Classify Your Data. The Why's and How's
What is Data Classification
Cyber security attempts to reduce risk posed to the company by bad actors manipulating company data to their advantage at the expense of the company.
Data classification divides the company's data into classes according to predefined criteria. Each element containing (e.g. hard drives, printed paper), processing (e.g. servers, processing applications) or transferring (e.g. cables, switches) data is also classified according to the data it serves.
Data classification is mandated by almost every regulation and information security standard. Many critical cyber security tasks, such as permission granting, cannot be done properly without data classification.
Why Classify Data
1. Allocate Security Resources
When planning security measures, whether physical, procedural or logical, all organizations work within a budget. Classifying data allows efficient security resource allocation.
It seems obvious that a company should allocate more resources to protect against greater risk. The first step to protecting high-risk data is to identify, map and tag that data accordingly.
2. Common Language & Use-Etiquette
When classifying data, the company creates risk-associated classes of data. When communicated to employees, this creates a common language for employees across different sections and departments to better handle and protect the company's sensitive data.
Properly trained employees classify documents they create and are more selective in the data they use in composing the document. They are also more aware of the risk facing the company and will make a greater effort to protect highly classified information.
3. Grant Access to Authorized Personnel Only
One of the more basic but essential ways to protect data is to allow access to authorized personnel only. By classifying data and giving only relevant personnel clearance for that certain classification, we can significantly cut down on the number of individuals accessing that data and by doing so, decrease risk.
4. Best Practices
Classifying data means that you can group data similar in nature. In classifying data, many companies find out that part of their data is kept for archive purposes, for instance. This may lead to storing that data in safe archive storage, freeing up fast storage space and increasing backup and DR efficiency, along with many other IT-related benefits.
5. Preventing Data Leakage
Tagging high-risk data can alert security gatekeepers to attempts to access and communicate restricted data. Data Leakage Prevention (DLP) solutions rely on data classification to determine which types of data may be printed, accessed, or emailed within or outside the company network, etc.
How to Classify Data
In general, classification is done according to the severity of the damage that manipulation of the data may cause the company. A health care facility should classify sensitive personal patient information according to the risk it faces from bad actors changing dosage data, exposing sensitive patient data, etc.
Data classification should be based on a solid risk model that targets risk criteria such as Confidentiality-Integrity-Availability, while taking into account the major risk factors facing the company regarding its data.
Even though there are many methods for classifying data, there are two key issues to take into consideration when devising a classification system for a company:
1. Keep It Simple: Complexity is the enemy of security. Having a complex, multi-class hard-to-train and harder-to-implement classification system means no one will use it. A simple classification system is easy to communicate, train and use.
2. Risk-Specific: Data classification should reflect the risk facing the company and the measures that should be used to protect it. For instance, tagging data as 'Restricted' indicates that it should be restricted from access by unauthorized personnel. On the other hand, tagging data as 'Classified' says very little about how an employee working with the data should protect it.
If certain data is considered to pose high risk to the company if manipulated by bad actors, the equipment processing and transferring that data should be classified accordingly: the switch that transfers the data, the printer that prints it, the server that processes it, the disk that stores it, etc. This leads to efficient security resource allocation.
Elements associated with several classifications of data should be classified at the most restrictive classification of relevant data.
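The rule above, worked through as an added example that is not part of the original article: each element inherits the most restrictive class of the data it stores, processes or transfers, and a person's clearance must cover that class. It uses the three labels the article names ("Public", "Restricted", "Secret"); the inventory, the element names, treating unlabelled data as Secret and treating an element that serves no data as Public are all assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # The article's three labels, ordered least to most restrictive.
    PUBLIC = 0
    RESTRICTED = 1
    SECRET = 2

# Constructed sample inventory: the class assigned to each data set.
DATA_CLASSES = {
    "press-releases": Level.PUBLIC,
    "payroll": Level.RESTRICTED,
    "patient-dosage": Level.SECRET,
}

# Constructed sample mapping: data sets each element stores, processes
# or transfers. "unlabelled-export" is deliberately missing a class.
ELEMENT_DATA = {
    "web-server": ["press-releases"],
    "hr-file-share": ["payroll", "press-releases"],
    "core-switch": ["press-releases", "payroll", "patient-dosage"],
    "lobby-printer": [],
    "lab-disk": ["patient-dosage", "unlabelled-export"],
}

def classify_elements(element_data, data_classes, default=Level.SECRET):
    """Give each element the most restrictive class of the data it serves.

    Assumption: data with no recorded class is treated as `default`
    (fail closed) and reported so the inventory gap can be fixed.
    """
    result, unclassified = {}, {}
    for element, datasets in element_data.items():
        missing = [d for d in datasets if d not in data_classes]
        levels = [data_classes.get(d, default) for d in datasets]
        # Assumption: an element serving no data inherits nothing (Public).
        result[element] = max(levels, default=Level.PUBLIC)
        if missing:
            unclassified[element] = missing
    return result, unclassified

def may_access(clearance, element, element_classes):
    """Allow access only when the clearance covers the element's class."""
    return clearance >= element_classes[element]

ELEMENT_CLASSES, UNCLASSIFIED = classify_elements(ELEMENT_DATA, DATA_CLASSES)
```

In this sample the shared core switch ends up Secret even though most of its traffic is Public, which is the resource-allocation consequence the rule is meant to surface.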
Simple & Effective
Maya Security recognizes the undertaking involved in mapping and classifying the entire company data infrastructure, which is why we use a simple, relevant risk scale for classification.
Balance sheets are usually very sensitive for most companies. For traded companies, balance sheets are public domain after they're reported. This is why Maya Security tailors the classification system to the company risks and processes.
Usually data will be classified as either "Public", "Restricted" or "Secret", alerting employees and systems to handle and protect that data accordingly.