Data Classification - the Gain without the Pain
What is Data Classification?
Data Classification is the process of categorising data, usually based on its sensitivity. The category, or classification level, determines the controls that should be in place for data that is assigned to it.
The controls defined may include:
- access entitlements
- information marking requirements
- storage requirements
- printing requirements
- copying requirements
- distribution requirements, and
- disposal requirements
Most data classification schemes have between three and five levels of classification.
Why do Data Classification?
Organisations choose to classify data for a variety of reasons.
‘Carrot’ Reasons
- to help identify which information is the most sensitive or vital to an organisation
- to help identify which protections should apply to which information
- to help ensure that only authorised people can access information
- to ensure that information is treated consistently throughout the organisation
- to provide guidance to system architects and designers, and
- to save on resources
‘Stick’ Reasons
- to comply with legislation, and
- to comply with regulations
Why does Data Classification fail?
Many organisations implement Data Classification, only to find it ineffectual and overburdensome.
The primary reason Data Classification fails is that the organisation has not properly defined its requirements. This tends to result in over-engineered classification schemes and a process-heavy approach that is unmanageable.
Another common issue is a lack of user education. You can have the most appropriate and well thought out data classification scheme, but if your users don’t know how to apply it correctly it is just another policy paperweight!
What are other organisations doing?
Many businesses and government departments use data classification schemes.
Australian Government
The Australian Government classifies information and people. For a person to access a piece of classified information, they must meet two conditions:
- they must have security clearance to the same level – or higher – as the information, and
- they must have a ‘need to know’
The Australian non-national security scheme has four levels:
- Unclassified
- In-Confidence
- Protected
- Highly Protected
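The two-condition access rule above (clearance at the same level or higher, plus a need to know) is easy to get subtly wrong in practice, so here is an added worked example of it in Python. This is illustration code written for this page, not an Australian Government system; the four-level ordering comes from the scheme listed above, while the Level/Document/Person names, the modelling of "need to know" as a set of compartments a person has been read into, the aggregate_level helper and all sample people and documents are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable, Tuple


class Level(IntEnum):
    """The four non-national security levels, ordered by sensitivity."""
    UNCLASSIFIED = 0
    IN_CONFIDENCE = 1
    PROTECTED = 2
    HIGHLY_PROTECTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    # Hypothetical 'need to know' model: the projects or matters the document
    # concerns. A person must hold every one of them to read it.
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Person:
    name: str
    clearance: Level
    # Projects or matters this person has been read into (constructed).
    compartments: FrozenSet[str] = frozenset()


def can_access(person: Person, doc: Document) -> Tuple[bool, str]:
    """Apply both conditions: clearance at or above the level, and a need to know."""
    # Condition 1: clearance must be the same level or higher ("no read up").
    if person.clearance < doc.level:
        return False, (f"{person.name}: clearance {person.clearance.name} "
                       f"is below {doc.level.name}")
    # Condition 2: a need to know. Unclassified documents carry no compartments,
    # so this check passes for them automatically; clearance alone never suffices
    # for a compartmented document.
    missing = doc.compartments - person.compartments
    if missing:
        return False, f"{person.name}: no need to know for {', '.join(sorted(missing))}"
    return True, f"{person.name}: access permitted"


def aggregate_level(docs: Iterable[Document]) -> Document:
    """A bundle of documents takes the highest level and the union of compartments.

    Useful when deciding how a compiled report or archive of several items is handled:
    the bundle is never less sensitive than its most sensitive part.
    """
    docs = list(docs)
    level = max((d.level for d in docs), default=Level.UNCLASSIFIED)
    comps = frozenset().union(*(d.compartments for d in docs))
    return Document("bundle", level, comps)


# Constructed sample data.
ALICE = Person("alice", Level.PROTECTED, frozenset({"project-a"}))
NEWS = Document("staff-newsletter", Level.UNCLASSIFIED)
BUDGET = Document("project-a-budget", Level.PROTECTED, frozenset({"project-a"}))
PLAN = Document("project-a-plan", Level.HIGHLY_PROTECTED, frozenset({"project-a"}))
HR_FILE = Document("project-b-hr", Level.PROTECTED, frozenset({"project-b"}))

if __name__ == "__main__":
    for doc in (NEWS, BUDGET, PLAN, HR_FILE):
        ok, why = can_access(ALICE, doc)
        print(f"{doc.name:18} {'ALLOW' if ok else 'DENY '} ({why})")
```

Running the block shows alice allowed the newsletter and the project-a budget, denied the project-a plan (clearance too low) and denied the project-b file (cleared to the right level, but no need to know). The reason string is returned rather than just a boolean so that a denial can be logged and reviewed.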
Private sector organisations
Many private sector organisations classify information but not people. A typical data classification scheme consists of three levels:
- Public – this information is not sensitive, and can be viewed by all staff members and the public.
- Restricted – this is corporate information with a medium level of sensitivity. This information does not need to be encrypted, but must be protected using formal access controls.
- Confidential – this information is highly sensitive and must only be viewed by employees with a need to know and appropriate approvals. This information must be encrypted, and protected using formal access controls.
Other organisations use different category names with similar category requirements, for example:
- Public Use
- Internal Use Only
- Company Confidential
Some companies have more levels in their classification scheme:
- Unclassified – publicly available information
- Company in Confidence – sensitive information, requiring formal access controls
- Company Confidential – very sensitive information, requiring encryption and formal access controls
- Company Secret – highly sensitive information, accessible only by senior executives with a need to know.
Getting Data Classification right
By taking a structured approach and following a few simple steps you can successfully implement Data Classification within your organisation.
Understand your requirements
Engage your stakeholders, and identify their requirements, up front. You should be talking to your senior managers, information security, HR, legal and IT.
If you are not clear about why you are classifying data, you run the risk of going into more detail than necessary, spending a disproportionate amount of money, and ending up with unhappy stakeholders.
Define your classification scheme
When defining your classification scheme, the primary thing to bear in mind is to keep it simple!
Some things to consider when defining the classification scheme:
- The value of the information – what is it worth to the organisation? What would it be worth to a competitor? What legislation is it covered under? What is the cost to your organisation if the information becomes public?
- The purpose of the information – is it required for use in different applications throughout the organisation? Or is it only required for a single, discrete purpose? Does it need to be quarantined in some way so that any changes are tracked and controlled?
- The age of the information – some information might lose its sensitivity over time, and be declassified or reclassified after a given period of time
- The useful life of the information – the information might become obsolete due to new information coming to light, or for other reasons.
For each classification level, define:
- The data that belongs in that level
- The rules for access to the data:
- who should have what types of access (read, write, create, update, the right to delegate access)
- how to provide access, how to remove access, and
- who can approve changes to access entitlements
- How data can be identified as belonging to that level (data labelling)
- How data should be stored
- Any restrictions on how data can be printed
- Any restrictions on how data can be copied
- How data can be distributed, and
- How data should be disposed of.
You will need to write procedures describing some of these activities.
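Once each level's handling rules are written down, as the list above asks, they can be checked mechanically against a data inventory. The following added example (written for this page, not any organisation's tooling) encodes the three-level Public / Restricted / Confidential scheme described earlier and audits a constructed inventory for assets that are unlabelled, stored without the required encryption or access controls, or readable by people without an approved need to know. The Asset record, the REQUIRES table, the audit functions and all sample assets are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Required handling controls per level, taken from the three-level scheme
# (Public / Restricted / Confidential) described earlier on this page.
REQUIRES: Dict[str, Dict[str, bool]] = {
    "Public":       {"access_control": False, "encryption": False, "need_to_know": False},
    "Restricted":   {"access_control": True,  "encryption": False, "need_to_know": False},
    "Confidential": {"access_control": True,  "encryption": True,  "need_to_know": True},
}


@dataclass
class Asset:
    """One entry in a constructed data inventory."""
    name: str
    owner: str                           # the data owner responsible for the asset
    label: Optional[str]                 # classification label; None means unlabelled
    encrypted: bool = False              # encrypted at rest
    access_controlled: bool = False      # formal access control (ACL, group membership) in place
    readers: Set[str] = field(default_factory=set)       # everyone who can currently read it
    need_to_know: Set[str] = field(default_factory=set)  # readers approved as having a need to know


def audit_asset(asset: Asset) -> List[str]:
    """Return the handling-rule violations for one asset (empty list when compliant)."""
    if asset.label is None:
        return ["unlabelled: handling rules cannot be determined"]
    req = REQUIRES.get(asset.label)
    if req is None:
        return [f"unknown label {asset.label!r}"]
    findings: List[str] = []
    if req["access_control"] and not asset.access_controlled:
        findings.append(f"{asset.label} data must be protected by formal access controls")
    if req["encryption"] and not asset.encrypted:
        findings.append(f"{asset.label} data must be encrypted")
    if req["need_to_know"]:
        # Anyone who can read the asset but has not been approved is a finding.
        extra = sorted(asset.readers - asset.need_to_know)
        if extra:
            findings.append("readers without an approved need to know: " + ", ".join(extra))
    return findings


def audit_inventory(assets: List[Asset]) -> Dict[str, List[str]]:
    """Map each non-compliant asset's name to its findings."""
    report: Dict[str, List[str]] = {}
    for asset in assets:
        findings = audit_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Asset("press-release", "comms", "Public"),
    Asset("org-chart", "hr", "Restricted"),                       # Restricted, but no ACL
    Asset("payroll", "hr", "Confidential", encrypted=False, access_controlled=True,
          readers={"hr-lead", "intern"}, need_to_know={"hr-lead"}),  # unencrypted, over-shared
    Asset("draft-notes", "eng", None),                            # never labelled
    Asset("board-minutes", "legal", "Confidential", encrypted=True, access_controlled=True,
          readers={"ceo", "chair"}, need_to_know={"ceo", "chair"}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The unlabelled asset is reported as a finding in its own right: without a label the scheme cannot say what controls apply, which is exactly the data-labelling gap the list above asks you to close. Keeping the rules in a table rather than in scattered if-statements means adding a fourth level is a one-line change.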
Identify and classify data
Define which data is included in scope, and the rules for how to determine whether something is in or out of scope. This will enable consistent classification when new data comes into play.
Identify the in-scope data that exists within the organisation.
For each piece of data:
- Identify the data owner – this person is responsible for the information asset.
- Classify the data – talk to the data owner about which classification level they think the data should belong to – bearing in mind the tendency for people to think that the data in their care is of the highest importance. You will need to balance that with the organisation-wide view, and the overhead imposed, for each classification level.
- Define when the data classification should be revisited – this may be open-ended (i.e. never revisited), or may be set for a time when the data is expected to have lost much of its sensitivity.
Spreading the word
You now have a suite of new policies and procedures that your staff need to know about. Define an education strategy, addressing:
- who needs to know about your new data classification scheme
- how often staff should be reminded of the scheme and how it works
- who needs training in each of the new procedures
- how staff should apply the classification scheme (give staff examples that are relevant to their daily work)
- what education channels should be utilised to get the message out (consider online training, face-to-face training, and links to policies and procedures on your company intranet)
- where employees can go to find out what the classification rules are and who in the organisation is available to provide advice on these rules, whenever required.
Congratulations! Your organisation can now reap the benefits of having data classified in a manner that suits its purpose and protects your organisation.