There are numerous steps to developing an effective cybersecurity program. From building out the appropriate security controls to maintaining compliance with specific industry regulations, developing a plan for protecting your data requires a comprehensive understanding of a number of important security processes.

Data classification is a critical enabling process that many companies sidestep. As a result, their security program can, at best, waste precious resources and, at worst, fail to protect the organization’s data “crown jewels.”

Why Data Classification is Important

When you think about security, the value of an asset directly impacts how hard you work to protect it. For example, you don’t lock your refrigerator to keep a house guest or repair technician from stealing your food. It’s relatively inexpensive and easy to replace. But, you might keep your valuables and family heirlooms in a safe because they’re irreplaceable.

The same concept is true for your data. Until you know what types of data you have, how important it is, and where it lives within your organization, it is difficult to design the appropriate security measures. One organization will likely have different data and asset protection priorities than another, depending on its industry and regulatory obligations.

What types of data do we have? Where does the data live? Do we have the appropriate security systems in place? These are all important questions that can only be answered when you take the time for data classification.

5 Steps for Data Classification

Here are five steps an organization should take when it comes to data classification:

Step 1: Conduct a workflow analysis of your data (discovery).

Data discovery and classification doesn’t start with the IT department. It starts with the people on the front line. This allows you to understand what data is coming in and what data is leaving. Identifying the various types of data allows you to map out a workflow that will expose potential points of weakness or vulnerability and get you thinking about how it should be protected.

Step 2: Map your data to the systems in place for protecting it.

Once you’ve identified all the data, the next step is to map it to the systems that are used to intake, process, and disseminate that data. This is where IT begins to identify all the various systems where data is stored. It’s important to consider: Are your systems internal? Are they hosted by a third party? Are they located offshore?

Step 3: Trust but verify.

When it comes to data classification, most people stop after step 2. But, one of the things we’ve learned after working with hundreds of organizations is that it’s also important to trust but verify. By conducting automated network-based scans to look for sensitive data, you’re able to verify that you didn’t miss anything. This is crucial for making sure you don’t unknowingly put yourself at risk of breaking industry regulations such as HIPAA, PCI, GDPR, etc.

Step 4: Classify your data based on its security needs.

Once you’ve got a handle on all of your data, it’s time to classify it. Back to our home security analogy—it is important to classify your data based on its value.

For many organizations, three classification buckets are a good starting point. There’s a lot of data that won’t need a high level of security (e.g. public data). You’ll also have internal data that might not be regulated but is sensitive (e.g. financial data, business plans, R&D, etc.). Then, you’ll also have highly sensitive or protected data (e.g. confidential information subject to regulatory penalties).

Step 5: Develop policies for protecting your data.

Once you’ve identified all the various types of data, it’s important to understand your regulatory obligations for protecting them. This might mean pulling in your legal team or a third-party partner to identify data access that should be allowed, restricted, or denied. Knowing your specific industry regulations is important for making sure you’re classifying data in the appropriate categories. While some organizations might classify their data into five or six tiers, the key is building a structure that works for you and lets you build your security program around data security.

At this point, it’s time to get formal about the different protection levels you are going to require for each classification of data. This is your Data Classification Policy, and it becomes a critical guide for the IT and security teams when developing access controls, network segmentation, encryption, and a host of other security controls that will support the confidentiality, integrity, and availability of the information.
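To make steps 3 through 5 concrete, here is an added example of a small discovery-and-classification pass. It is illustrative code written for this article, not part of the original post and not LBMC’s or BALLAST’s tooling. It scans a handful of constructed sample records (standing in for files a network scan would find) for patterns that commonly indicate regulated data, assigns each record one of the three tiers described above, and looks up the controls a classification policy would require for that tier. The regexes, keyword lists, and the policy-to-control map are assumptions chosen for illustration, not a complete rule set.

```python
"""Toy data-discovery and classification pass (added example, not the article's
or any vendor's code). Finds likely payment card numbers (validated with the
Luhn check), US-style SSNs and a few health-record keywords, assigns one of
three tiers (public / internal / confidential), and maps each tier to the
controls an illustrative Data Classification Policy would require."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records standing in for files discovered by a scan.
SAMPLE_RECORDS = {
    "press-release.txt": "Acme Corp announces its new widget line, available in stores nationwide.",
    "q3-forecast.xlsx": "INTERNAL: Q3 revenue forecast and 2025 business plan, do not distribute.",
    "patient-intake.csv": "name,dob,diagnosis\nJane Doe,1980-02-14,Type 2 diabetes",
    "orders-export.csv": "order,card\n1001,4111 1111 1111 1111",
    "hr-notes.txt": "Employee SSN on file: 123-45-6789",
    "lucky-numbers.txt": "My lucky number is 1234 5678 9012 3456",
}

TIERS = ("public", "internal", "confidential")

# Assumed policy: which controls each tier requires (illustrative values only).
POLICY_CONTROLS = {
    "public": {"access": "anyone", "encryption_at_rest": False, "segment": "dmz"},
    "internal": {"access": "employees", "encryption_at_rest": True, "segment": "corp"},
    "confidential": {"access": "need-to-know", "encryption_at_rest": True, "segment": "restricted"},
}

# Assumed detection patterns; a real scanner would carry many more.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
HEALTH_TERMS = ("diagnosis", "patient", "prescription")
INTERNAL_TERMS = ("internal", "business plan", "forecast", "do not distribute")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    record: str
    tier: str
    reasons: list[str]
    controls: dict


def classify(text: str) -> tuple[str, list[str]]:
    """Return (tier, reasons) for one record's content."""
    reasons: list[str] = []
    lowered = text.lower()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            reasons.append("payment card number (PCI)")
            break
    if SSN_RE.search(text):
        reasons.append("SSN")
    if any(t in lowered for t in HEALTH_TERMS):
        reasons.append("health record (HIPAA)")
    if reasons:                                   # any regulated hit -> top tier
        return "confidential", reasons
    if any(t in lowered for t in INTERNAL_TERMS):
        return "internal", ["internal-only marker"]
    return "public", []


def scan(records: dict[str, str]) -> list[Finding]:
    """Classify every record and attach the controls its tier requires."""
    return [Finding(name, *classify(text), POLICY_CONTROLS[classify(text)[0]])
            for name, text in records.items()]


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group record names by tier, sorted for stable reporting."""
    return {t: sorted(f.record for f in findings if f.tier == t) for t in TIERS}


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.record:20} {f.tier:13} {', '.join(f.reasons) or '-':30} {f.controls}")
```

Note the `lucky-numbers.txt` record: it contains a 16-digit run that a naive regex would flag, but it fails the Luhn check and lands in the public tier. That is the "verify" half of step 3 in miniature: a pattern hit is a lead, not a classification, and some cheap validation keeps the scan from burying real findings under false positives.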

Don’t Ignore Data Classification

On the surface, data identification and classification might seem like an unnecessary drain on already stretched resources—after all, we know we have sensitive information, we just make sure we protect everything. Well, do you truly need a lock on your refrigerator? Is it possible you forgot about those diamond earrings in your dresser that your aunt loaned you?

Once you’re armed with the appropriate classifications, you can start building out your security controls to make sure you’re not over-protecting or under-protecting. This is where BALLAST comes in to help you identify whether or not you have the appropriate controls in place to protect your data.

Whether you’re looking to maintain compliance with your specific industry regulations or the new GDPR framework, here’s the bottom line: Effectively protecting your data requires classifying all information in your system. Contact us today to learn more!

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.