Data classification is as fundamental a part of securing your organization's information as knowing what data you have and who can access it. It is the process of identifying different types of information and assigning each a pre-determined level of sensitivity. If your organization doesn't properly classify its data, it cannot properly protect that data.
Let's take a look at what classification is and why it is important. Then we'll review a practical example of what data classification looks like.
What is Data Classification?
Data classification means understanding not only what types of data you own, but also what you're doing with it. For example, a financial institution holds a person's mortgage application, which contains a wealth of Non-Public Personal Information (NPPI) such as income level, current home address, previous home address, other loan information, and more. This information needs to be protected. However, the level of protection applied depends on the classification it is assigned.
Every organization should have definitions for what kinds of information fit into which categories. Categories often form a common hierarchy of sensitivity: protected, sensitive, confidential, and public. How the categories are named and defined may be somewhat unique to an organization, but common categories such as the above are the ones most often employed. Regardless, having the categories and understanding what type of information each category contains is critical to determining how you manage that information.
Each category must include clear handling guidelines and mandated levels of controls. For example, if you've identified a set of documents that contain NPPI, like the above-mentioned mortgage application, your policy may say to always encrypt this category of documents when they are transmitted over public systems. That is one of the controls you have put in place for information that you have categorized, or classified, as legally protected.
Data Classification Requirements
Depending on the type of organization, there are regulatory requirements around how data is managed. Requirements may vary depending on the category of data. Should it be encrypted at rest or in transit? Should it be masked when it's displayed to staff members who do not need to see it to complete their job duties?
There are both federal and state rules that may impact your organization and the data you hold. It's important to understand which apply to you and how they all work together. You may face penalties if you are not appropriately classifying and managing your data, especially if there is a breach in which legally protected data is exposed.
Data classification is also important for the purposes of privacy. Privacy requirements typically focus on how data is used, not necessarily on how it's managed. For example, suppose you have a list of customers and, through analysis, have determined which of them may be ready to buy a new home. How you use that data and how you share it may be regulated for the protection of privacy.
When developing your data classifications, it's important to take into account both regulatory requirements and any privacy requirements (which we're seeing more and more of) that may apply to your data.
Why is Data Classification Important?
A proper data classification allows your organization to apply appropriate controls based on the predetermined category of the data. Remember, your controls often come with a cost. You don't necessarily need the same kinds of controls for all kinds of data.
Take an online marketing brochure. You want it viewable by everyone; you just don't want anyone to be able to alter it. That takes a different level of control than something like a credit file that should only be viewed by certain people. You apply the level of security control required for the data as you have classified it.
Classifying your data can save you time and money because you are able to focus on what's important and not waste time putting unnecessary controls in place.
A Data Classification Win!
Let's look at an example of how data classification saved a company from having to report an event. In this scenario, a Human Resources Manager, who is very diligent and conscientious about her work requirements, needs to take some raw data home for analysis. She copies healthcare records and personnel files from her network onto her work laptop.
On her way home, she stops off at the grocery store, and locks her laptop in the trunk of her car. Unfortunately, a criminal steals her car using the latest key fob booster trick. The car and laptop are lost, along with the protected healthcare information and personal records for all the employees!
What are the consequences? The records clearly fall under HIPAA and contain NPPI! Is it a reportable event? The answer depends on how that information was classified by her employer and what controls were in place for the management of that laptop.
Most of the time you get an exemption if the content on the laptop is encrypted, meaning it is not reasonable to expect that someone in possession of the physical device will be able to access the information on it. Most regulations at this time say that this is not a reportable event. While you should make a record that it occurred, you do not have to declare it a breach. Because this organization had classified the data appropriately and had the proper controls in place on the laptop, they did not have to report it!
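The following is an added example, not code from the article, that turns the handling guidelines above into something checkable: per-field labels rolled up to a record classification (the mortgage application), an assumed table mapping each category to its mandated controls (encryption at rest and in transit, masking on display, integrity protection for the public brochure), masking for staff without a need to know, and the lost-laptop decision. The category-to-control table and field labels are constructed assumptions for illustration, not any regulator's rule.

```python
from dataclasses import dataclass, field

# The article's sensitivity hierarchy, ordered most to least sensitive.
LEVELS = ["protected", "sensitive", "confidential", "public"]

# Assumed handling guidelines (constructed for this example, not the
# article's or any regulator's): the controls each category mandates.
REQUIRED_CONTROLS = {
    "public": {"integrity_protected"},          # readable by all, alterable by none
    "confidential": {"access_controlled"},
    "sensitive": {"access_controlled", "encrypt_in_transit"},
    "protected": {"access_controlled", "encrypt_in_transit",
                  "encrypt_at_rest", "mask_on_display"},
}

# Assumed per-field labels for a mortgage application: NPPI fields are
# "protected"; the applicant's name alone is treated as "confidential".
FIELD_CLASS = {"name": "confidential", "income": "protected",
               "address": "protected", "prior_address": "protected",
               "loan_balance": "protected"}

def classify_record(record):
    """A record takes the classification of its most sensitive field
    (high-water mark); unlabeled fields are rejected rather than guessed."""
    unknown = set(record) - set(FIELD_CLASS)
    if unknown:
        raise ValueError(f"unclassified fields: {sorted(unknown)}")
    return min((FIELD_CLASS[f] for f in record), key=LEVELS.index)

@dataclass
class Asset:
    name: str
    classification: str
    controls: set = field(default_factory=set)  # controls actually in place

def control_gaps(asset):
    """Mandated controls the asset is missing, given its classification."""
    return sorted(REQUIRED_CONTROLS[asset.classification] - asset.controls)

def mask_for_display(record, viewer_needs_nppi):
    """Mask protected fields unless the viewer needs them for their duties;
    a field with no label is masked as well (fail closed)."""
    return {f: (v if viewer_needs_nppi
                or FIELD_CLASS.get(f, "protected") != "protected" else "***")
            for f, v in record.items()}

def lost_device_is_reportable(asset):
    """The laptop scenario: protected data on a lost device is a reportable
    breach unless the device's storage was encrypted."""
    return (asset.classification == "protected"
            and "encrypt_at_rest" not in asset.controls)
```

For the HR laptop, `control_gaps(Asset("hr-laptop", "protected", {"access_controlled"}))` lists the missing encryption and masking controls, and `lost_device_is_reportable` on that same asset returns True until `encrypt_at_rest` is added.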
Data classification is an important first step in protecting your information. Accurately defining your classifications and putting the proper controls in place can mean the difference between having to report a breach and not.