
Data Classification – What It Is, Types & Best Practices

Darrell Jones

Data classification can help secure your data for compliance and company policy. But where should you even begin in the classification process?

To start, let’s go through the main data classification types. The four main classifications for data are:

  1. restricted
  2. confidential
  3. internal
  4. public

However, these types may vary depending on organization. Each of these levels determines who has access to the data and how long the data must be retained.

This post, the first of three, will help organizations create a data classification program, including program prerequisites and taskforce member responsibilities to ensure proper governance. I will detail the development process in a future post.

Conversations and meetings around what data classification is and how to define it in organizations have occurred for the past two decades. It is the classic “Coke can” experiment; a group of people sit around a Coke can and describe what they see, without saying “it’s a Coke can.” Everyone will have a unique view and no two descriptions will be the same.

Data classification is difficult, boring, and unglorified but…

Now imagine the same exercise but replace the Coke can with your organization’s data. Data classification becomes extremely complicated for an organization with different business functions, deliverables, and different needs. It can make you want to look for other things to do with your day. Data classification is difficult, boring, and unglorified. You will, however, need to embrace it to create an effective cybersecurity program.

Any article on data classification will tell you it must factor into an organization’s information security and compliance program. This generic statement will garner universal acceptance with your management team but data classification requires a lot of heavy lifting. Data classification desires, needs, and even definitions vary between groups in an organization.

Data classification typically includes a three- or four-layer system akin to the one shown below.

[Figure: Data classification typically includes a three- or four-layer system]

If you are new to data classification, begin with a 3-level system

I recommend that organizations new to data classification begin with the 3-level system, because the levels and their corresponding actions and controls can be challenging to define. The three-level system treats all internal data as Confidential, so you can clearly communicate your goals across the business, including locations, processes, and applications. First, create the processes and procedures needed to support Confidential data. You can identify the limited amount of Public and Highly Confidential data later through interviews and technical discovery.

Before you Start Your Data Classification Program

A data classification program cannot be created and deployed in a vacuum. The following cybersecurity program components must be in place before any data classification planning can begin.

  • Asset Management – Owned by IT. The organization needs to know what systems contain the highly sensitive, Confidential or Highly Confidential data. A data classification program without an effective asset management process already in place won’t work; you won’t get past the drawing board stage.
  • Incident Response (IR) – Owned by Cybersecurity. You must have a plan and process in place in the event that Confidential or Highly Confidential data is breached. Organizations with immature cyber programs often struggle with Incident Response, as breaches involving different data types require different response levels. These response levels must be established prior to starting a data classification program.
  • Regulated Data Sets – Owned by Compliance. Most data is regulated (e.g., financial data, intellectual property). You must determine what regulated data you have before you begin a data classification program. These data sets, once defined, will also help you establish your data loss prevention (DLP) rules and location search.
  • Privacy Data Sets – Owned by Privacy. Much like the regulated data sets, privacy data needs to be pre-determined. Don’t cut corners here. A blanket statement like “Well, it’s just personally identifiable information” will spell disaster. Your Cyber and Privacy teams must align on privacy data definitions and rules, including:
    • Will the organization classify Customer IDs as personally identifiable information (PII)?
    • Are any PII data types more sensitive than others?
    • Do any regulations require data to be contained to any specific location or jurisdiction?

Organizations must demonstrate compliance with several additional privacy requirements to ensure a successful data classification program.

Create a Data Classification Taskforce

A highly effective data classification program will have input from numerous business verticals.

You will find some departments more cooperative than others. You will not, for example, need to convince IT to participate. Virtually any CIO will want a mature data classification program, as it allows IT departments to automatically prioritize the systems, business processes, and applications they provide and maintain.

Get all the teams on the same page

I recommend you start with the Regulators. They usually understand the program’s importance and also know their data sets very well. Next, engage with Risk and Legal. They too know their data but will probably require some training on their role and their deliverables. You can work much more efficiently and effectively once all the teams are on the same page. Make them a part of the program development process going forward. Define the data classifications together. Co-develop the training materials required to inform the business units about the program. Then communicate (rather than dictate) procedural changes in handling certain data types to ensure compliance with the new classification program.

[Figure: The Taskforce: Deliverable, Role, Motivation]

Data classification programs frequently fail in their implementation unless each group contributes something to make the program successful.

What’s Next

In my next post, we will take a deep dive into the classification schema and best practices for defining data.
