What is: Data Classification Policy

Executive Summary:

Data classification policies establish criteria for ranking data based on the resulting impact of loss or theft on an organization. The impact of loss or theft includes the cost to recover data, adverse impact on organizational reputation, operational downtime, legal fines and penalties, and overall financial liability. Data classification policies are an essential part of a Written Information Security Policy (WISP) and an Encryption Policy.

Executive Action Items:

  • Initiate a data classification conversation focusing on impact to an organization;
  • Implement a data classification policy based upon information type and importance;
  • Train employees on how to recognize and handle different types of sensitive data.

Analysis:

A data classification policy provides a methodology for ranking data according to its sensitivity and for defining how authorized users should treat each type of information. Once classified, data should be segregated on a need-to-know basis, according to employees’ roles and responsibilities.

Levels of Data Sensitivity

A data classification policy normally has no more than four levels of data sensitivity. Employees should be trained on how to handle every level of data. The classification scheme is up to the company, but the following structure, recommended by the National Institute of Standards and Technology (NIST), is commonly used:

  • Restricted
    • Restricted information is the highest level of data sensitivity; it is often the organization’s Crown Jewel Asset. Access must be limited to authorized employees, contractors, and business partners with a specific need to access the data.
      • Significant damage would occur if restricted information became available to an unauthorized party.
  • Confidential
    • Confidential information is the second-highest level of data sensitivity. Confidential data is highly valuable, business-critical information.
      • High to moderate damage would occur if confidential information became available to an unauthorized party.
  • Internal Use
    • Internal Use (or business-crucial) information is data that originated at, is owned by, or was entrusted to the organization. This information may be shared with authorized contractors, employees, and business partners, but may not be released to the public.
      • Moderate damage would occur if internal use information became available to an unauthorized party.
  • Public
    • Public information is information that has been approved for public release and may be freely shared.
      • No damage would occur if public information became available to anyone.

Handling 

The data classification policy, in conjunction with the WISP, should specify what security measures employees are expected to take to protect each type of information. There is no single standard for what security measures all companies should apply to their data, but best practices can be established through a review of corresponding Data Privacy regulations and Information Security Frameworks, such as NIST. The data classification policy should specify who has access to each level of data, and what actions employees, partners, and contractors must take when handling the different levels of data.