Classifying data is an essential component of corporate cybersecurity and compliance. Knowing the difference between a highly sensitive document that contains customer financial information and a less sensitive document that merely lists product offerings can make a big difference in how a company applies security and data organization.
While improving data risk mitigation is one of the most important reasons for classification, other benefits include improved governance and compliance, increased operational efficiency, and better analytics capabilities.
Yet despite these benefits, more than half of all data within a typical organization goes unclassified or untagged, according to recent research.
Fixing that issue starts with developing a data classification plan, a document that includes a data classification framework, a list of responsibilities for identifying data, and descriptions of the various classification levels.
The process is not complex, consisting of three basic steps. But it does require understanding all the data within a company and how it is created, as well as working with senior leadership and key stakeholders throughout the company. For the data discovery portion, solutions such as Qohash’s Qostodian can help.
Step 1: Define Classification Objectives
The first step is establishing the reasons for classifying a company’s data. Will classification be used solely for risk mitigation, or will it encompass other use cases such as compliance and improving operational efficiency?
From these objectives will flow additional considerations such as defining the specific regulations that apply to the company, and the classification needs for analytics or operational efficiencies.
In terms of risk mitigation, most security teams start from the same three security objectives. The U.S. National Institute of Standards and Technology (NIST) defines them in FIPS 199, and they make a good starting point for establishing the security objectives a classification scheme has to serve.
The three security objectives defined by FIPS 199 are:
1. Confidentiality. Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
2. Integrity. Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
3. Availability. Ensuring timely and reliable access to and use of information.
Source: Federal Information Processing Standards (FIPS) Publication 199, National Institute of Standards and Technology (NIST).
Step 2: Categorize Data Types
Once objectives have been defined, the second step is determining what kinds of data exist and will be created within the business, as well as where the data for each type is typically located.
Each type of data should be defined and categorized so classification can be applied in the next step.
One common data type is personally identifiable information (PII). A business might define the PII data type category as follows, for example:
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:
• Social security number
• State-issued driver’s license number
• State-issued identification card number
• Financial account number in combination with a security code, access code or password that would permit access to the account
As part of this process, businesses also should define which data is public, which is proprietary, and which data is regulated, along with where the data typically lives. Does the data live in a database on a company server, in a spreadsheet on a public cloud service such as Dropbox, in email, etc.?
Step 3: Define Classification Levels
With both objectives and data types now defined, the final step in creating a data classification plan is specifying the classification schema that the business will use, and which data type categories will map to each classification.
For data sensitivity classification, there are many ways that organizations can define levels of sensitivity. The U.S. government's national security classification system, for instance, uses three levels (Confidential, Secret, and Top Secret), and handles further categories such as Controlled Unclassified Information and the Atomic Energy Act's Restricted Data under separate marking regimes.
Each organization will want to develop a classification scheme that best meets its needs, but generally most corporate data classification schemes include a minimum four high-level sensitivity categories:
1. Restricted. The highest level of sensitive data. This includes the data that, if compromised, could put a firm at risk for financial, legal, regulatory or reputational damage.
2. Confidential. Exposure would create moderate risk to the organization or one of its employees. Unauthorized access would bring consequences greater than short-term embarrassment, and could have a negative impact on company operations or long-term reputation.
3. Internal. Data that is not meant for the public, but has a relatively low impact if exposed. The company wouldn't want this data leaked, and it might cause some short-term embarrassment or reputational damage. But access to this data wouldn't have regulatory or significant lasting repercussions.
4. Public. Data that anyone can see, and is not of a personal nature. Exposure of this data would result in little or no risk, so it doesn't need encryption or other confidentiality controls. It still needs integrity and availability protection, though: a tampered public price list or a defaced public web page is damaging even when disclosure is not.
While these four basic classifications have been in use for decades, privacy regulations and more advanced data management systems have led many organizations to adopt three additional sub-layers. These include:
• Data Processing layer (consent). Many data privacy regulations now require an individual’s consent for how their private data can be used by an organization.
• Purpose layer (access). Some privacy regulations, most notably Europe’s GDPR, require organizations to specify the purpose for which specific data was collected.
• Privacy layer (compliance). Some privacy regulations, including California’s CCPA, make additional demands on organizations that keep an individual’s data. To ensure compliance, organizations therefore often add a specific and advanced set of data classifications around privacy.
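The three steps above come together as a rule set: data type definitions (Step 2) and classification levels (Step 3) that a discovery scan applies to each record it finds. The following Python program is an added example of that rule set, not code from the original post and not Qohash's product code. It implements the breach-notification PII definition quoted in Step 2 (name plus one or more listed data elements, with a financial account number counting only when paired with an access code) and maps records onto the four-level scheme from Step 3. The regular expressions, the `published` and `proprietary` record tags, and the sample records are all assumptions constructed for the example; the patterns are illustrative detectors, not validated identifier formats.

```python
"""Added example: a rule-based classifier for the PII definition and four-level
sensitivity scheme described in the post. Regexes, record tags and sample
records are assumptions, not the page's or any vendor's code."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Detectors for the data elements listed in the breach-notification PII definition.
# Illustrative patterns only; real scanners use validated formats per jurisdiction.
ELEMENT_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "driver_license": re.compile(
        r"\b(?:DL|driver'?s?\s+licen[cs]e)\s*[:#]?\s*[A-Z]?\d{7,8}\b", re.I),
    "state_id": re.compile(r"\b(?:state id|id card)\s*[:#]?\s*\d{6,9}\b", re.I),
    "account_number": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|#|number)?\s*:?\s*\d{8,17}\b", re.I),
    "access_code": re.compile(
        r"\b(?:pin|password|passcode|security code|access code)\s*[:#]?\s*\S+", re.I),
}
# "First name or first initial and last name" (assumed Latin-script capitalisation).
NAME_PATTERN = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.?) [A-Z][a-z]+\b")

LEVELS = ("Public", "Internal", "Confidential", "Restricted")


@dataclass(frozen=True)
class Record:
    text: str
    published: bool = False    # assumed tag: intentionally released outside the company
    proprietary: bool = False  # assumed tag: owner marked it as trade secret / business-sensitive


def find_elements(text: str) -> set[str]:
    """Return the names of every data element pattern found in the text."""
    return {name for name, pat in ELEMENT_PATTERNS.items() if pat.search(text)}


def is_breach_pii(text: str) -> bool:
    """Apply the combinational definition: a name plus at least one qualifying element."""
    if NAME_PATTERN.search(text) is None:
        return False
    elems = find_elements(text)
    if elems & {"ssn", "driver_license", "state_id"}:
        return True
    # An account number qualifies only together with a code that would permit access.
    return {"account_number", "access_code"} <= elems


def classify(record: Record) -> str:
    """Map a record onto the four sensitivity levels, highest applicable level wins."""
    if is_breach_pii(record.text):
        return "Restricted"            # regulated personal data
    if record.proprietary:
        return "Confidential"
    # Only data that was deliberately published and carries no sensitive element is Public.
    if record.published and not find_elements(record.text):
        return "Public"
    return "Internal"                  # default: never assume unclassified data is public


def summarize(records: list[Record]) -> dict[str, int]:
    """Count records per level, listing every level so the report is stable."""
    counts = Counter(classify(r) for r in records)
    return {level: counts.get(level, 0) for level in LEVELS}


# Constructed sample records standing in for what a discovery scan would find.
SAMPLE_RECORDS = [
    Record("Customer: Jane Doe, SSN 123-45-6789, plan renewal"),
    Record("Account 12345678 for J. Smith, PIN: 4321"),
    Record("Account 12345678 for J. Smith"),             # account number alone: not breach PII
    Record("SSN 123-45-6789 (owner unknown)"),           # element without a name: not breach PII
    Record("Q3 product catalog: Widget Pro, Widget Lite", published=True),
    Record("Roadmap draft: Widget 2 launch", proprietary=True),
    Record("License on file for Ana Lopez: DL B1234567"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{classify(rec):<12} {rec.text}")
    print(summarize(SAMPLE_RECORDS))
```

Two design choices matter more than the regexes. The account-number rule is deliberately conjunctive, because the quoted definition only treats an account number as PII when it is paired with a code that permits access; a scanner that flags every long digit string as Restricted buries the real findings. And the fallback level is Internal rather than Public, so anything discovery finds that no rule matches is protected until someone classifies it, which addresses the unclassified-data problem the post opens with.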
Once a data classification plan is in place, the next step is implementing it through data discovery and automated classification. For more on that part of the process, see our blog post, 5 Steps to Implement Data Sensitivity Classification.