What Is Data Classification and How Can It Help Protect Your Data?
Eric Russo | September 26, 2013
With data breaches becoming more prominent worldwide, how can you best protect your organization and its data? Data classification provides the foundation, according to Ericka Chickowski, writing in Dark Reading.
What is data classification? Carnegie Mellon University defines it as:
“The classification of data based on its level of sensitivity and the impact […] should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.”
The University, for example, sorts data into three levels of sensitivity. Restricted Data is any data protected by state or federal privacy regulations or by confidentiality agreements. Private Data is everything not explicitly classified as Restricted or Public; it is the default tier. Public Data is data that, if disclosed, altered, or destroyed, would pose little to no risk to the organization. Public data, press releases for example, still needs protection against tampering or deletion, even though disclosure is not a concern.
When it is unclear which classification a data collection belongs in, apply the most restrictive one. Doug Landoll, chief executive officer of Austin-based Assero Security, says:
“In theory you could create a half dozen or more classification levels, but practically speaking most organizations can deal effectively with two levels of security: standard and protected. […] An approach of creating even four or more environments each with a different set of required security controls is an administrative nightmare and does not take advantage of economies of scale.”
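The following is an added example, not code from the original post, Datavail, or Carnegie Mellon, showing how the three-level scheme above and the "most restrictive wins" rule play out in a first-pass classification of a database table. It starts from what the business owner declared about each column (a set of column names marked Public), scans the column contents for regulated data that would force the Restricted tier, and rolls the column results up to a collection-level classification. The two detectors (US SSN layout and Luhn-valid payment card numbers), the column names, and the sample rows are assumptions constructed for the example.

```python
"""First-pass data classification over a table of rows.

Added example: Public < Private < Restricted, with the most restrictive
applicable level winning at both field and collection level.
"""
import re
from enum import IntEnum
from typing import Dict, Iterable, Set, Tuple


class Level(IntEnum):
    # Ordered so that max() over levels yields the most restrictive one.
    PUBLIC = 0       # disclosure, alteration or destruction poses little or no risk
    PRIVATE = 1      # default tier: anything not explicitly Restricted or Public
    RESTRICTED = 2   # protected by privacy regulation or confidentiality agreement


# Assumed detectors: a US SSN layout and a 13-19 digit number laid out like a
# payment card (digits optionally separated by spaces or dashes).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_regulated_data(text: str) -> bool:
    """True if the text holds a value that belongs in the Restricted tier.

    About one in ten random digit strings passes Luhn, so a card hit is a lead
    for the data owner to confirm, not proof on its own.
    """
    if SSN_RE.search(text):
        return True
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def classify_field(name: str, values: Iterable[str], public_fields: Set[str]) -> Level:
    """Start from the owner's declaration, then let the content raise it.

    A column declared Public that turns out to hold regulated data is still
    Restricted: the most restrictive applicable level wins.
    """
    declared = Level.PUBLIC if name in public_fields else Level.PRIVATE
    if any(contains_regulated_data(str(v)) for v in values):
        return Level.RESTRICTED
    return declared


def classify_collection(rows: Iterable[Dict[str, str]],
                        public_fields: Set[str]) -> Tuple[Level, Dict[str, Level]]:
    """Classify every column, then take the most restrictive level as the
    classification of the whole collection (table, export, backup)."""
    rows = list(rows)
    names = sorted({k for row in rows for k in row})
    per_field = {
        n: classify_field(n, (row.get(n, "") for row in rows), public_fields)
        for n in names
    }
    # Empty collections fall back to the Private default, never to Public.
    overall = max(per_field.values(), default=Level.PRIVATE)
    return overall, per_field


# Constructed sample rows (not real data): a press-release column the business
# declared Public, customer contact details, and a payment card column.
SAMPLE_ROWS = [
    {"press_release": "Datavail opens an Austin office",
     "customer_email": "a@example.com",
     "payment_card": "4111 1111 1111 1111"},
    {"press_release": "Quarterly results published",
     "customer_email": "b@example.com",
     "payment_card": "n/a"},
]
PUBLIC_FIELDS = {"press_release"}

if __name__ == "__main__":
    overall, per_field = classify_collection(SAMPLE_ROWS, PUBLIC_FIELDS)
    for column, level in per_field.items():
        print(f"{column:15} {level.name}")
    print("collection:", overall.name)
```

Run as a script it reports press_release as Public, customer_email as Private (the default, since nothing declared it Public) and payment_card as Restricted, so the whole table is Restricted and inherits the Restricted baseline controls. The declared-Public list is where the business owners from the next section come in: the scanner can only raise a classification, it cannot decide that something is safe to publish.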
Erik Bataller, a senior consultant with information security consultancy Neohapsis, in a series on data classification, contends everyone within the organization needs to be involved in the classification process for it to be effective:
“The business, not IT, owns organizational data, so establish a dialogue with the executives and staff responsible for relevant systems. They need to be the enforcers across their groups.”
In some industries or situations, database administrators will also need input from other departments, such as legal, compliance, and human resources.
The classification process helps organizations put a value on their information by assigning each item an importance, whether it lives inside a database or outside one. All data must be classified in a way that accounts for any government or regulatory mandates governing its management. Classification is not a one-off project; it needs regular review, perhaps on a quarterly basis.
Some data classification initiatives can be extensive. A pharmacy, needing to protect information accessible through its website to meet regulatory requirements, dealt with roughly eight billion records across 180 applications and in its allied databases, including the organization’s test and development databases, explained Venkat Lakshminarasimha, global big data integration specialist with Informatica, in a workshop presentation at FutureGov Singapore Forum 2013.
Additional ideas and information about data classification can be found in “Standards for Security Categorization of Federal Information and Information Systems” (FIPS PUB 199), published by the National Institute of Standards and Technology.
Source: “Developing Data Classification For Stronger Database Security,” Dark Reading, 04/17/13
Source: “Data Classification Tips And Technologies,” Network Computing, 03/29/12
Source: “Integrating, Governing and Managing Big Data,” FutureGov, 04/25/13