In a previous post, we shared how to start protecting your sensitive data.
For example, security training is always a good idea, and not just to start; keep it continuous for the life of your business.
And policies? Make sure you have them in your three security control areas: administrative, physical, and technical.
Let's go back to your data inventory. After a thorough inventory process, you should have a good picture of where data resides in your organization and who has access to it.
Since there are varying degrees of data sensitivity, it's time to put your data into specific classification levels. That's where your data classification process comes in.
Data classification is the process of systematically categorizing data based on pre-determined and specific criteria so it can be appropriately secured and protected.
Although you can classify data based on file type, metadata, and size, we'll classify based on content. Classifying by content makes good sense for information security since the most beneficial use of this process is knowing the sensitivity levels of your data.
Why else do we classify? Once we know the data we're dealing with (and the sensitivity levels), we can build appropriate and cost-effective security controls, monitoring, and tools around it. In addition, data classification is a requirement of many compliance standards like HIPAA, HITRUST, PCI DSS, and SOC 2.
In a nutshell, data classification tells us the sensitivity levels of the data we have so we can:
• design appropriate security controls for each level
• meet compliance requirements
• stay cost-effective with both of the above
Now that you have a good idea of the "what and why" of data classification, you're ready to look at some examples of data classification categories, also called levels.
For your data classification process to be effective, you must choose the appropriate number of categories for your organization. Many companies and security experts recommend starting with three levels and building up if needed. Let's look at example sets of three and then four categories.
Three classification levels are a great place to start with your data classification process. It's simple, easy to implement, and covers most business needs. The three levels are public, private, and restricted.
Public data is acceptable for widespread release without much restriction. Examples of public data include marketing materials, job postings, public websites, and product data sheets. Accordingly, the controls protecting public data are minimal.
Private data and documents are for internal use only. You can release them externally only under specific conditions or approvals.
Examples of private data include internal policies and procedures, strategic planning documentation, proprietary designs, and other intellectual property. Leaked private data can lead to reputational damage, lost profits, and losing a competitive advantage.
Some private data controls you may want to implement include monitoring and reporting, encryption, and security awareness training.
Restricted data is highly sensitive, subject to compliance restrictions, and cannot be externally distributed except under specific and approved conditions.
Protected Health Information (PHI), Personally Identifiable Information (PII), and credit card information are some examples of restricted data. Data breaches and leaks involving restricted information might involve legal implications, fines, media coverage, and a lengthy investigation and remediation process.
Put your most comprehensive technical, physical, and administrative controls in place to protect restricted data. Consider data loss prevention, auditing, video surveillance, access control, and advanced training.
Although the previous three levels are a helpful starting place, your organization might need the flexibility of four (or more) levels. Let's take a look at the most common classifications for four categories. They are public, internal, confidential, and restricted.
As described above, public data is open to a general audience. Examples include social media posts, website information, and marketing documents. Few, if any, security controls are needed, and disclosure does not violate any company policies or compliance standards.
Internal data is similar to the Private category above. It's for internal use only and includes documents such as standard operating procedures (SOPs), policies, and company emails. Keep internal data protected, since exposing it carries risk.
The Confidential category is flexible, as it can cover some internal data as well as your clients' data. Examples of confidential data include documents intended for a smaller team within your company (such as IT or HR) that should stay within that team only. For client data, it might be address lists or art files.
Use strong technical, physical, and administrative controls to protect confidential data since breached or leaked confidential information will negatively impact your business.
Lastly, restricted data is the most sensitive data, as described above. It includes PHI, PII, credit card information, and similar data. To protect this data, use your most substantial controls and limit access to key individuals and teams only. Monitoring and auditing data access is critical at this level.
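As an added illustration (this is not code from the original post or its author), the following Python script applies the content-based classification described earlier to the four levels just listed: it scans each document's text for PII, cardholder data, PHI terms and handling markers, assigns the highest level triggered, and looks up the controls that level calls for. The regex rules, marker phrases, level-to-control mapping and sample documents are all constructed assumptions for the example, not any organisation's real policy or data.

```python
import re

# Levels in ascending order of sensitivity (the four-level scheme from the post).
LEVELS = ("public", "internal", "confidential", "restricted")

# Hypothetical mapping from level to controls, loosely following the post's
# recommendations; an organisation would fill this in from its own policy.
CONTROLS = {
    "public": [],
    "internal": ["access control", "security awareness training"],
    "confidential": ["access control", "encryption", "monitoring"],
    "restricted": ["access control", "encryption", "monitoring", "auditing", "DLP"],
}

# Constructed content rules. The SSN and card patterns stand in for PII and
# cardholder data; the word lists stand in for PHI terms and handling markers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
PHI_TERMS = ("patient", "diagnosis", "medical record")
CONFIDENTIAL_MARKERS = ("confidential", "hr only")
INTERNAL_MARKERS = ("internal use only", "standard operating procedure")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; filters out phone numbers and IDs
    that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_card_number(text: str) -> bool:
    """True if any 13-16 digit run (spaces or dashes allowed) passes Luhn."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            return True
    return False


def classify(text: str) -> str:
    """Return the highest level triggered by the document's content.
    Content rules (PII, cardholder data, PHI) take precedence over any
    marker the author stamped on the document."""
    lowered = text.lower()
    triggered = {"public"}
    if SSN_RE.search(text) or has_card_number(text) or any(t in lowered for t in PHI_TERMS):
        triggered.add("restricted")
    if any(m in lowered for m in CONFIDENTIAL_MARKERS):
        triggered.add("confidential")
    if any(m in lowered for m in INTERNAL_MARKERS):
        triggered.add("internal")
    return max(triggered, key=LEVELS.index)


def required_controls(level: str) -> list:
    """Controls the (hypothetical) policy requires for a given level."""
    return list(CONTROLS[level])


# Constructed sample documents standing in for a data inventory (not real data).
SAMPLE_DOCS = {
    "press_release.txt": "Acme launches new product line. Visit our website for details.",
    "sop_backups.txt": "Standard Operating Procedure: nightly backups. Internal use only.",
    "hr_memo.txt": "CONFIDENTIAL - HR only. Compensation review schedule for Q3.",
    "claims_export.csv": "name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111",
    "phone_list.txt": "Helpdesk: 1234567890123 ext 5",  # 13 digits, fails Luhn
}


def classify_inventory(docs: dict) -> dict:
    """Map each inventoried document to its level, the step that turns the
    inventory from the post into a basis for choosing controls."""
    return {name: classify(body) for name, body in docs.items()}


if __name__ == "__main__":
    for name, level in classify_inventory(SAMPLE_DOCS).items():
        controls = ", ".join(required_controls(level)) or "minimal"
        print(f"{name:20} {level:13} controls: {controls}")
```

The design point is the precedence rule in `classify`: a document stamped "internal use only" that turns out to contain a card number is still restricted, because the content, not the label, determines sensitivity. The Luhn check keeps a 13-digit helpdesk number from being flagged as cardholder data, which is the kind of false positive that makes DLP rules noisy in practice.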
Your data classification strategy will help you prioritize security controls, meet compliance requirements, and control risk in your organization. Whether you go with three levels or four, the classification process enables you to benefit most from your security controls. At the same time, it reduces risk and helps identify potential threats. Make sure it's part of your overall data protection strategy.
Protect your sensitive data by finding a secure print partner who knows data classification. Download our FREE Secure Marketing Communications Checklist now!