What is Data Classification? (2024)

In the realm of Information Security, it is well understood that not all information is treated equally. Security is expensive and we must layer controls to ensure our most critical information is protected. This is where data classification comes in. It is widely publicized that Governments work with ‘Top Secret’ information, but what does that mean? Data Classification starts with labeling documents with various levels of confidentiality. Each level is given a name and is tied to how the information will be used, transmitted and ultimately protected inside and outside of the business.

Data Classification Levels

Data Classification in Government organizations commonly includes five levels: Top Secret, Secret, Confidential, Sensitive, and Unclassified. These can be adopted by commercial organizations, but most often we find four levels: Restricted, Confidential, Internal, and Public. These four are far more straightforward, and their names align to how they should be handled.

  • Public: This information can be openly shared on your website and discussed in public with anyone. Public information, as the name implies, is public and does not require any additional controls when used.

  • Internal: Internal information is company-wide and should be protected with limited controls. Internal information may include the employee handbook, various policies and company-wide memos. If disclosed, Internal information has a minimal impact to the business.

  • Confidential: Confidential information is team-wide and its use should be contained within the business. This information may include pricing, marketing materials, or contact information. If disclosed, Confidential information could negatively affect your business and ultimately your brand.

  • Restricted: Restricted information is highly sensitive and its use should be limited on a need-to-know basis. Restricted information is typically protected with a Non-disclosure Agreement (NDA) to minimize legal risk. Restricted information includes trade secrets, personally identifiable information (PII), cardholder data (credit cards), or health information. If disclosed, there would be a significant financial or legal impact to the business.

How do you Classify Information?

Having a Data Classification standard is the first step. Once one has been defined, how do you classify information? There are multiple ways to classify information, but to simplify things, there are two primary methods.

The first involves treating all PII, PCI, PHIPA or trade secrets as restricted and attempting to build rules (i.e., regular expressions) in your systems so that technology can tag the data automatically. Credit cards are 16 digits and valid cards pass a mod 10 check. Technology is capable of finding credit cards and handling the information accordingly.
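As an added example (not from the original article), the Python below applies the first method to card numbers: a regular expression finds 16-digit candidates and the mod 10 (Luhn) check discards those that are not valid cards. The function names, the sample strings and the default label Internal are assumptions made for the illustration.

```python
import re

# Candidate: 16 digits, optionally grouped in fours by a space or hyphen,
# and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod 10 (Luhn) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return the valid card numbers in text, masked to the last four digits."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Never write the full number into a scan report or log.
            hits.append("*" * 12 + digits[-4:])
    return hits


def classify(text: str, default: str = "Internal") -> str:
    """Label text Restricted when it holds a valid card number.

    The default label for everything else is an assumption of this example.
    """
    return "Restricted" if find_cards(text) else default


# Constructed samples; 4111 1111 1111 1111 is a widely published test number.
SAMPLES = [
    "Refund to card 4111 1111 1111 1111 approved.",   # valid test number
    "Order reference 1234-5678-9012-3456 shipped.",   # 16 digits, fails mod 10
    "Tracking 941111111111111111 left the depot.",    # longer digit run, ignored
    "The employee handbook was updated this week.",   # no digits at all
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), find_cards(s), "|", s)
```

The second and third samples show why the mod 10 check and the digit-boundary rule matter: without them, order references and tracking numbers would be tagged Restricted and the labels would quickly lose their meaning.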

The second involves training your staff to understand the levels and label their documents based on their intended use. This is by far the most difficult, but once implemented, the most effective for the simple reason that technology has a hard time understanding data and the context.

The role of labelling data falls with the data owner. The data owner is the business lead or unit that is responsible for the data. Loyalty Data, for example, may be owned by the VP of Customer Loyalty. It is up to the data owner to assign the appropriate classification, and hand off the responsibility to the custodian. The custodian is the team member responsible for the safe custody, transport and storage of sensitive data. They are responsible for the application of security controls based on the sensitivity level.

Why Classify Information?

There are several reasons to classify data. To start, it makes sensitive information easy to spot. An email with a content policy tied to it (Office 365), and a subject line that starts with “RESTRICTED”, is a very clear indicator that the recipient should be careful with the information. Security is expensive, and if we apply high-security controls to the data that requires them, and lessen controls on information that is public, we can be more cost-effective.

Labelling your information not only makes it easier for employees to spot, but also makes it easier for technologies such as Data Loss Prevention (DLP) to do the same. Restricted information, as an example, can be watermarked to ensure it is not sent out of the business, printed, or stored in an insecure location.

Conclusion

In summary, data classification is a fundamental component of any security program. It is the framework for how IT security is woven into information security, and it ensures the protection of your business’s most sensitive information. Public information is intended to be used publicly and its disclosure is expected. Applying layers of security controls as you move your way up to Restricted information is the best way to ensure cost-effectiveness. Sensitive information that is labelled is easier for your employees to spot, and it is easier for them to understand how to handle it.

Contact us to learn more about data classification and how we can validate your restricted data is protected through an objective-based penetration test.

Author: Melvina Ondricka
