One of the most critical components many organizations and businesses overlook when it comes to cybersecurity is data classification. Taking the time to classify your data can help you determine what you have, what type of protection you require for it, and how much you should be spending on that protection. Here’s a look at everything you need to know about data classification.
Let’s start with what data classification really means. All businesses, organizations, and individuals possess data. This can range from emails to personnel files, client payment information to the personally identifiable information (PII) of patients. Regardless of what industry you are involved in, you have data.
The process of understanding what information you and your organization hold, the value of that information, and the cost required to protect it is known as data classification. Undergoing the steps of data classification is a crucial first step in establishing a solid cybersecurity management program. It boils down to this: If you don’t know what you have, how can you ensure it is used properly and protect it?
By taking a hard look at what data your business has, you are able to make the best decisions about allocating your available resources to prevent unauthorized access and use. In other words, if you want to know how to prevent a breach, hack, or loss of information that could potentially destroy your business, you need to look at what data you have so you can decide what protection it needs as well as how much you should spend on that protection.
Information as an Asset
All information is valuable to some extent. Businesses now communicate, trade, and operate on a global scale which means there is an innumerable amount of data that is produced, shared, and stored on a daily basis. While the information flowing in, out, and around your organization typically has value to you, the reality is that it’s not all created equal. Some data has more value than others. For example, an email announcing a retirement party for your CEO is less valuable than say proprietary plans for the development of a new form of AI.
With that said, there are steps each organization should take when it comes to data classification:
• Identify: Identify the data your company uses and stores.
• Locate: Determine where the data is located.
• Classify: Categorize the data by importance and decide which data needs to be protected.
• Value: Assign value to each piece of data.
A Common Problem
When Dox Electronics conducts an assessment for a business regarding Defense Federal Acquisition Regulations (DFARS) and National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), nearly 100 percent of the time our client cannot clearly tell us what their controlled unclassified information (CUI) looks like, where it is stored, or how it is protected. This creates major roadblocks to achieving compliance, which requires them to handle CUI in specific ways.
Some steps to protecting CUI can be very costly, so it’s advantageous to clearly designate a small area or system for your CUI. That allows you to apply the costly protections specifically to that area or system, saving you money in the long run. There is often a temptation to be lazy and say that CUI can be located anywhere in a facility, in any system. When that happens and a “protect it all” mentality takes hold, protecting everything becomes far more costly.
An analogy we often use at Dox is that CUI is like radioactivity. If the Department of Defense (DoD), which requires contractors and subcontractors to be DFARS and NIST SP 800-171 compliant, contracted you to work with a substance they told you was radioactive, what would be the best method of keeping everyone safe? Would you line every room and hallway of your entire facility with four inches of lead? Of course not! That would get very expensive very quickly.
The better approach is to clearly label that substance and define where you can store and work with it. Once that area is identified, you can apply the proper protections with surgical precision. The same is true of data classification. If you have a system in place in which you store clearly identified CUI data, then that covers the majority of security requirements easily and at a significantly lower cost.
Identifying Your Data
While this can be a time-consuming process, it is imperative that your data be systematically identified. This includes hard copies of data in addition to digital information.
Data identification is not a one-person operation, particularly in larger organizations. The identification of data should be done by process owners in every branch, department, and division of the company, because those in billing will have substantially different data to identify than someone in production, marketing, or customer relations.
The first step in the classification process is identifying and tracking various forms of data. The best way to begin is to trace the flow of data starting with each process owner. In each department or division, ask the lead(s) questions about the specific data they work with such as:
• What data do they collect and retain from or about suppliers, partners, customers, etc.?
• What data is created regarding such stakeholders through business processes?
• What proprietary data is created in the course of design, production, sales, or marketing?
• What data is produced as the result of purchasing, sales, and other transactions?
• Which data is public, private, confidential, or even restricted?
Location, Location, Location
Before you can protect your data, you have to know where it is. Whether you store everything on local hard drives, in the cloud, or in file cabinets, you have to know where your information resides so you can put the proper protections in place. Storing confidential files, for example, in an unlocked drawer in a room everyone has access to is not good data security.
