What are the three main types of data classifications discussed in this course safe schools?

Learn about the different types of classification and how to effectively classify your data in Data Protection 101, our series on the fundamentals of data security.

Data classification is broadly defined as the process of organizing data by relevant categories so that it may be used and protected more efficiently. On a basic level, the classification process makes data easier to locate and retrieve. Data classification is of particular importance when it comes to risk management, compliance, and data security.

Data classification involves tagging data to make it easily searchable and trackable. It also eliminates duplicate copies of data, which can reduce storage and backup costs while speeding up the search process. Though the classification process may sound highly technical, it is a topic that should be understood by your organization’s leadership.

Reasons for Data Classification

Data classification has improved significantly over time. Today, the technology is used for a variety of purposes, often in support of data security initiatives. But data may be classified for a number of reasons, including ease of access, maintaining regulatory compliance, and meeting various other business or personal objectives. In some cases, data classification is a regulatory requirement, as data must be searchable and retrievable within specified timeframes. For the purposes of data security, data classification is a useful tactic that facilitates proper security responses based on the type of data being retrieved, transmitted, or copied.

Types of Data Classification

Data classification often involves a multitude of tags and labels that define the type of data, its confidentiality, and its integrity. Availability may also be taken into consideration in data classification processes. Data’s level of sensitivity is often classified based on varying levels of importance or confidentiality, which then correlates to the security measures put in place to protect each classification level.

There are three main types of data classification that are considered industry standards:

  • Content-based classification inspects and interprets file contents, looking for sensitive information.
  • Context-based classification looks at application, location, or creator, among other variables, as indirect indicators of sensitive information.
  • User-based classification depends on a manual, end-user selection of each document. User-based classification relies on user knowledge and discretion at creation, edit, review, or dissemination to flag sensitive documents.

Content-, context-, and user-based approaches can each be right or wrong depending on the business need and data type.
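The three approaches above are easiest to compare when they run side by side over the same documents. The following is an added example, not code from the article or from any classification product: it implements a content-based scan (regular expressions over the file body), a context-based check (path, application, creator) and a user-supplied label, combines them by letting the most sensitive label win, and flags any document where the approaches disagree for human review. It uses the Confidential/Internal/Public tiers the page describes later; the patterns, paths, default label and sample documents are all constructed assumptions.

```python
"""Content-, context- and user-based classification combined into one labeler.

Added example, not from the article or any product. The labels, patterns,
paths and sample documents below are all constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

LABELS = ("Public", "Internal", "Confidential")   # least -> most sensitive
RANK = {label: i for i, label in enumerate(LABELS)}
DEFAULT_LABEL = "Internal"  # assumption: anything with no signal is not public


@dataclass
class Document:
    path: str
    text: str
    application: str = ""             # context signal: which system produced it
    creator: str = ""                 # context signal: who created it
    user_label: Optional[str] = None  # user-based signal: label the author chose


@dataclass
class Result:
    label: str
    evidence: List[str] = field(default_factory=list)
    needs_review: bool = False        # True when the approaches disagree


# Content-based: inspect the file itself for sensitive information.
CONTENT_PATTERNS: Dict[str, List[re.Pattern]] = {
    "Confidential": [
        re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),          # card-like number
        re.compile(r"(?i)\bpassword\s*[:=]"),                # credential in text
        re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # key material
    ],
    "Internal": [
        re.compile(r"(?i)\binternal use only\b"),
        re.compile(r"(?i)\bdo not distribute\b"),
    ],
}

# Context-based: indirect indicators such as location, application or creator.
CONTEXT_RULES: List[Tuple[Callable[[Document], bool], str]] = [
    (lambda d: d.path.startswith("/finance/"), "Confidential"),
    (lambda d: d.path.startswith("/hr/"), "Confidential"),
    (lambda d: d.application == "secrets-manager", "Confidential"),
    (lambda d: d.creator == "legal@example.com", "Confidential"),
    (lambda d: d.path.startswith("/wiki/"), "Internal"),
    (lambda d: d.path.startswith("/www/"), "Public"),
]


def content_label(doc: Document) -> Optional[str]:
    """Most sensitive label whose patterns match the document body, else None."""
    for label in sorted(CONTENT_PATTERNS, key=RANK.get, reverse=True):
        if any(p.search(doc.text) for p in CONTENT_PATTERNS[label]):
            return label
    return None


def context_label(doc: Document) -> Optional[str]:
    """Most sensitive label implied by where/how the document lives, else None."""
    hits = [label for test, label in CONTEXT_RULES if test(doc)]
    return max(hits, key=RANK.get) if hits else None


def classify(doc: Document) -> Result:
    """Combine the three signals: the most sensitive label wins, and any
    disagreement between approaches is flagged for human review.
    User labels outside the known tiers are ignored."""
    signals = []
    for source, label in (("content", content_label(doc)),
                          ("context", context_label(doc)),
                          ("user", doc.user_label)):
        if label in RANK:
            signals.append((source, label))
    if not signals:
        return Result(DEFAULT_LABEL, ["default"])
    final = max((label for _, label in signals), key=RANK.get)
    evidence = [f"{source}:{label}" for source, label in signals]
    disagreement = len({label for _, label in signals}) > 1
    return Result(final, evidence, disagreement)


# Constructed sample documents (not real data).
SAMPLE_DOCS = {
    "pricing": Document("/www/pricing.html", "Plans start at $10 per month."),
    "onboarding": Document("/wiki/onboarding.md",
                           "Internal use only. Welcome to the team."),
    "notes": Document("/shared/notes.txt", "db password: hunter2"),
    "roadmap": Document("/shared/roadmap.docx", "Q3 roadmap draft",
                        user_label="Confidential"),
    "faq": Document("/www/faq.html", "Test card 4111 1111 1111 1111"),
    "scratch": Document("/tmp/scratch.txt", "lunch at noon"),
}


def classify_all() -> Dict[str, Result]:
    return {name: classify(doc) for name, doc in SAMPLE_DOCS.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        flag = "  <- review" if result.needs_review else ""
        print(f"{name:<11}{result.label:<13}{result.evidence}{flag}")
```

The "faq" document is the case the page warns about: its location says Public, but its content contains a card-like number, so the content signal wins and the disagreement is surfaced for review rather than silently resolved. "Most sensitive wins" is a deliberately conservative merge policy; a user label can raise a document's tier but never lower it below what the content scan found.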

Determining Data Risk

In addition to the types of classification, it’s wise for an organization to determine the relative risk associated with the types of data, how that data is handled, and where it is stored or sent (endpoints). A common practice is to separate data and systems into three levels of risk:

  • Low risk: If data is public and not easy to permanently lose (i.e. recovery is easy), this data collection and the systems surrounding it are likely a lower risk than others.
  • Moderate risk: Essentially, this is data that isn’t public or is used internally (by your organization and/or partners), but is not critical enough to operations, or sensitive enough, to be “high risk.” Proprietary operating procedures, cost of goods, and some company documentation may fall into the moderate category.
  • High risk: Anything remotely sensitive or crucial to operational security goes into the high risk category, as do pieces of data that are extremely hard to recover if lost. All confidential, sensitive, and necessary data falls into the high risk category.

Note: Some also use a more granular scale, adding “severe” risk or other categories to help further differentiate data.

Using a Data Classification Matrix

Creating and labeling data may be easy for some organizations. If there aren’t a large number of data types or perhaps your business has fewer transactions, determining the risk of data and your systems is likely less difficult. That said, many organizations dealing with high volume or multiple types of data are likely to need a comprehensive way of determining their risk. For this, many use a “data classification matrix.”

Creating a matrix that rates data and/or systems by how likely they are to be compromised and how sensitive the data is will help you quickly determine how to better classify and protect all things sensitive.
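The following is an added example, not code from the article or from any vendor tool, showing how the three risk levels above and a classification matrix fit together over a small inventory. The tier rules follow the page's Low/Moderate/High definitions; the likelihood scale, the matrix cells and their priorities, the baseline controls per level and the sample assets are constructed assumptions that an organization would replace with its own policy values.

```python
"""Risk tiers and a data classification matrix for a set of assets.

Added example, not from the article or any vendor tool. The tier rules follow
the three risk levels described in the text; the matrix cells, priorities,
control sets and sample assets are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RISK_LEVELS = ("Low", "Moderate", "High")
EXPOSURE_LEVELS = ("low", "medium", "high")   # how likely a compromise is


@dataclass
class Asset:
    name: str
    public: bool            # already public data?
    easy_to_recover: bool   # can it be restored quickly from backup or source?
    critical: bool          # crucial to operations or operational security?
    sensitive: bool         # confidential or regulated content?
    exposure: str           # one of EXPOSURE_LEVELS (assumed from where it lives)


def risk_level(asset: Asset) -> str:
    """Apply the three tiers: sensitive, critical or hard-to-recover data is
    High; non-public data that is neither is Moderate; public and easily
    recovered data is Low."""
    if asset.sensitive or asset.critical or not asset.easy_to_recover:
        return "High"
    if not asset.public:
        return "Moderate"
    return "Low"


# Matrix: (risk level, exposure) -> remediation priority, P1 being most urgent.
MATRIX: Dict[Tuple[str, str], str] = {
    ("High", "high"): "P1", ("High", "medium"): "P1", ("High", "low"): "P2",
    ("Moderate", "high"): "P2", ("Moderate", "medium"): "P3", ("Moderate", "low"): "P3",
    ("Low", "high"): "P3", ("Low", "medium"): "P4", ("Low", "low"): "P4",
}

# Minimum controls per risk level (assumed baseline; adjust to your policy).
CONTROLS: Dict[str, List[str]] = {
    "High": ["need-to-know access", "encryption at rest and in transit",
             "access logging and review", "tested backups"],
    "Moderate": ["authenticated access", "no public sharing", "backups"],
    "Low": ["integrity checks on published copies"],
}


def priority(asset: Asset) -> str:
    """Look the asset up in the matrix; reject unknown likelihood values."""
    if asset.exposure not in EXPOSURE_LEVELS:
        raise ValueError(f"unknown exposure level: {asset.exposure!r}")
    return MATRIX[(risk_level(asset), asset.exposure)]


def required_controls(asset: Asset) -> List[str]:
    """Baseline controls that follow from the asset's risk level."""
    return CONTROLS[risk_level(asset)]


def prioritize(assets: List[Asset]) -> List[Tuple[str, str, str]]:
    """Return (name, risk level, priority) ordered most urgent first."""
    rows = [(a.name, risk_level(a), priority(a)) for a in assets]
    return sorted(rows, key=lambda r: (r[2], r[0]))


# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("press releases", public=True, easy_to_recover=True, critical=False,
          sensitive=False, exposure="high"),
    Asset("cost of goods sheet", public=False, easy_to_recover=True,
          critical=False, sensitive=False, exposure="low"),
    Asset("internal wiki", public=False, easy_to_recover=True, critical=False,
          sensitive=False, exposure="medium"),
    Asset("customer card data", public=False, easy_to_recover=True,
          critical=False, sensitive=True, exposure="high"),
    Asset("payroll archive", public=False, easy_to_recover=False,
          critical=False, sensitive=True, exposure="low"),
]

if __name__ == "__main__":
    for name, level, prio in prioritize(SAMPLE_ASSETS):
        print(f"{prio}  {level:<9} {name}")
```

Note that "press releases" land at P3 despite a high likelihood of exposure, because public, easily restored data sits in the Low tier; the matrix is what keeps a likely-but-harmless compromise from outranking an unlikely-but-severe one such as the payroll archive.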

An Example of Data Classification

An organization may classify data as Restricted, Private, or Public. In this instance, public data represents the least-sensitive data with the lowest security requirements, while restricted data carries the highest security classification and represents the most sensitive data. This type of data classification is often the starting point for many enterprises, followed by additional identification and tagging procedures that label data based on its relevance to the enterprise, quality, and other classifications. The most successful data classification processes employ follow-up processes and frameworks to keep sensitive data where it belongs.

The Data Classification Process

Data classification can be a complex and cumbersome process. Automated systems can help streamline the process, but an enterprise must determine the categories and criteria that will be used to classify data, understand and define its objectives, outline the roles and responsibilities of employees in maintaining proper data classification protocols, and implement security standards that correspond with data categories and tags. When done correctly, this process will provide employees and third parties involved in the storage, transmission, or retrieval of data with an operational framework. Techniques for classifying sensitive data are also covered in our webinar, How Classification Defines Your Data Security Strategy, presented by Garrett Bekker, Senior Analyst, Information Security at 451 Research.

Policies and procedures should be well-defined, considerate of the security requirements and confidentiality of data types, and straightforward enough for employees to interpret, which in turn promotes compliance. For instance, each category should include information about the types of data included in the classification, security considerations with rules for retrieving, transmitting, and storing data, and the potential risks associated with a breach of security policies.

GDPR Data Classification

With the General Data Protection Regulation (GDPR) in effect, data classification is more imperative than ever for companies that store, transfer, or process data pertaining to EU citizens. It is crucial for these companies to classify data so that anything covered by the GDPR is easily identifiable and the appropriate security precautions can be taken.

Additionally, GDPR provides elevated protection for certain categories of personal data. For instance, GDPR explicitly prohibits the processing of data related to racial or ethnic origin, political opinions, and religious or philosophical beliefs. Classifying such data accordingly can significantly reduce the risk of compliance issues.

Steps for Effective Data Classification

  • Understand the Current Setup: Taking a detailed look at the location of current data and all regulations that pertain to your organization is perhaps the best starting point for effectively classifying data. You must know what data you have before you can classify it.
  • Create a Data Classification Policy: Staying compliant with data protection principles in an organization is nearly impossible without a proper policy. Creating a policy should be your top priority.
  • Prioritize and Organize Data: Now that you have a policy and a picture of your current data, it’s time to properly classify the data. Decide on the best way to tag your data based on its sensitivity and privacy.

There are more benefits to data classification than simply making data easier to find. Data classification is necessary to enable modern enterprises to make sense of the vast amounts of data available at any given moment.

Data classification provides a clear picture of all data within an organization’s control and an understanding of where data is stored, how to easily access it, and the best way to protect it from potential security risks. Once implemented, data classification provides an organized framework that facilitates more adequate data protection measures and promotes employee compliance with security policies.

TL;DR: A data classification policy categorizes your company’s information according to the risk its exposure poses to your organization. This article will cover three essential categories you need to include and outline the steps you can take to implement these policies. Effective information classification improves operations, saves money, and prepares you to meet compliance requirements. And it’s just good security hygiene. Want to learn more? Read on.

What Is a Data Classification Policy?

A data classification policy categorizes your company’s information according to the risk its exposure poses to your organization. Through this policy, you will define how company data should be classified based on sensitivity and then create security policies appropriate to each class.

Data classification generally includes three categories: Confidential, Internal, and Public data. Limiting your policy to a few simple types will make it easier to classify all of the information your organization holds so you can focus resources on protecting your most critical information.

Benefits of Data Classification

When thinking about securing your company’s systems and information, it’s easy to approach it from strictly a technical point of view. You might be worried about things like making sure systems are protected with antivirus, that you have an effective firewall protecting your network perimeter, and that your data is backed up.

But you also need to ask what kind of protections you are wrapping around the day-to-day handling of the data itself. How would you know if a piece of information was appropriate only for internal use or acceptable to share on the company’s public website?

A well-thought-out information classification policy can help you answer these questions and more. Notable benefits include:

  • Clarity. Data classification helps teams understand what information exists within the organization, where data is stored, and how to access it. Classification is an essential step when developing the rules, processes, and procedures you will use to protect sensitive information.
  • Compliance. Promote a culture of compliance at your organization with a clear strategy for data governance. Categorizing your data according to sensitivity will help you protect your confidential and classified information. It will also help your organization meet regulatory requirements, avoid penalties, and guard against mistakes that could harm your reputation.
  • Savings. You can use data classification to focus controls on truly critical information—you do not need to treat your catered lunch menu with the same controls as your credit card data. This targeted approach helps you make smarter choices when investing in security controls, which in turn saves you money.

How to Classify Your Data

There are generally three classes of data, determined by sensitivity:

Confidential data

Consider confidential data to be your company’s crown jewels. If it were to get out of your hands, this information could cause severe reputational and financial harm to your organization. Confidential information includes virtually anything that provides your business with a strategic advantage. Companies often use Confidential data as the focal point for building out the rest of their administrative, physical, and technical controls.

Internal data

Internal data is information that would cause moderate risk or harm to the company if it were leaked. This list includes sensitive credentials and other secrets as well as corporate policies and other guidelines.

Public data

Public data is any information included on (or intended for) your corporate website. Essentially, there is no consequence if Public data is leaked because it’s already meant for the public.

Some organizations might create a fourth category called “Restricted” for credit card information, IP, PHI, etc. and apply the “Confidential” label to information that could affect operations (such as vendor contracts and employee reviews).

Regardless of what category scheme you choose, aim to keep it simple to make category decisions as straightforward as possible for your data classification policy. Creating too many options will ultimately frustrate your users and increase the risk of information being labeled inappropriately.

Data Classification Policy Examples

The chart below offers some examples to get you started.

How to Implement a Data Classification Policy

Once the classification scheme is defined, begin applying it to some internal data.

One easy place to start is your company handbook or binder of policies. Edit your guidelines to carry a visible “Internal” label. Continue sifting through other company documentation, and make sure you have labeled some examples of each classification type.

Next, develop a few training modules to help existing employees learn how to classify data and handle each type of data class. Document this training and offer it to your future hires as well.

As you gain momentum in this process, you will likely find some information easy to categorize. Other classification decisions may need to involve other business units such as your legal and security teams.

These questions can help guide the process:

  • Where is this data located?
  • Who is responsible for backing it up and enforcing access permissions?
  • Who can speak to the sensitivity of the data?
  • What department budgets for the expenses associated with collecting, storing, and processing the information?

To make this effort easier for everyone involved, leverage tools to help automate and streamline the classification process. These tools typically analyze and categorize data based on predetermined parameters and quickly process large data sets. You can also add your own rules to classify data based on sensitivity. Start by taking an inventory of your data so you know where it lives and how sensitive it is, and then label it to ensure proper handling.

Once the classification efforts are complete, review them yearly to certify they are still accurate. And remember to update your procedures around handling data sets if you change their classification. A SOC 2 data classification policy is critical as you build proper data security practices.

Don’t let SOC 2 ruin your life! Check out Comply, an open-source repo for resource management and pre-authored policies.

And if you need help managing and tracking access to infrastructure, contact StrongDM for a free, no BS demo today.