We're interested in implementing a data-classification program to lower our compliance costs. We'd like to establish
different sets of controls for different data types. However, we're struggling to define our data-classification levels. How do you recommend structuring the data-classification scheme for a Fortune-500-type company?
In my experience, the most critical factor to the success of an information classification program is simplicity. If your program is difficult to understand or the categories are ill-defined, people simply won't use it. The bookshelves of security professionals around the world are littered with binders containing information classification plans that never saw practical implementation.
An approach that I've seen used many times follows a four-tier classification model that limits the very highest category to a small number of easily recognizable data elements. Here's a rough outline:
- Highly sensitive data is information requiring an extremely high level of oversight and control due to potential reputational, financial or operational impact if improperly disclosed. This should be limited to a clear list of carefully enumerated elements, such as Social Security numbers, credit card numbers and drivers' license numbers.
- Sensitive data is information intended for limited use that, if improperly disclosed, could have a serious adverse effect on the organization. This is the "you know it when you see it" category that contains information the organization considers confidential but does not meet the "highly sensitive" bar. For example, this might include plans for the development of new products that have not yet been publicly released.
- Public data, as the name implies, is information that may be freely released to the public without concern for confidentiality. This category includes information that you would publish on your website or hand out at a trade show, such as product brochures, public price lists and basic contact information for your firm.
- Internal data includes everything else. It's information that you wouldn't freely publish on the Internet, but wouldn't really damage the company if it were accidentally released, such as your internal telephone directory or the ordering list for your supply room.
Once you define your data-classification scheme, you need to appropriately classify all of your organization's data, and then develop and implement the security standards that specify appropriate handling practices for each category.
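As an added illustration (not part of the expert's answer above), the four tiers can be encoded so that the enumerated "highly sensitive" elements are detected automatically, while the judgment-based tiers come from the data owner's declaration and the highest applicable tier always wins. The tier names follow the answer; the handling-control lists, the Social Security number and payment card patterns, and the sample records are constructed for this example, and the Luhn checksum is the standard check used on payment card numbers.

```python
import re
from enum import IntEnum


class Tier(IntEnum):
    """Four-tier scheme from the answer; higher value means stricter handling."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3


# Handling standards per tier (hypothetical policy constructed for this example).
CONTROLS = {
    Tier.PUBLIC: ["no confidentiality controls"],
    Tier.INTERNAL: ["authenticated access only"],
    Tier.SENSITIVE: ["authenticated access only", "need-to-know ACL", "encrypt at rest"],
    Tier.HIGHLY_SENSITIVE: ["authenticated access only", "need-to-know ACL", "encrypt at rest",
                            "encrypt in transit", "access logging", "masked display"],
}

# Enumerated highly-sensitive elements (assumed patterns for this example).
# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_highly_sensitive(text: str) -> list:
    """Return the names of enumerated highly-sensitive elements found in text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("payment_card")
            break
    return hits


def classify(text: str, declared=None):
    """Highest applicable tier wins; 'internal' is the default for everything else."""
    hits = find_highly_sensitive(text)
    if hits:
        return Tier.HIGHLY_SENSITIVE, hits
    if declared is not None:
        return declared, ["declared by data owner"]
    return Tier.INTERNAL, ["default: everything else is internal"]


def classify_records(records):
    """Map each record id to its tier, the reasons, and the required handling controls."""
    result = {}
    for r in records:
        tier, reasons = classify(r["text"], r.get("declared"))
        result[r["id"]] = {"tier": tier, "reasons": reasons, "controls": CONTROLS[tier]}
    return result


# Constructed sample records; the card number is a well-known test number, not a real account.
SAMPLE_RECORDS = [
    {"id": "r1", "text": "Q3 product brochure: see our public price list at example.com", "declared": Tier.PUBLIC},
    {"id": "r2", "text": "Internal phone directory, ext. 4410 for facilities", "declared": None},
    {"id": "r3", "text": "Project Falcon launch plan, do not share outside the team", "declared": Tier.SENSITIVE},
    {"id": "r4", "text": "Refund for card 4111 1111 1111 1111, customer SSN 123-45-6789", "declared": None},
    # Owner declared this public, but it contains a card number: highest tier wins.
    {"id": "r5", "text": "Brochure draft, contact 4111 1111 1111 1111 for pricing", "declared": Tier.PUBLIC},
]

if __name__ == "__main__":
    for rid, info in classify_records(SAMPLE_RECORDS).items():
        print(rid, info["tier"].name, info["reasons"], info["controls"])
```

Only the highest tier is detectable by rule, which is exactly why the answer recommends keeping it to a short, enumerated list; the "sensitive" and "public" tiers still depend on an owner's declaration, and an undeclared record falls to "internal" by default. The Luhn check reduces false positives from long numeric identifiers but does not eliminate them, so a hit should trigger review rather than an automatic block.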
Related Q&A from Mike Chapple, Enterprise Compliance