For digital information, many organizations employ systems that interface with one another or with outside systems, which means data may be stored in multiple locations. From where data was originally created to how it is sent and stored, data may be found on the hard drives of desktops, in email systems, on backup drives, in the cloud, etc. Don’t fail to check reporting systems and data warehouses, where information may also be hanging out; transactional data may also be archived in such systems. Data can also be found in imaging and photocopy devices. Even personal devices such as thumb drives, tablets, laptops, and cell phones can hold a treasure trove of data that could do serious damage if it were to fall into the wrong hands.
Don’t forget to consider subcontractors, partners, and others who may also have copies of business data that needs protection. Ensure they also have a solid handle on where your data is located. There have been instances where serious consequences have occurred as a result of lost data. Take, for example, the hundreds of gigabytes of data regarding secret military projects stolen from the computers of a U.S. Navy contractor by Chinese hackers in January and February earlier this year.
Public, Private, or Classified?
The next step in the data classification process is to determine what types of data you have and how it should be divided. Though you want to identify and separate distinct levels of data, you want to avoid becoming overly precise in your classification of information.
“Data classification should not granularly label individual files; rather, it should create large categories of similar data and establish a core set of principles regarding the proper use, handling, and applicability of various protection profiles for each category,” according to the Gartner report, “How to Overcome the Pitfalls in Data Classification Initiatives.” “The classification schemes, policies and procedures inherently establish the scope of the overall initiative, as well as the amount of effort and resources required to support it.”
While your business may have specific classifications of its own, some major categories to consider may include:
• Public Data: Data that may be freely disclosed publicly, such as marketing material, contact information, price lists, etc.
• Internal Data: Information not for public disclosure such as sales playbooks, organizational charts, employee information, etc.
• Confidential Data: Data that, if compromised, could negatively affect operations, such as contracts with partners and vendors, employee reviews, etc.
• Restricted Data: Highly sensitive information that could put the organization at financial or legal risk if compromised, such as credit card information, PII or personal health information (PHI), or trade secrets.
These classifications may seem too broad, but don’t feel compelled to go too in-depth. Typically three to eight categories serve the purpose for most companies and organizations.
Classifying data is important because it allows management to determine what really needs to be protected and how. By indexing the different types of data your organization uses and stores, you can assign each type a value.
Now that you have identified the data your business has, located it, and classified it, it’s time to assign value to the different pieces. This is a critical component of the data classification process because it pinpoints what data requires which level of security, criteria for using and protecting it through policy, and how much you need to spend to secure it.
By classifying information, you can further develop company policies and guidelines for the use, storage, and handling of data by employees. You’ll also want to train employees regularly on such policies and procedures.
“An organization’s classification will only be as effective as the amount of effort and priority put behind it,” according to the Gartner report. “Organizations typically underfund training and education related to data classification, resulting in poorly understood and implemented programs. Unfortunately, tools can only make up for so much of these shortcomings, especially in the initial phases when the organization has yet to achieve classification process maturity.”
Additionally, every organization has a budget it must work within, so knowing where to allocate your security funds is incredibly important to preventing a potentially devastating breach. Some funds should be dedicated to the classification process, training employees, and safeguarding the data based on its level of classification.
When assigning value to data, there are several criteria that must be taken into account. Consider the following:
• What are the penalties affiliated with a breach or loss of this data?
• What are the potential soft and hard costs associated with a breach of this data?
• What fines might be levied if this data is disclosed?
• Where payment card information (PCI) is concerned, could there be a rate increase on credit card transactions or the loss of the ability to process credit cards if this data is lost?
• Could there be civil penalties your business incurs as a result of disclosing personal information? What would be the cost of credit monitoring services for exposed clients?
• What is the loss of competitive advantage, financial opportunities, and business should trade secrets be revealed?
Now that you understand more about data classification and its importance, you can take the necessary steps to best protect your organizational information. You can incorporate the results of your data classification process into your overall security program to strengthen the protection of data, in both digital and hard copy formats. In addition, the classification process allows management to make cost-effective decisions about data security, policies, and procedures to best serve your business, its partners, and clients.
For more information about data classification and security, reach out to the experts at Dox at (585) 473-7766 or visit Dox online today.