We're interested in implementing a data-classification program to lower our compliance costs. We'd like to establish...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
different sets of controls for different data types. However, we're struggling to define our data-classification levels. How do you recommend structuring the data-classification scheme for a Fortune-500-type company?
Ask the Expert!
Have questions about regulatory compliance? Send them via email today! (All questions are anonymous.)
In my experience, the most critical factor to the success of an information classification program is simplicity. If your program is difficult to understand or the categories are ill-defined, people simply won't use it. The bookshelves of security professionals around the world are littered with binders containing information classification plans that never saw practical implementation.
An approach that I've seen used many times follows a four-tier classification model that limits the very highest category to a small number of easily recognizable data elements. Here's a rough outline:
- Highly sensitive data is information requiring an extremely high level of oversight and control due to potential reputational, financial or operational impact if improperly disclosed. This should be limited to a clear list of carefully enumerated elements, such as Social Security numbers, credit card numbers and drivers' license numbers.
- Sensitive data is information intended for limited use that, if improperly disclosed, could have a serious adverse effect on the organization. This is the "you know it when you see it" category that contains information the organization considers confidential but does not meet the "highly sensitive" bar. For example, this might include plans for the development of new products that have not yet been publicly released.
- Public data, as the name implies, is information that may be freely released to the public without concern for confidentiality. This category includes information that you would publish on your website or hand out at a trade show, such as product brochures, public price lists and basic contact information fro your firm.
- Internal data includes everything else. It's information that you wouldn't freely publish on the Internet, but wouldn't really damage the company if it were accidentally released, such as your internal telephone directory or the ordering list for your supply room.
Once you define your data-classification scheme, you need to appropriately classify all of your organization's data, and then develop and implement the security standards that specify appropriate handling practices for each category.
Dig Deeper on Data Analysis and Classification
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.