We're interested in implementing a data-classification program to lower our compliance costs. We'd like to establish...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
different sets of controls for different data types. However, we're struggling to define our data-classification levels. How do you recommend structuring the data-classification scheme for a Fortune-500-type company?
Ask the Expert!
Have questions about regulatory compliance? Send them via email today! (All questions are anonymous.)
In my experience, the most critical factor to the success of an information classification program is simplicity. If your program is difficult to understand or the categories are ill-defined, people simply won't use it. The bookshelves of security professionals around the world are littered with binders containing information classification plans that never saw practical implementation.
An approach that I've seen used many times follows a four-tier classification model that limits the very highest category to a small number of easily recognizable data elements. Here's a rough outline:
- Highly sensitive data is information requiring an extremely high level of oversight and control due to potential reputational, financial or operational impact if improperly disclosed. This should be limited to a clear list of carefully enumerated elements, such as Social Security numbers, credit card numbers and drivers' license numbers.
- Sensitive data is information intended for limited use that, if improperly disclosed, could have a serious adverse effect on the organization. This is the "you know it when you see it" category that contains information the organization considers confidential but does not meet the "highly sensitive" bar. For example, this might include plans for the development of new products that have not yet been publicly released.
- Public data, as the name implies, is information that may be freely released to the public without concern for confidentiality. This category includes information that you would publish on your website or hand out at a trade show, such as product brochures, public price lists and basic contact information fro your firm.
- Internal data includes everything else. It's information that you wouldn't freely publish on the Internet, but wouldn't really damage the company if it were accidentally released, such as your internal telephone directory or the ordering list for your supply room.
Once you define your data-classification scheme, you need to appropriately classify all of your organization's data, and then develop and implement the security standards that specify appropriate handling practices for each category.
Related Q&A from Mike Chapple
Web application firewalls may be a way to better security, but organizations need to be aware of the compliance implications of WAFs.continue reading
An SEC report shows over three-quarters of financial institutions were subject to at least one cybersecurity attack. Expert Mike Chapple looks at ...continue reading
The Data Accountability and Trust Act is likely to become a law this year. Expert Mike Chapple advises organizations on how to prepare.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.