The Whats and Whys of Data Classification for Risk Management

Table of Contents:


    Data classification is often considered a technical topic, but is an essential practice that should be understood by any organization’s leadership. That’s because, without proper data classification, it is more difficult to organize and protect important data.

    What Is Data Classification?

    To put it simply, data classification is a way in which organizations can sort and categorize data. By doing so, it should become easier to search and manage. Data classification is important when discussing risk management, security, and compliance with various regulations.

    As an example, some organizations use three classifications for their data:

    1. public,
    2. private, and
    3. restricted.

    In this instance, any data marked “public” would be the least sensitive information and, therefore, would have the least security to access. On the other hand, any data marked “restricted” would be the most sensitive and have the most security for access.

    This is a good starting point for most enterprises, although many organizations may find the need to further restrict and separate data. Theoretically, an organization can make as many classification types as they need, although 3-5 usually do the trick.

    Examples of data classification

    Here are popular classification schemes used by organizations:

    1. PII: Non-sensitive PII, Sensitive PII, Non PII
    2. GDPR (EU personal data protection): Special category personal data, personal data, non-personal data
    3. HIPAA (health data): Critical, Restricted, Public
    4. US Government: Top Secret, Secret, Confidential, Sensitive But Unclassified (SBU), Unclassified
    5. NATO: Cosmic Top Secret, NATO Secret, NATO Confidential, NATO Restricted, NATO Unclassified (copyright), Non-sensitive information releasable to the public
    6. ISO 27001: Confidential, Restricted, Internal use, Public
    7. Highly sensitive/Restricted, Sensitive/Confidential, Internal, Public
    8. Restricted, High, Moderate, and Low
    9. Restricted. Sensitive, Open
    10. Sensitive, Confidential, Private, Proprietary, Public

    Why Does Data Classification Matter?

    Failing to classify data can lead to many organizational difficulties. This is because unclassified data isn’t properly organized, which means there is no way to ensure that data is actually being safeguarded as it needs to be. The result is data that sometimes may be insecure, and other times may be too secure. Being as secure as it needs to be is always the aim, but being too secure can hinder day-to-day processes and become more difficult to search, share amongst different applications and databases, and ultimately draw information out of.

    For all of these reasons, data classification is a very important process that every organization, regardless of their size, should utilize. Data classification is rapidly becoming the new standard in information security and there is no instance when it wouldn’t be helpful in an organization where at least some data needs security.

    The Benefits of Data Classification

    The countless benefits of data classification include the following.

    • Consistency and Improved Understanding: Everyone will be on the same page about what data is sensitive and what data isn’t.
    • Better Security for What Matters: Sensitive data will be more secure, reducing the risk of theft or leaks.
    • Better Access for What’s Needed: Non-sensitive data will be more easily accessible, reducing the red tape and steps required to access data for organizational purposes.
    • Improved Data Protection All Around: By organizing data into different categories, your organization can know just how much protection is needed for each set of data.
    • Regulatory Compliance: Due to data classification adoption, you will be aware of where data of various levels of sensitivity is stored and how it is managed. With regulations such as GDPR that focus on the use and management of personal data (and not only), data classification is not only important, but mandatory.
    • Better Allocation of Resources: Thanks to data classification, you won’t waste any more time or money over-protective non-sensitive data or risking the loss of sensitive data.

    There are other benefits for risk management, but one thing is certain: it is well worth exploring data classification further to see how it can help your organization.

    Types of Data Classification

    There are many types of data classification, three of which are considered industry standard because they are so common. These three types are described as follows.

    • Content-Based Classification: This type of classification inspects files, and data stores, and interprets the data within in search of sensitive information. Any file/table/column that has sensitive information will be tagged with one category for special security measures while other files will be identified as another.
    • Context-Based Classification: This type of classification uses variables like creator, application, or location to determine whether or not a file/ table has sensitive information within it. Again, any files/tables/columns that are determined to have sensitive information will be put in one category while everything else is categorized differently.
    • User-Based Classification: This is the least popular, but most accurate form of classification because it requires a user to manually inspect the data and determine what goes where. Still, mistakes can happen because this system relies on a user to employ certain knowledge and edit, review, and flag data at their discretion.

    Most organizations use a mixture of data classification techniques in order to ensure their data is classified in an accurate and secure way. For instance, you might begin by using context-based classification to organize your data, and then follow up with user-based classification to ensure nothing was missed.

    Regardless of the method you will utilize, you need tools such as a passive data dictionary, a data catalog, and a business glossary in order to:

    • Have the ability to document and tag identified data and information with all necessary metadata
    • Share metadata amongst programmers/ developers, and systems
    • Search and find data in its specific classification categories
    • Automate processes around data risk management

    The end goal is better security for your data and information.

    Misconceptions About Data Classification

    There are some common misconceptions about data classification, including the following.

    • It takes too long. Many organizations hear data classification and immediately assume that it will be a difficult, time-consuming process that brings little value. While the initial classification process does take time, data classification is an essential process that every organization should work through. The increased visibility and security that results from data classification gives organizations improved abilities to access and utilize their valuable data. It can also drive security improvements.
    • It is too complex. Data classification projects are often bogged down by overly complex schemes. However, classification should be kept as simple as possible because complicating the matter generally only adds to the time investment and does not improve the end quality in any way. Starting with just three categories is really all it takes to see vast improvements and, in many cases, achieve regulatory compliance.
    • It’s another layer of bureaucracy. Data classification is a simpler way to protect your data as it allows you to understand what data is sensitive and what data isn’t. In this sense, it is an enabler that allows your organization to allocate resources more appropriately. Therefore, when done correctly, data classification does not complicate or slow things down--it simplifies and speeds things up.

    Regardless of the size of your organization, the number of databases and systems, or the regulatory bodies your data needs to comply with, make sure you’re smartly investing in data classification. Feeling overwhelmed? Start simple! It will only take a few data classification exercises to already begin to see how you can better protect your organization’s data while improving efficiency all around.

    George Firican
    George Firican

    Award winning Data Governance & Business Intelligence leader, director of data governance and BI at the University of British Columbia, public speaker, founder of LightsOnData blog.

    0
    There are no comments. Click here to write the first comment.