One of the foundational elements of an information security program is a formal data classification scheme and adherence to it. Yet many organisations, even those that profess a commitment to protecting company and customer information, fail to implement one.
What is Data Classification?
Data classification is a simple concept: a scheme by which the organization assigns a level of sensitivity to each piece of information that it owns or maintains.
The most widely recognized data classification scheme is the one used by governments, which assign classifications such as:
- Top secret
When a document, letter, email, memo or other piece of information is created, its owner assigns it a classification level, which, among other things, defines the security clearance an individual must hold to access that information.
Similarly, in business, organizations adopt data classification schemes to define the levels of confidentiality that are required for each piece of information created or maintained by the organisation. A corporate data classification scheme might comprise information classifications such as:
- Company confidential
Such a scheme greatly facilitates data security because it instantly identifies and communicates both the level of protection a piece of data requires and the audience that may view it. For example, a document tagged "company confidential" is immediately recognised as not to be released outside the company, and access to it is limited to a defined group.
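As an added illustration of how a classification label turns into an enforceable decision (example code written for this page, not taken from the article), the following Python models a small corporate scheme: a subject may read a document only if its clearance is at or above the document's level and it belongs to any need-to-know group the owner set, non-employees may read only public material, and each level maps to a minimum control set. The level names other than "company confidential", the group names, the control mapping and the sample documents and people are all assumptions made for the example.

```python
"""Hypothetical label-based access check for a corporate data classification
scheme.  Level names (except CONFIDENTIAL), group names, the control mapping
and all sample data are assumptions for this example, not from the article."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels; a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # "company confidential": must not leave the company
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    owner: str
    # Optional need-to-know group; an empty set means "anyone cleared for the level".
    audience: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    groups: frozenset = field(default_factory=frozenset)
    employee: bool = True


def can_read(subject: Subject, doc: Document) -> bool:
    """Return True if the subject may read the document.

    Rules: (1) nothing above PUBLIC is released outside the company, whatever
    clearance an outsider nominally holds; (2) clearance must dominate the
    document's level (no read-up); (3) if the owner restricted the audience,
    the subject must be in at least one of those groups."""
    if not subject.employee and doc.level > Level.PUBLIC:
        return False
    if subject.clearance < doc.level:
        return False
    if doc.audience and not (subject.groups & doc.audience):
        return False
    return True


def required_controls(level: Level) -> set:
    """Minimum control set per level (assumed mapping).  Controls accumulate
    with sensitivity, so public data is not burdened with confidential-level
    restrictions and confidential data is not left with public-level ones."""
    controls = {"access_logging"}
    if level >= Level.INTERNAL:
        controls.add("authentication")
    if level >= Level.CONFIDENTIAL:
        controls |= {"encryption_at_rest", "no_external_sharing"}
    if level >= Level.RESTRICTED:
        controls |= {"mfa", "need_to_know_group"}
    return controls


def aggregate_level(docs) -> Level:
    """Label for a container (e.g. an email with attachments): the highest
    level of any part, so bundling cannot downgrade sensitivity (assumed rule)."""
    return max((d.level for d in docs), default=Level.PUBLIC)


# --- constructed sample data for a stand-alone run -----------------------------
PLAN = Document("q3-plan.docx", Level.CONFIDENTIAL, "cfo", frozenset({"finance"}))
PRESS = Document("press-release.txt", Level.PUBLIC, "pr")
ALICE = Subject("alice", Level.CONFIDENTIAL, frozenset({"finance"}))
BOB = Subject("bob", Level.INTERNAL)
CAROL = Subject("carol", Level.RESTRICTED, frozenset({"finance"}), employee=False)


def readers(doc: Document, subjects) -> list:
    """Names of subjects allowed to read doc; handy for an access review."""
    return [s.name for s in subjects if can_read(s, doc)]


if __name__ == "__main__":
    for doc in (PLAN, PRESS):
        print(doc.name, doc.level.name, "readers:", readers(doc, (ALICE, BOB, CAROL)))
        print("  controls:", sorted(required_controls(doc.level)))
    print("email with both attached:", aggregate_level([PLAN, PRESS]).name)
```

Carol is the instructive case: her nominal clearance exceeds the document's level, but because she is not an employee the "company confidential" tag alone is enough to refuse release. Bob is refused for the opposite reason, insufficient clearance, and the control sets show why uniform handling is wasteful: the press release needs only logging, while the plan needs encryption and an external-sharing block.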
Without a data classification scheme, an organisation treats all information the same. This increases the probability that sensitive data will lack adequate security controls, raising the risk that it is compromised. It also means that less sensitive data will carry more controls than necessary, imposing needless restrictions and reducing efficiency for operational personnel.