricted" or "private":
- Data that comes under federal and state privacy laws and regulations.
- Personal or private data about individuals—customers and employees—such as Social Security number, address, credit card information, account number, or contact information.
- Proprietary information related to any product or process owned by the business.
- Computer access information such as passwords, administrator access, or cryptographic private keys.
Obviously, not all these concerns will apply to all businesses. But for most businesses, there will be additional concerns. When subcategories of data like these are designated as "restricted," "private," or "public," the overall process of classification and assignment of security level becomes easier.
As a rule, whoever is the data steward for a business may decide to assign a single classification to all data that shares a given function or purpose. But one rule does apply here. When a data collection is classified, the classification must be the most restrictive required by any piece of data in the collection. If the collection includes name, address, and Social Security number, then the collection must be restricted because of the Social Security number.
Whatever collections or subcategories are identified to facilitate data classification, it is well to bear in mind that there is not one consideration (security) but several. In providing guidance for the classification of data, many organizations ask data stewards to consider these three parameters:
- Confidentiality requirements must be considered for reasons discussed above.
- Data integrity requirements must be considered: a judgment of the consequences if the data were destroyed, lost, or otherwise altered without authorization.
- Data accessibility requirements must be considered: a judgment of the consequences if this data were not accessible to those who need it.
In each category, those who classify data are urged to rate the "potential impact" as low, moderate, or high. Yes, given the very nature of data and why a business collects and protects it, lack of accessibility to those who need it can be as "severe" a problem as a loss of confidentiality or integrity.
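The two rules above lend themselves to a small piece of code, added here as an illustration and not part of the original article: a table maps each kind of field to one of the three sensitivity levels, a collection inherits the most restrictive level of any field it contains (the Social Security number rule), and the steward's low/moderate/high judgments for confidentiality, integrity and availability are kept side by side so that a public collection can still carry a high availability rating. The field names and the mapping table are constructed assumptions; a real steward's table depends on the business and the regulations it falls under.

```python
"""Added example (not from the original article): classify a data collection
by the most restrictive field it contains and record the potential impact
for confidentiality, integrity and availability. All field names and the
sensitivity table below are constructed for illustration."""

from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """The three sensitivity levels; higher value = more restrictive."""
    PUBLIC = 0
    PRIVATE = 1
    RESTRICTED = 2


class Impact(IntEnum):
    """Potential impact rating the steward assigns per parameter."""
    LOW = 0
    MODERATE = 1
    HIGH = 2


# Constructed table: kind of field -> sensitivity, following the article's
# subcategories (privacy-law data, personal data, proprietary data, access
# credentials are restricted or private; press releases and catalogs are public).
FIELD_SENSITIVITY = {
    "press_release": Sensitivity.PUBLIC,
    "catalog_entry": Sensitivity.PUBLIC,
    "name": Sensitivity.PRIVATE,
    "address": Sensitivity.PRIVATE,
    "contact_email": Sensitivity.PRIVATE,
    "ssn": Sensitivity.RESTRICTED,
    "credit_card": Sensitivity.RESTRICTED,
    "password_hash": Sensitivity.RESTRICTED,
    "private_key": Sensitivity.RESTRICTED,
    "product_design": Sensitivity.RESTRICTED,
}

# Confidentiality impact follows directly from the sensitivity level.
CONFIDENTIALITY_IMPACT = {
    Sensitivity.PUBLIC: Impact.LOW,
    Sensitivity.PRIVATE: Impact.MODERATE,
    Sensitivity.RESTRICTED: Impact.HIGH,
}


@dataclass(frozen=True)
class ImpactRating:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    @property
    def overall(self) -> Impact:
        """High-water mark across the three parameters."""
        return max(self.confidentiality, self.integrity, self.availability)


def field_sensitivity(field: str) -> Sensitivity:
    """Look up one field. A field the steward has not reviewed is treated as
    RESTRICTED so an unknown field can never silently lower a collection."""
    return FIELD_SENSITIVITY.get(field, Sensitivity.RESTRICTED)


def classify_collection(fields) -> Sensitivity:
    """The collection's level is the most restrictive level of any field."""
    if not fields:
        return Sensitivity.PUBLIC
    return max(field_sensitivity(f) for f in fields)


def driving_fields(fields):
    """Which fields force the collection to its level (for the steward's record)."""
    level = classify_collection(fields)
    return [f for f in fields if field_sensitivity(f) == level]


def rate_impact(fields, integrity: Impact, availability: Impact) -> ImpactRating:
    """Combine the derived confidentiality impact with the steward's own
    judgment of integrity and availability impact for this collection."""
    return ImpactRating(CONFIDENTIALITY_IMPACT[classify_collection(fields)],
                        integrity, availability)


if __name__ == "__main__":
    # Constructed sample: the article's own example of a mixed collection.
    customers = ["name", "address", "ssn"]
    print(classify_collection(customers).name, driving_fields(customers))
    # A public collection whose only concern is that it stays available.
    print(rate_impact(["press_release"], Impact.LOW, Impact.MODERATE))
```

Running the block classifies the name/address/SSN collection as RESTRICTED and reports that `ssn` is the field driving that result; the press-release collection comes out LOW for confidentiality but MODERATE overall because of its availability rating, which is exactly the point the article makes about accessibility being its own consideration.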
Once the business owner or manager accepts the importance of data classification, there are classification methods and, of course, software to direct and greatly facilitate the process. The essential step, apparently so far taken by only about half of smaller businesses, is to assign importance to data classification and the corresponding levels of security.
White Mountain IT Services
White Mountain IT Services offers the spectrum of information technology support to businesses throughout New Hampshire and Massachusetts. White Mountain Computer Consulting is top-rated in our region for computer support, IT consulting, expert network support, and can serve as your virtual chief information officer. Our IT support teams have been meeting and exceeding customer expectations for more than 35 years.
The first step is to reach out to us and ask for more information and a demonstration.
Be sure to check back here for information, insights, and updates on IT services and support.