The first question that comes to mind is "Why do we need data classification? Is it required at all?" If it is, the next question is "What criteria should I use to classify the data in my environment?" and the last is "How do we implement this?"
The answer to the first question is yes. Some data needs more protection than other data, so it is inefficient to treat all data the same way when designing and implementing a security system.
More sensitive data, such as human resources records or customer information, is classified in a way that shows that its disclosure carries a higher risk. Informational data, such as material used for marketing, is classified as lower risk. Data classified at a higher risk level creates security and access requirements that do not exist for lower-risk data, which may not need much protection at all.
Data classification helps ensure that data is protected in the most cost-effective way: controls are spent where the risk is.
Classification schemes differ from company to company, but in general there are two main groups:
Now that we understand the importance of data classification, the immediate question is what criteria to use to sort the data into categories. Below are some general points that can be used when classifying data.
Data Classification Criteria
After the classification scheme is chosen, the organization must define the criteria for assigning a classification. No established guidelines exist for setting these requirements, but some considerations are as follows:
- Who should be able to access or maintain the data?
- Which laws, regulations, directives, or liabilities apply to protecting the data?
- For government organizations, what would the effect on national security be if the data were disclosed?
- For non-government organizations, what level of damage would result if the data were disclosed or corrupted?
- Where is the data to be stored?
- What is the value or usefulness of the data?
The final question is "How do we implement this?" The steps below outline how to implement data classification in your organisation.
Data Classification Procedures
- Identify the data custodian responsible for maintaining the data and its security level, and define their responsibilities.
- Specify the criteria by which the information will be classified and labelled.
- Specify the data owner who assigns the classification.
- Document exceptions to the classification policy.
- Select the security controls that will be applied to each classification level.
- Define procedures for declassifying data when it no longer needs its current level of protection.
- Create a security awareness program so that staff understand the labels and the handling rules that go with them.
Example: US Government Classification Levels
- Top secret: weapon blueprints, technology specifications, spy satellite information, and other military information whose disclosure could cause exceptionally grave damage to national security.
- Secret: deployment plans, missile placement, and other information whose disclosure could cause serious damage to national security.
- Confidential: strength of forces in the United States and overseas, technical information used for training and maintenance, and other information whose unauthorized disclosure could damage national security.
- Sensitive but unclassified: medical or other personal data whose disclosure might not seriously damage national security but could cause citizens to lose trust in the government.
- Unclassified: military and government information that does not fall into any of the four categories above; it is generally releasable to the public on request under the Freedom of Information Act.