Organizations are overwhelmed with data, from e-mails to confidential documents. With increased reliance on cloud services like Office 365, data is no longer locked behind the walls of your organization. Today’s organizations, by connecting users, business partners, and suppliers, generate a tremendous amount of data. How can you ensure that important data is protected, without needing to protect everything?
What is data classification?
Data classification is the process an organization follows to develop an understanding of its information assets and to categorize those assets so that it can safeguard information and comply with its information security policies, laws, regulations, and compliance obligations. This is done by applying labels to documents either manually or automatically based on predefined policies.
A typical data classification policy might define information at four levels:
- Restricted: Data that is considered most critical to the organization. Disclosure of this data could result in a violation or have severe regulatory impact.
- Confidential: Highly sensitive corporate and customer data that, if disclosed, could expose your organization to financial risk, loss of customers, or disruption of operations.
- Official Use: Internal data that is not meant for public disclosure. Compromise of this data would have minimal impact and would not affect the profitability or continuing operations of the business.
- Public: Data that requires no special protection and may be freely disclosed to the public.
Benefits of classifying your data
The sensitivity of data varies significantly from public information to highly confidential trade secrets. To ensure proper protection, organizations need to identify and classify data, while defining standards and policies to properly handle each type of data.
Consistent use of data classification will facilitate more efficient business activities and lower the costs of ensuring adequate information security. By classifying data, your organization can prepare to identify the risk and impact of an incident based upon what type of data is involved.
- Compliance – Classifying data, adding labels, and enforcing policies helps your organization meet legal compliance and regulatory requirements.
- Usage Rights – By understanding the sensitivity of the data, you can begin to understand who should or shouldn’t have access to it, both inside and outside of your organization.
- Awareness – Data classification helps to ensure employees are more aware of the type of information they are dealing with and its value, as well as their obligations in protecting it to prevent data loss or compromise of intellectual property.
- End User Empowerment – Data classification brings security to the front of your organization by empowering its users. Many data leaks could be avoided if a data classification solution were in place. Adding visual labels to headers and footers raises end user awareness, helping users become more security focused and avoid sharing sensitive content on USB drives, via e-mail, or through cloud services like Box or Dropbox.
Getting started with data classification requires understanding your organization’s data compliance and security needs. When you are ready to start classifying your data, keep these points in mind:
- Keep the process of classifying data simple for both users and the data custodians
- Don’t try to classify everything immediately
- Work with data owners to focus first on the most business-critical and highly sensitive assets and systems
Securing data is a growing challenge, but incremental steps are key to an organized and classified data model. Data classification provides a clear picture of the data within your organization’s control and an understanding of where data is stored, how it’s most easily accessed, and how data is best protected from potential security risks.
In this post, I covered the foundation of data classification. In my next post, I’ll focus on classifying data in Office 365.