Data Classification Policies - Part 2: Categories of Data
Data classification policies define the categories for data in terms of level of sensitivity, confidentiality, accessibility, and integrity (i.e., how unique and valuable the data is to the organization).
Classification schemes are not standardized but usually involve at least three broad types of data:
Data that is given the classification of public suggests that this data may be freely distributed without restriction. Even so, organizations still have a responsibility to maintain the accessibility and integrity of their public data. Company press releases, for example, are usually classified as public. However, organizations still have a responsibility to ensure that press releases are easily and reliably accessible by their intended audiences and that public data is stored and transmitted using systems that ensure the data’s integrity. For example, a press release shouldn’t be stored in a shared folder that can be modified by every employee in an organization.
Sensitive data, sometimes called “internal” or “need-to-know,” typically includes data and information that are essential for day-to-day operations, but for which the unauthorized release or modification would not cause irreparable harm to an organization. Internal memos, working documents, and most email communications are typically classified as sensitive.
In order to simplify policy compliance and ease-of-use, many organizations classify the day-to-day outputs of their enterprise resource planning (ERP) systems (such as SAP, Workday, PeopleSoft, and other finance and HR systems) as sensitive. Outputs from these systems, including dashboards, reports, and spreadsheets, usually don’t include personally-identifiable information, account numbers, or social security numbers -- instead, they include aggregated and summarized data.
Other examples of sensitive data and information include sales projections, department-level strategic plans, or departmental budgets. All of these examples are important for organizations to conduct day-to-day operations, yet if a particular report, memo, or spreadsheet were to become publicly-accessible, or the files were deleted accidentally, the organization could quickly recover without significant expense or difficulty.
Confidential data, sometimes referred to as “protected” or “classified,” is data that must be tightly monitored and controlled. This protection may be due to strategic, intellectual property, or trade secret concerns -- for instance, audit reports, organizational strategic plans, research and development strategies, or risk assessments may all be considered confidential. Other examples could include competitive intelligence, information security penetration test reports, or an HR skills/gap analysis -- any and every bit of data, information, and explicit knowledge that could be used by another organization or individual for competitive gain, for strategic advantage, or to target vulnerabilities.
Compliance with government regulations, industry standards, and contractual obligations will also affect data classification. For instance, Payment Card Industry Data Security Standards (PCI-DSS) are designed to regulate how organizations handle credit card transactions, and the Health Insurance Portability and Accountability Act (HIPAA) was designed to protect individuals’ privacy and the security of healthcare records in the United States. PCI-DSS standards and HIPAA both require certain types of personally-identifiable information and account details to be classified as confidential. These are just two examples of compliance and regulatory concerns organizations face; the healthcare, insurance, financial, and telecommunication industries all have additional regulatory requirements that should be considered.
Business partners and clients, through terms outlined in their contracts with the organization, may specify that certain elements of contracted work be treated as confidential as well.
In all of these cases, the responsibility for identifying and controlling confidential data falls to data owners who may delegate certain responsibilities to a data steward or a data guardian.
Authorizing Sharing: Procedures for Sharing Confidential Data
A good data classification policy will stipulate that the sharing of confidential data with individuals outside of the organization must be expressly authorized in writing by the data owner. In most cases, this extends to internal sharing as well -- it is good practice to require authorization in writing for confidential data to be shared with staff outside of a particular department or work group. Confidential data should be shared based on the principles of least-privilege -- only those with a business need should be granted access to confidential data.
Since data guardians -- such as system or database administrators -- are usually the first people to be approached with requests for access to data, it is critical that procedures are established and followed so that data owners are not bypassed in the approval process and data guardians’ roles are clearly identified.
In Part Three, we'll consider the protections which are appropriate for each class of data.