Data classification guidelines

In this article..
What is data classification?
Why is data classification required?
Classification criteria
Data classification levels
Review process

What is data classification?
The purpose of data classification is to establish a framework for classifying data based on its level of sensitivity, value and how critical it is to the organization as specified by the organization’s Information Security Policy. Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the organization should that data be disclosed, altered or destroyed without authorization.

Why is data classification required?
Depending on an organization’s requirements, there might be various reasons for classifying data. Some organizations might want to classify data so that they can be accessed quickly and efficiently. Others might be handling data that might be considered sensitive (PAN, SSN, etc.) that they may be required to protect. Classification of data will aid in determining baseline security controls for the protection of data.

Classification criteria
Most organizations classify data to comply with their requirements of Confidentiality, Integrity and Availability (CIA). Another factor that plays into this exercise is the potential impact to the organization if any of the above criteria are not met as required.

Data is typically classified according to its type such as medical, financial, personal, to name a few. These will be defined by the organizations or by regulations, policy or law.

In the case of regulations or standards, the data items that need to be classified can be obvious. For instance, Personal Health Information (PHI) or Personally Identifiable Information (PII) may be governed by the country’s laws (HIPPA, FOIPA, etc.) while cardholder information may be subject to protections specified in the Payment Card Industry Data Security Standards (PCI-DSS). In cases where the classification levels are not obvious, a classification matrix such as the one below may need to be used:

Data classification levels
Generally, data can be classified into three major levels, namely Public, Private and Restricted.

  • Public
    Data should be classified as Public when the unauthorized disclosure, alteration or destruction of the data would result in little or no impact to the organization. Examples of public data include press releases, news letters and event information. While little or no controls are required to protect the confidentiality of public data, some controls will still be required to prevent unauthorized modification or destruction of Public data.
  • Private
    Data should be classified as Private when the unauthorized disclosure, alteration or destruction of the data could result in a moderate level of impact to the organization. By default, any data that is not explicitly classified as Public or any of the other classifications of data should be treated as Private data. A reasonable level of security controls needs to be applied to Private data.
  • Restricted
    Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of the data could cause a significant level of impact to the organization. Restricted data would include data protected by privacy regulations, confidentiality agreements or industry standards. Restricted data will warrant the highest level of security controls within the organization.

It is important to note that access to all of these types of data will need to be monitored, though the degree of monitoring may differ.

Review Process
Each organization may have its own criteria that provide additional levels of classification. It is important to review these classification levels and criteria periodically as rules and regulations change, requiring a change in the way data is classified within the organization.