Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources.
What Is Data Classification & Why Is it Important?
Knowing what data your organization collects, uses, stores, processes, and transmits and the level of security that needs to be applied to each type of data identified is critical to achieving compliance requirements and avoiding cyber threats. In this blog, we will explore the key considerations when performing data classification, the data classification levels, and how data classification is considered in the common compliance frameworks.
What Is the Purpose of the Classification of Data?
Data classification is intended to not only meet compliance requirements, but also to enable the implementation of security measures to protect an organization from the ever-increasing cyber threats from across the globe. Classifying data also plays a key role in performing a risk assessment of the business. If you know how you process and store data that is classified as “restricted” or “confidential,” stronger data security controls and risk mitigation strategies can be implemented around those processes.
When assessing risk in an organization, it is important to know what data is considered sensitive in order to best identify threats and the impact of a potential breach. A few positive side effects of proper data classification include increased cost-effectiveness when assigning data security resources, meeting compliance standards, and reducing the level of severity should the organization be hacked.
What are the Main Objectives of the Classification of Data?
Compliance regulations expect an organization to be able to identify and protect against threats to prevent the disclosure of data to an unintended audience. A helpful step to achieve this objective is categorizing and assigning levels of classification to the data and information that an organization collects, processes, stores, or transmits.
How Do You Choose a Classification Level?
To get started, there are some key considerations and questions to ask when beginning the data classification process, as outlined below.
- What types of data does your organization collect, process, and store? What types of confidential data are included in that inventory? This is likely going to depend on the industry your organization operates in and/or the industries your clients operate in. For example, organizations in the healthcare industry often handle PHI (Protected Health Information), such as patient information or medical history, whereas organizations in financial services handle cardholder data (PCI), including card numbers, expiration, and other payment information. Another common type of data to consider is personally identifiable information (PII), such as social security numbers. Check out our article to learn more about the differences between PII, PHI, and PCI.
- How does data flow within your environment? What inbound and external data transfers exist to move data into and out of the environment, and where is data stored?
- Does each piece of data have an owner? Assigning responsibility or ownership of data within an organization will help with the data classification process. Oftentimes times organizations identify a Data Protection Officer or a similar position that works with Security and Compliance personnel to execute and maintain data classification.
- Who has access to the data? Knowing who within the organization can access or needs access to add, modify, or delete data will assist in both data protection and remediation efforts if gaps are identified in data security measures.
From there, a data classification policy can be developed that includes a data classification scheme, such as defined data classification levels (public, internal, confidential, restricted) based on the information you gathered. It is important to note that most compliance standards and requirements are not prescriptive in specifying the information classification levels that an organization should use, so your organization’s data management strategy can be tailored in a way that best supports the organization.
What Are the Four Levels (or Types) of Data Classification?
There are four commonly accepted levels of data classification that organizations tend to use when developing a data classification policy or standard. Below is a brief description of each level, along with relevant examples.
- Public – Public data is what the name implies, open to the public. It can be posted on an external-facing website or discussed openly with anyone. From a compliance view, data categorized as public is often general information about the organization or products that is not sensitive in nature.
- Internal – Internal data or information is considered internal only to an organization, such as policies and memos distributed amongst employees. Although this type of data may not pose a severe risk if leaked, it should still be kept somewhat protected as there is some risk if disclosed.
- Confidential – Confidential data is generally restricted to smaller teams within an organization. This data should be kept within the respective team, such as pricing information or key marketing strategies. If data that is classified as confidential is not kept secure, it could have a negative impact on the organization, such as reputational risk.
- Restricted – Restricted data is considered the most sensitive data in an organization and poses the largest risk if disclosed. This level of data should be limited to a handful of individuals who are authorized to have access to such data in support of their direct job function/responsibilities. When you think about confidential vs. restricted data and compliance audits, most of the data security controls (such as detective controls or preventive controls) focus on data that should be restricted, such as PII (personally identifiable information), cardholder or payment information, health information (PHI), and intellectual property.
When Do You Need To Reclassify Data?
As an organization grows and changes, it is important to periodically review data classification measures taken to ensure that the data identified is still appropriately classified and protected. Having an annual review in place around data classification policies and standards can help identify potential gaps in security controls. It is typically a combined responsibility of the data owners and the security and compliance team to re-evaluate data classification levels and what data needs to be protected.
Compliance requirements may change by imposing more stringent data security requirements or the organization may start to offer a new service where an entirely new category of data needs to be considered and security controls implemented. Staying abreast of organizational and compliance changes will spark the need for data reclassification.
Benefits of Data Classification & Regulatory Compliance
Often we are asked “What is a data classification framework?”, and “What are the benefits of the classification of data?” First, a framework can be useful because it can provide the structure and guardrails that support an organization in determining the appropriate level of control. Further, creating and maintaining a data classification standard can benefit an organization by addressing regulatory and compliance requirements. A few of the common compliance requirements below include data classification standards that define controls around the security, integrity, and availability of data within an organization.
- HIPAA – Identifying ePHI and health-related information that is processed or stored by an organization helps prioritize the controls that need to be implemented to secure the data. Learn more about the scope of HIPAA compliance.
- SOC 2 – To protect client data that an organization processes and stores as part of the services provided, data classification is key to meeting the Trust Services Criteria – Security, Availability, Confidentiality, Processing Integrity, and Privacy.
- NIST – When applying the NIST framework, data classification helps satisfy the requirements to categorize information and information systems into security groups and assess impact.
- GDPR – Performing data classification is an important due diligence step that makes identifying personal data and the required Data Protection Impact Assessment (DPIA) easier.
- PCI DSS – In order to protect cardholder data, identifying how sensitive certain data elements are is key in meeting PCI-related requirements.
Selecting a compliance standard that aligns with your organization’s objectives and requirements enables policy and control development based on the criteria defined within the framework.
Summary
I hope this blog helped you understand the importance of data classification and the benefits of implementing a data classification standard. It can be an arduous task, but is a critical step in protecting data and satisfying compliance requirements. If you would like to discuss your compliance needs and how Linford & Co can help, please contact us or visit our audit service pages below:
- HIPAA Audits
- SOC 1 Audits
- SOC 2 Audits
- FedRAMP Compliance Certification
- HITRUST Assessment & Certification
This article was originally published on 5/18/2021 and was updated on 8/30/2023.
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.