It’s hard to find an organization that doesn’t have large amounts of data in its custody that it’s responsible for protecting. Despite this, data classification is still a mystery for a lot of companies. Data classification is an important part of data governance. This article covers some of the basics to help organizations better understand the process and build a data classification matrix.
Data classification model: structure and common errors
The first step in implementing a good data classification model is to form a data classification scheme and establish the rules that regulate and ultimately protect that data. Although this document is central to the overall data classification scheme, leaving out critical pieces will render it inadequate. Here are four common errors to avoid:
- Not outlining responsibilities for all the parties that are involved;
- Failure to convince the employees that the topic of data classification is important;
- The model itself is written in complex language that’s hard to understand, with a lot of technical terms;
- The goals that are outlined in the document are unachievable.
The very core of a data classification scheme consists of three main things: a responsibility list, a framework and a description of the various data classification levels. It’s also recommended not to clutter the document with too much extra detail, such as how to handle the data and what to do in a breach. These topics should be separate documents so that users don’t get confused.
A good data classification scheme that lays the framework for data classification should be simple, straightforward and relatively short. A key point to remember is that it should be written in layman’s terms as much as possible, not like a legal document. It’s also recommended to include contact details for the key people to reach in case of an emergency.
Creating a data classification scheme
There are a lot of different ideas and approaches to forming a data classification scheme. Here is one example that includes seven relatively simple steps to ensure that you end up with a workable data classification scheme:
- Consult with executives. This process requires the expertise of someone who understands why a correct data classification framework matters, including the relevant security considerations and possible risks.
- Define your goal. It’s important to realize what you’re aiming to get from implementing a good data classification model. You may want to correctly map the data protection steps that your organization urgently needs, you may be aiming to mitigate the risk of a data breach or unauthorized access, or you might just be trying to reach compliance with regulations like GDPR. It can be one goal or several; there’s no limit.
- Define the scope. It’s also important to understand the extent of the data you’re planning to regulate. Nowadays data can be almost anywhere, from electronic documents and databases to emails, storage media, paper documents, and so on.
- Determine responsibilities. A good data classification model should be able to say who is responsible for the data classification protocols for every piece of data. The roles of data owners, data stewards, data users and employees should also be defined.
- Outline different data sensitivity levels. This part is all about defining how many sensitivity levels you will have, which kinds of data go into each of them, and so on. There’s no standard data classification matrix for this part, since there’s a lot of variation between individual organizations and businesses. But there is one important recommendation: do not overcomplicate the sensitivity levels. The standard is to use three or four levels, under which you should be able to classify most data. Having too many complicated levels increases the likelihood that users will get confused.
- Create handling guidelines. The next step in your data classification framework is to separately develop the set of actions that need to be taken to protect each of the sensitivity/classification levels. The level of restriction and data protection depends on a lot of factors, such as the damage a data breach or any other disaster involving that data would cause.
- Keep reviewing and improving. Data classification is not a one-time process, but rather a continuous effort that you need to take the time to review regularly and improve where needed.
Data classification matrix
A data classification matrix is a helpful tool in building out a program. There are a lot of different templates for building a data classification matrix. Here’s a basic example describing a data classification scheme with three security groups: public data, sensitive data and confidential data.
| | Public data | Sensitive data | Confidential data |
| --- | --- | --- | --- |
| Risk degree | Low | Medium | High |
| Description | Data that can be freely disclosed to the public, or that has no impact on the company if it is published. | Information of medium importance, typically created for internal use only and not meant for public disclosure. | Highly sensitive data concerning either customers or corporate individuals, absolutely not meant for public disclosure. |
| Access rights | Low or nonexistent limitations | Moderate access, mostly available to people on a need-to-know basis (when someone needs this data to do their job properly) | Highly selective, case-by-case approved access under an NDA |
| Potential impact | The negative impact from this data type getting into the wrong hands or being published ranges from nonexistent to inconvenient at most. | The negative impact from this data type getting into the wrong hands or being published is moderate: concerning, but not business-critical. | The negative impact from this data type getting into the wrong hands or being published is highly destructive, capable of creating both financial and legal problems for the company. |
Summary
Creating a proper data classification scheme is a significant step in setting up your data classification process. You can also create a detailed data classification matrix to draw a clear line between the different security permissions for yourself and your employees. All of this will help to make the sometimes complicated process of data classification much easier.