Show
Learn about the different types of classification and how to effectively classify your data in Data Protection 101, our series on the fundamentals of data security. Data classification is broadly defined as the process of organizing data by relevant categories so that it may be used and protected more efficiently. On a basic level, the classification process makes data easier to locate and retrieve. Data classification is of particular importance when it comes to risk management, compliance, and data security. Data classification involves tagging data to make it easily searchable and trackable. It also eliminates multiple duplications of data, which can reduce storage and backup costs while speeding up the search process. Though the classification process may sound highly technical, it is a topic that should be understood by your organization’s leadership. Reasons for Data ClassificationData classification has improved significantly over time. Today, the technology is used for a variety of purposes, often in support of data security initiatives. But data may be classified for a number of reasons, including ease of access, maintaining regulatory compliance, and to meet various other business or personal objectives. In some cases, data classification is a regulatory requirement, as data must be searchable and retrievable within specified timeframes. For the purposes of data security, data classification is a useful tactic that facilitates proper security responses based on the type of data being retrieved, transmitted, or copied. Types of Data ClassificationData classification often involves a multitude of tags and labels that define the type of data, its confidentiality, and its integrity. Availability may also be taken into consideration in data classification processes. Data’s level of sensitivity is often classified based on varying levels of importance or confidentiality, which then correlates to the security measures put in place to protect each classification level. There are three main types of data classification that are considered industry standards:
Content-, context-, and user-based approaches can be both right or wrong depending on the business need and data type. Determining Data RiskIn addition to the types of classification, it’s wise for an organization to determine the relative risk associated with the types of data, how that data is handled and where it is stored/sent (endpoints). A common practice is to separate data and systems into three levels of risk
Note: Some also use a more granular scale, adding “severe” risk or other categories to help further differentiate data. Using a Data Classification MatrixCreating and labeling data may be easy for some organizations. If there aren’t a large number of data types or perhaps your business has fewer transactions, determining the risk of data and your systems is likely less difficult. That said, many organizations dealing with high volume or multiple types of data are likely to need a comprehensive way of determining their risk. For this, many use a “data classification matrix.” Creating a matrix rating data and/or systems from how likely they are to be compromised and how sensitive that data is will help you quickly determine how to better classify and protect all things sensitive. An Example of Data ClassificationAn organization may classify data as Restricted, Private or Public. In this instance, public data represents the least-sensitive data with the lowest security requirements, while restricted data is in the highest security classification and represents the most sensitive data. This type of data classification is often the starting point for many enterprises, followed by additional identification and tagging procedures that label data based on its relevance to the enterprise, quality, and other classifications. The most successful data classification processes employ follow-up processes and frameworks to keep sensitive data where it belongs. The Data Classification ProcessData classification can be a complex and cumbersome process. Automated systems can help streamline the process, but an enterprise must determine the categories and criteria that will be used to classify data, understand and define its objectives, outline the roles and responsibilities of employees in maintaining proper data classification protocols, and implement security standards that correspond with data categories and tags. When done correctly, this process will provide employees and third parties involved in the storage, transmission, or retrieval of data with an operational framework. The video clip below gives techniques for classifying sensitive data and is from our webinar, How Classification Defines Your Data Security Strategy, which is presented by Garrett Bekker, Senior Analyst, Information Security at 451 Research. You can watch the full webinar here. Policies and procedures should be well-defined, considerate of the security requirements and confidentiality of data types, and straightforward enough that they are easy for employees promoting compliance to interpret. For instance, each category should include information about the types of data included in the classification, security considerations with rules for retrieving, transmitting, and storing data, and potential risks associated with a breach of security policies. GDPR Data ClassificationWith the General Data Protection Regulation (GDPR) in effect, data classification is more imperative than ever for companies that store, transfer, or process data pertaining to EU citizens. It is crucial for these companies to classify data so that anything covered by the GDPR is easily identifiable and the appropriate security precautions can be taken. Additionally, GDPR provides elevated protection for certain categories of personal data. For instance, GDPR explicitly prohibits the processing of data related to racial or ethnic origin, political opinions, and religious or philosophical beliefs. Classifying such data accordingly can significantly reduce the risk of compliance issues. Steps for Effective Data Classification
There are more benefits to data classification than simply making data easier to find. Data classification is necessary to enable modern enterprises to make sense of the vast amounts of data available at any given moment. Data classification provides a clear picture of all data within an organization’s control and an understanding of where data is stored, how to easily access it, and the best way to protect it from potential security risks. Once implemented, data classification provides an organized framework that facilitates more adequate data protection measures and promotes employee compliance with security policies. Additional Data Classification Resources
Data classification is a vital component of any information security and compliance program, especially if your organization stores large volumes of data. It provides a solid foundation for your data security strategy by helping you understand where you store sensitive and regulated data, both on premises and in the cloud. Moreover, data classification improves user productivity and decision-making, and reduces storage and maintenance costs by enabling you to eliminate unneeded data. In this article you will learn what benefits data classification offers, how to implement it and how to choose the right software solution. Key Data Classification Terms and DefinitionsData classification is the process of organizing structured and unstructured data into defined categories that represent different types of data. Standard classifications used in data categorization include:
Sensitive data is a general term representing data restricted to use by specific people or groups. Sensitive and confidential data are often used interchangeably. Examples of sensitive data include intellectual property and trade secrets. Data reclassification is re-categorization of data to apply appropriate updates, for example, based on changes to legal or contractual obligations, data usage or value, or new or revised regulatory mandates. Data tagging or labeling adds metadata to files indicating the classification results. Purpose of Data ClassificationData classification helps you understand what types of data you store and where that data is located. This intelligence:
Benefits of Data ClassificationMore broadly, data classification helps organizations improve data security and ensure regulatory compliance. Data SecurityClassification is an effective way to protect your valuable data. By identifying the types of data you store and pinpointing where sensitive data resides, you are well positioned to:
Regulatory ComplianceCompliance regulations require organizations to protect specific data, such as cardholder information (PCI DSS) or the personal data of EU residents (GDPR). Data classification enables you to identify the data subject to particular regulations so you can apply the required controls and pass audits. Here’s how data classification can help you meet common compliance standards:
Types of Data Classification
Examples of Data Classification CategoriesExample of a Basic Classification SchemeThe simplest scheme is three-level classification:
Example of a Government Classification SchemeGovernment agencies often use three levels of sensitivity but give them different labels than listed above: top secret, secret and public. For more complex data structures, more levels may be added. Here is a five-level strategy with examples:
Example of Commercial ClassificationTypically, organizations that store and process commercial data use four levels to classify data: three confidential levels and one public level. Some expand that to a five-level system with the following levels:
Data Classification ProcessEffective Information Classification in Five Steps
Building an Effective Data Classification PolicyA data classification policy is a document that includes a classification framework, a list of responsibilities for identifying sensitive data, and descriptions of the various data classification levels. A good classification policy:
How to Select a Data Classification SolutionLook for these features:
FAQWhat is the purpose of data classification? Data classification sorts data into categories based on its value and sensitivity. Why is data classification important? What benefits does it offer? Data classification helps you prioritize your data protection efforts to improve data security and regulatory compliance. It also improves user productivity and decision-making, and reduces costs by enabling you to eliminate unneeded data. What are common data classification levels? Data is often classified as public, confidential, sensitive or personal. What are the data classification types? Classification can be content-based, context-based or user-based (manual). What software should I use for data classification? Look for data classification software, like that offered by Netwrix, which:
Who is responsible for data classification in an organization? Organizations typically designate a Security and Risk Manager, a Data Protection Manager, Compliance Committee or a similar entity. |