The Federal Financial Institutions Examination Council (FFIEC) guidelines state that data classification must be an element of an enterprise's risk assessment process. Why does the FFIEC mandate data classification? Essentially to differentiate low-value from high-value information, and to mandate the correct security controls for each. A high-value data point obviously requires more stringent protection mechanisms.
While the FFIEC calls this process data flow mapping, we in security would normally refer to it as the process of classifying data based on corporate business sensitivity. Essentially, the importance of information to the business determines its classification.
In a nutshell, the data classification process should include:
- Inventory of hardware and software assets
- Network topology
- Business process and data flow maps
- Mapping technology operations to corporate strategic objectives
Notice how items two and three deal specifically with the business and security's role in supporting that business.
So how do we assess the business processes and make the leap to classifying a document? This is the journey we are about to undertake.
First it is essential that you understand your business, be it semiconductors, cars or pharmaceuticals. In a classification project, this step begins at the project's earliest point. Ideally, learning the business and how information security acts as a business enabler should be a natural part of the security professional's day-to-day responsibilities and long-term career development process.
Next, go to the business unit heads in your company and ask for their help in finding their most important intellectual property (IP) assets. Once you find those assets, evaluate the business processes that create them. Develop a simple flow diagram of the creation, distribution and storage of those assets. Congratulations; you just created a data flow diagram, and from here you can move toward classification.
Key elements of data classification
So what is data classification? This seems like a reasonable question, and yet it depends on a number of other factors. The first of these involves determining who has access to the data and defining the roles of people who can access said data. For instance, a merger and acquisition document is of high strategic value to a company, and thus data access rules should ensure that only a small handful of executives can view the document. A network diagram is seen by hundreds of folks and would likely be considered proprietary information, but with very few controls. Some documents may have intrinsic monetary value, such as a research document containing a new breakthrough discovery. Many people may have access to it, but it has financial worth due to its sales potential. Once these access roles are defined, they in turn guide how the data is secured.
The next component of classification is the length of time for which the data is retained. Data retention policy is based on the industry in which the enterprise operates, its associated regulations and legal requirements. Related to retention is destruction of the data when it is no longer needed, and the destruction methods used to dispose of the data. Some companies have adopted a default policy of destroying all paper and electronic media, including hard drives. This policy is based on associated costs, data sensitivity, destruction vendor availability and a business risk profile.
It's also important to determine whether data needs encryption during the classification process. Data owners must decide whether their data needs encryption, either for IP protection needs or to meet regulatory requirements, such as HIPAA or the PCI Data Security Standard.
Related to data protection is data use. This aspect of data classification defines whether data is for selected internal use, broad internal use, or can be made public.
Defining data classifications
Another key element of the data classification process is defining your various classification levels. There are no firm rules about the titles and types of classifications. However, the classifications should be clear enough so it is easy to decide how to classify the data once the process is underway. Many organizations use a classic military model, such as "confidential," "secret" and "top secret." Others are adding classifications specifically for privacy data.
Some companies define data by business process, restricting access only to those who participate in the business process. Think of an "eyes only" style of classification. For example, a research division may restrict information to one group within the division, assigning it a New Molecule Group classification. While this creates a greater volume of classifications, it is more business process-specific. There is technology available today that allows for the automatic classification of information based on a business process-style classification system, as well as a military-style system.
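To make the elements above concrete, here is an added example (not code from the article or its author) of a small classification policy model in Python. It combines a military-style level ladder with the "eyes only" business-process restriction, attaches access roles, retention and encryption requirements to each level, lets the author's own label take precedence, and falls back to a simple content-pattern classifier when no label was set. The policy table, the retention periods, the content patterns and the sample documents are all constructed for illustration; the article gives no such values.

```python
"""Toy data-classification policy model (added example; values are constructed)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Military-style levels, ordered so a higher value means more sensitive."""
    PUBLIC = 0
    PROPRIETARY = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class HandlingRule:
    """Controls the policy attaches to one level (constructed values)."""
    allowed_roles: frozenset   # roles that may read data at this level
    retention_days: int        # how long the data is kept before destruction
    encrypt_at_rest: bool      # whether the level requires encryption
    use: str                   # public / broad internal / selected internal


# Constructed policy table: the article gives no numbers, so these are illustrative.
POLICY = {
    Level.PUBLIC: HandlingRule(frozenset({"anyone"}), 365, False, "public"),
    Level.PROPRIETARY: HandlingRule(frozenset({"employee", "contractor", "executive"}),
                                    3 * 365, False, "broad internal"),
    Level.CONFIDENTIAL: HandlingRule(frozenset({"employee", "executive"}),
                                     7 * 365, True, "selected internal"),
    Level.SECRET: HandlingRule(frozenset({"executive"}), 10 * 365, True, "selected internal"),
    Level.TOP_SECRET: HandlingRule(frozenset({"board"}), 10 * 365, True, "selected internal"),
}

# Constructed content rules for the automated fallback: (pattern, level, eyes-only group).
# The M&A and New Molecule Group cases mirror the article's examples; the patterns are hypothetical.
AUTO_RULES = [
    (re.compile(r"\b(merger|acquisition)\b", re.I), Level.SECRET, None),
    (re.compile(r"\bmolecule\b", re.I), Level.CONFIDENTIAL, "New Molecule Group"),
    (re.compile(r"\bnetwork diagram\b", re.I), Level.PROPRIETARY, None),
]


@dataclass
class Document:
    title: str
    text: str
    owner: str
    created: date
    level: Optional[Level] = None           # set by the author/owner when known
    eyes_only_group: Optional[str] = None   # business-process restriction, if any


def classify(doc: Document) -> Document:
    """The owner's label wins; otherwise choose the most sensitive matching content rule.

    Unlabelled content that matches nothing defaults to PROPRIETARY (internal),
    never PUBLIC, so the fallback fails closed.
    """
    if doc.level is not None:
        return doc
    level, group = Level.PROPRIETARY, None
    for pattern, rule_level, rule_group in AUTO_RULES:
        if pattern.search(doc.text) and rule_level > level:
            level, group = rule_level, rule_group
    doc.level, doc.eyes_only_group = level, group
    return doc


def can_access(doc: Document, role: str, groups: frozenset = frozenset()) -> bool:
    """The role must be allowed for the level, and any eyes-only group must match."""
    rule = POLICY[classify(doc).level]
    if "anyone" not in rule.allowed_roles and role not in rule.allowed_roles:
        return False
    return doc.eyes_only_group is None or doc.eyes_only_group in groups


def destroy_after(doc: Document) -> date:
    """Date on which the retention period ends and destruction is due."""
    return doc.created + timedelta(days=POLICY[classify(doc).level].retention_days)


def needs_encryption(doc: Document) -> bool:
    return POLICY[classify(doc).level].encrypt_at_rest


# Constructed sample documents (one labelled by its author, three left to the fallback).
SAMPLE_DOCS = [
    Document("Project Atlas", "Board memo on the proposed acquisition of a competitor", "cfo", date(2007, 5, 1)),
    Document("NMG-17 assay", "Breakthrough molecule binding results", "lead-chemist", date(2007, 5, 1)),
    Document("DC topology", "Network diagram for the primary data center", "netops", date(2007, 5, 1)),
    Document("Press release", "Quarterly results announcement", "pr", date(2007, 5, 1), level=Level.PUBLIC),
]

if __name__ == "__main__":
    for d in SAMPLE_DOCS:
        classify(d)
        print(d.title, d.level.name, d.eyes_only_group, POLICY[d.level].use,
              "encrypt" if needs_encryption(d) else "plain", destroy_after(d))
```

Note that the decision order reflects the article's "who decides what" section: a label set by the data owner is authoritative, and the pattern-based fallback only fills the gap where no owner has decided, which is exactly the part automated tooling can relieve without removing the need to understand the business.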
Who decides what?
Most organizations' policies stipulate that the author or creator of the content is responsible for deciding the correct classification of that content. The corporate data classification policy may provide guidance, but the final determination for the classification is the data owner's responsibility. The data owner is best qualified to make this decision because he or she has the most knowledge about the use of the data and its value to the organization.
Also, organizations should ensure that each data repository has a supervising owner. This supervising owner is typically a director, or at least a department head, who has a vested interest in making sure the data is accurately and properly secured. The supervising owner should understand the importance and value of the information to the business, as well as the ramifications of leakage of that data; thus there may be several supervising owners within an enterprise.
However, getting supervising owners to accept responsibility for data is sometimes difficult without upper management's involvement in conducting the data classification initiative. Having the information security group appoint supervising owners without upper management buy-in is rarely successful. Given today's more stringent regulatory environment, this has become an easier task in most companies.
Data classification is a time-consuming process requiring many steps, with marked business and legal implications. It all begins with determining the classification policy, and then mapping your business process to your data. Once that is performed, the correct classification is decided on by the author or owner of the data. How long the data is kept, how it's destroyed and by what means are all determined by the policy.
Because of these complexities, automated data classification is an expanding subindustry within the information security field. This relieves the burden of touching each file manually, but still requires an intimate knowledge of the business. Thus we end where we began: security professional must know thy business.
About the author:
Tom Bowers, managing director of security think tank and industry analyst firm Security Constructs, holds the CISSP, PMP and Certified Ethical Hacker certifications, and is a well-known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. His areas of expertise include aligning business needs with security architecture, risk assessment and project management on a global scale. Bowers serves as the president of the 600-member Philadelphia chapter of Infragard, is a technical editor of Information Security magazine, and speaks regularly at events like Information Security Decisions.
This was first published in May 2007