TL;DR: A data classification policy categorizes your company’s information according to the risk its exposure poses to your organization. This article will cover three essential categories you need to include and outline the steps you can take to implement these policies. Effective information classification improves operations, saves money, and prepares you to meet compliance requirements. And it’s just good security hygiene. Want to learn more? Read on.
What Is a Data Classification Policy?
A data classification policy categorizes your company’s information according to the risk its exposure poses to your organization. Through this policy, you will define how company data should be classified based on sensitivity and then create security policies appropriate to each class.
Data classification generally includes three categories: Confidential, Internal, and Public data. Limiting your policy to a few simple types will make it easier to classify all of the information your organization holds so you can focus resources on protecting your most critical information.
Benefits of Data Classification
When thinking about securing your company’s systems and information, it’s easy to approach it from strictly a technical point of view. You might be worried about things like making sure systems are protected with antivirus, that you have an effective firewall protecting your network perimeter, and that your data is backed up.
But you also need to ask what kind of protections you are wrapping around the day-to-day handling of the data itself. How would you know if a piece of information was appropriate only for internal use or acceptable to share on the company’s public website?
A well-thought-out information classification policy can help you answer these questions and more. Notable benefits include:
- Clarity. Data classification helps teams understand what information exists within the organization, where data is stored, and how to access it. Classification is an essential step when developing the rules, processes, and procedures you will use to protect sensitive information.
- Compliance. Promote a culture of compliance at your organization with a clear strategy for data governance. Categorizing your data according to sensitivity will help you protect your confidential and classified information. It will also help your organization meet regulatory requirements, avoid penalties, and guard against mistakes that could harm your reputation.
- Savings. You can use data classification to focus controls on truly critical information: you do not need to treat your catered lunch menu with the same controls as your credit card data. This targeted approach helps you make smarter choices when investing in security controls, which in turn saves you money.
How to Classify Your Data
There are generally three classes of data, determined by sensitivity:
Confidential data
Consider confidential data to be your company’s crown jewels. If it were to get out of your hands, this information could cause severe reputational and financial harm to your organization. Confidential information includes virtually anything that provides your business with a strategic advantage. Companies often use Confidential data as the focal point for building out the rest of their administrative, physical, and technical controls.
Internal data
Internal data is information that would cause moderate risk or harm to the company if it were leaked. This includes sensitive credentials and other secrets as well as corporate policies and other guidelines.
Public data
Public data is any information included on (or intended for) your corporate website. Essentially, there is no consequence if Public data is leaked because it’s already meant for the public.
Some organizations might create a fourth category called “Restricted” for credit card information, IP, PHI, etc., and apply the “Confidential” label to information that could affect operations (such as vendor contracts and employee reviews).
Regardless of what category scheme you choose, aim to keep it simple to make category decisions as straightforward as possible for your data classification policy. Creating too many options will ultimately frustrate your users and increase the risk of information being labeled inappropriately.
How to Implement a Data Classification Policy
Once your classification scheme is defined, begin applying it to some internal data.
One easy place to start is your company handbook or binder of policies. Edit your guidelines to include a visible “Internal” label. Continue sifting through other company documentation, and make sure you have labeled some examples of each classification type. Data labeling tools can be useful at this stage.
Next, develop a few training modules to help existing employees learn how to classify data and handle each type of data class. Document this training and offer it to your future hires as well.
As you gain momentum in this process, you will likely find some information easy to categorize. Other classification decisions may need to involve other business units such as your legal and security teams.
These questions can help guide the process:
- Where is this data located?
- Who is responsible for backing it up and enforcing access permissions?
- Who can speak to the sensitivity of the data?
- What department budgets for the expenses associated with collecting, storing, and processing the information?
To make this effort easier for everyone involved, leverage tools to help automate and streamline the classification process. These tools typically analyze and categorize data based on predetermined parameters and quickly process large data sets. You can also add your own rules to classify data based on sensitivity. Start by taking an inventory of your data so you know where it lives and how sensitive it is, and then label it to ensure proper handling.
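As an added example (not code from the article or from StrongDM), the labeler below applies the article's three classes to a constructed document inventory: an explicit classification header wins, credential-like strings map to Internal as the article places them, Luhn-valid card numbers map to Confidential, and unlabeled documents that match no rule fall to Internal as an assumed conservative default. The header format, the regex patterns and the sample documents are all assumptions.

```python
import re

# The article's three classes, ordered from least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential"]

# An explicit label in the document wins (the visible "Internal" marker the article
# suggests adding to the handbook). This header format is an assumption.
LABEL_RE = re.compile(r"^\s*Classification:\s*(Public|Internal|Confidential)\s*$", re.I | re.M)
# Credentials and other secrets are Internal data in the article's scheme.
SECRET_RE = re.compile(r"(?i)(password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+")
# 13-19 digits with optional spaces/dashes; a Luhn check cuts false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def has_card_number(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def classify(text: str, default: str = "Internal") -> str:
    # Explicit label wins; else the most sensitive rule hit; else a conservative default.
    m = LABEL_RE.search(text)
    if m:
        return m.group(1).capitalize()
    hits = []
    if SECRET_RE.search(text):
        hits.append("Internal")
    if has_card_number(text):  # Confidential here; "Restricted" if you use a 4th class
        hits.append("Confidential")
    return max(hits, key=LEVELS.index) if hits else default

def label_inventory(docs: dict) -> dict:
    return {path: classify(text) for path, text in docs.items()}

# Constructed sample inventory standing in for a scan of file shares or repos.
SAMPLE_DOCS = {
    "handbook.md": "Classification: Internal\nPTO policy and expense rules.",
    "press-release.txt": "Classification: Public\nAnnouncing our new office.",
    "deploy-notes.txt": "Set DB_PASSWORD=hunter2 on the staging host.",
    "refunds.csv": "order,card\n1001,4111 1111 1111 1111",
    "lunch-menu.txt": "Tuesday: tacos. Thursday: pizza.",
}
```

Run `label_inventory(SAMPLE_DOCS)` to get a path-to-label map you can feed into the yearly review described next; swap the rules for your own classification criteria.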
Once the classification efforts are complete, review them yearly to certify they are still accurate. And remember to update your procedures for handling data sets if you change their classification. A SOC 2 data classification policy is critical as you build proper data security practices.
Don’t let SOC 2 ruin your life! Check out Comply, an open-source repo for resource management and pre-authored policies.
And if you need help managing and tracking access to infrastructure, contact StrongDM for a free, no BS demo today.
About the Author
Brian Johnson, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.
Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.