26 September 2018
Data Classification – What data are we holding?
The moment your organisation starts recording customer or client data it becomes your responsibility to protect and secure that data. Not only is this good practice – it is the law. These responsibilities also stretch to data recorded about internal employees. However, security strategies are not just about personal information. Any proprietary or confidential intellectual property, whilst not necessarily covered by privacy laws, should also be secured – it’s good business practice.
The first step in creating a security strategy is to identify what types of data your organisation holds. Data classification is intended to allow an organisation to operate effectively whilst protecting sensitive data. Classification schemes differ from organisation to organisation but it’s best to make them as simple as possible.
Below is a sample data classification scheme:
Public: Data that may be freely disclosed to the general public. Eg – Marketing Material, Contact Information
Internal Only / Proprietary and non-sensitive: Internal data that is not meant for public disclosure. Eg – Staff organisation charts, Sales scripts
Confidential / Proprietary and sensitive: Sensitive data that if compromised could negatively affect operations. Eg – Vendor Contracts
Restricted: Highly sensitive corporate and customer data that if compromised could put the organisation at financial or legal risk. Eg – Intellectual Property, Credit Card Information, Social Security Information, Private Health Information
Confidential and Restricted categories can be split into sub-categories to indicate regulatory relevance or further access control models that may be required. Below are examples of such sub-categories that should be added for clarity:
• GDPR – General Data Protection Regulation
• PCI – Cardholder Data (Payment Card Industry)
• HIPAA – Health Insurance Portability and Accountability Act
Within an organisation, the process of determining the classification of data should be organised around your business processes, and classification should be driven by the process owners and key stakeholders.
Ask yourself the following questions:
• What data does your business collect?
• What data do you create about customers and partners?
• What proprietary data do you create?
• What transactional data do you deal with on a daily basis?
• Of all the collected and created data, what categories and sub-categories does it fit into?
Once you have your data classified you are ready to move to the second step of creating your security strategy – identifying where data is stored. Stay tuned for more information.