Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources.
Knowing what data your organization collects, uses, stores, processes, and transmits and the level of security that needs to be applied to each type of data identified is critical to achieving compliance requirements and avoiding cyber threats. In this blog, we will explore the key considerations when performing data classification, the data classification levels, and how data classification is considered in the common compliance frameworks.
What is the Purpose of the Classification of Data?
Data classification is intended not only to meet compliance requirements, but also to enable the implementation of security measures that protect an organization from the ever-increasing cyber threats from across the globe. Classifying data also plays a key role in performing a risk assessment of the business. If you know how you process and store data that is classified as “restricted” or “confidential,” stronger data security controls and risk mitigation strategies can be implemented around those processes.
When assessing risk in an organization, it is important to know what data is considered sensitive in order to best identify threats and the impact of a potential breach. A few positive side effects of proper data classification include increased cost-effectiveness when assigning data security resources, meeting compliance standards, and reducing the level of severity should the organization be hacked.
What Are the Key Considerations When Classifying Data?
Compliance regulations expect an organization to be able to identify and protect against threats to prevent the disclosure of data to an unintended audience. A helpful step to achieve this objective is categorizing and assigning levels of classification to the data and information that an organization collects, processes, stores or transmits. Before we expand on the specific data classification levels themselves, here are some key considerations and questions to ask when beginning the data classification process.
- What types of data do you have? Depending on an organization’s industry, first identify the type of data the organization collects, processes, and stores. For example, organizations in the healthcare industry often handle PHI (Protected Health Information) such as patient information or medical history, whereas organizations in financial services handle cardholder data covered by PCI DSS, including card numbers, expiration dates, and other payment information. Another common type of data to consider is personally identifiable information (PII), such as social security numbers.
- Develop a data classification policy that details a data classification scheme, such as defined data classification levels (public, internal, confidential, restricted). See below for a detailed view of each classification level typically seen within an organization. It is important to note that common compliance requirements do not specify how many classification levels an organization uses, so data classification can be simplified into a scheme that works best for the organization.
- Does each piece of data have an owner? Assigning responsibility or ownership of data within an organization will help with the data classification process. Organizations often identify a Data Protection Officer or a similar position that works with Security and Compliance personnel to execute and maintain data classification.
- Who has access to the data? Knowing who within the organization can access or needs access to add, modify, or delete data will assist in both data protection and remediation efforts if gaps are identified in data security measures.
What Are the 4 Data Classification Levels?
There are four common levels of data classification that are often found in an organization’s data classification policy or standard. Below is a brief description of each level, along with relevant examples.
- Public – Public data is what the name implies: open to the public. It can be posted on an external-facing website or discussed openly with anyone. From a compliance view, data categorized as public is often general information about the organization or products that is not sensitive in nature.
- Internal – Internal data or information is considered internal only to an organization, such as policies and memos distributed amongst employees. Although this type of data may not pose a severe risk if leaked, it should still be kept somewhat protected as there is some risk if disclosed.
- Confidential – Confidential data is generally restricted to smaller teams within an organization. This data should be kept within the respective team, such as pricing information or key marketing strategies. If data that is classified as confidential is not kept secure, it could have a negative impact on the organization, such as reputational risk.
- Restricted – Restricted data is considered the most sensitive data in an organization and poses the largest risk if disclosed. Access to this level of data should be limited to individuals with a demonstrated need for it. When you think about compliance audits, most of the data security controls focus on data that should be restricted, such as PII (personally identifiable information), cardholder or payment information, health information (PHI), and intellectual property.
When Do You Need To Reclassify Data?
As an organization grows and changes, it is important to periodically review data classification measures taken to ensure that the data identified is still appropriately classified and protected. Having an annual review in place around data classification policies and standards can help identify potential gaps in security controls. It is typically a combined responsibility of the data owners and the security and compliance team to re-evaluate data classification levels and what data needs to be protected.
Compliance requirements may change by imposing more stringent data security requirements or the organization may start to offer a new service where an entirely new category of data needs to be considered and security controls implemented. Staying abreast of organizational and compliance changes will spark the need for data reclassification.
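As an added illustration of the four-level scheme and the periodic review described above, the following Python applies a constructed policy table to sample records and assigns each the highest level any of its fields requires. This is example code written for this edit, not tooling from Linford & Co or any of the frameworks named in this post; the category-to-level table, the field-name hints, the detection patterns and the sample records are all assumptions constructed for the example.

```python
from __future__ import annotations

import re
from enum import IntEnum


class Level(IntEnum):
    """The four classification levels from the post, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed policy table: the minimum level each data category requires.
CATEGORY_LEVEL = {
    "PII": Level.RESTRICTED,
    "PCI": Level.RESTRICTED,
    "PHI": Level.RESTRICTED,
    "PRICING": Level.CONFIDENTIAL,
    "STAFF_MEMO": Level.INTERNAL,
}

# Constructed field-name hints: a column name implies a category even when the
# value itself does not look sensitive (a diagnosis is PHI whatever it says).
FIELD_NAME_CATEGORY = {
    "ssn": "PII",
    "diagnosis": "PHI",
    "card_number": "PCI",
    "unit_price": "PRICING",
    "memo": "STAFF_MEMO",
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def categories_in_value(value: str) -> set[str]:
    """Content detectors: categories implied by what the value contains."""
    found: set[str] = set()
    if SSN_RE.search(value):
        found.add("PII")
    for match in CARD_RE.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            found.add("PCI")
    return found


def classify_record(record: dict[str, str]) -> tuple[Level, dict[str, set[str]]]:
    """Label a record with the highest level any of its fields requires.

    Detectors only ever raise the level. Nothing found means INTERNAL, not
    PUBLIC: deciding that data may be published is the data owner's call,
    not something a scanner can infer from the absence of matches.
    """
    per_field: dict[str, set[str]] = {}
    for name, value in record.items():
        cats = categories_in_value(str(value))
        hint = FIELD_NAME_CATEGORY.get(name.lower())
        if hint:
            cats.add(hint)
        if cats:
            per_field[name] = cats
    level = Level.INTERNAL
    for cats in per_field.values():
        level = max([level] + [CATEGORY_LEVEL[c] for c in cats])
    return level, per_field


def review_classification(record: dict[str, str], current: Level) -> tuple[Level, str]:
    """Periodic review: recompute the label and report whether it is stale.

    An upgrade is applied immediately; a computed downgrade is only reported,
    because removing protection should require the data owner's sign-off.
    """
    computed, _ = classify_record(record)
    if computed > current:
        return computed, "upgrade: new sensitive data found"
    if computed < current:
        return current, "possible downgrade: requires data owner approval"
    return current, "unchanged"


# Constructed sample records; none of the values are real.
SAMPLE_RECORDS = {
    "staff_memo": {"memo": "Parking lot closed on Friday"},
    "price_list": {"sku": "W-100", "unit_price": "42.00"},
    "patient": {"name": "A. Example", "diagnosis": "placeholder", "ssn": "123-45-6789"},
    "order_note": {"note": "Customer paid with card 4111 1111 1111 1111"},
    "lookalike": {"note": "Ticket ref 1234 5678 9012 3456"},  # fails Luhn: not PCI
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        level, fields = classify_record(record)
        print(f"{label:<11} {level.name:<13} {fields}")
    print(review_classification(SAMPLE_RECORDS["patient"], Level.INTERNAL))
```

Two design choices carry the compliance point of this section. First, the scanner never assigns Public: a record with no detected sensitive data defaults to Internal, and promoting anything to Public stays an explicit owner decision. Second, the review routine mirrors the reclassification process described above: a stricter result is applied at once, while a looser result is only flagged for the data owner and the security and compliance team to approve. The Luhn check shows why pattern matching alone is not enough; the "lookalike" record contains a sixteen-digit number that is not a valid card number and so is correctly left at Internal.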
Data Classification and Regulatory Compliance
Creating and maintaining a data classification standard within an organization is critical to data security and meeting compliance requirements. A few of the common compliance requirements below emphasize the security, integrity, and availability of data within an organization.
- HIPAA – Identifying ePHI and health-related information that is processed or stored by an organization helps prioritize the controls that need to be implemented to secure the data.
- SOC 2 – To protect client data that an organization processes and stores as part of their services provided, data classification is key to meeting the Trust Services Criteria – Security, Availability, Confidentiality, Processing Integrity, and Privacy.
- NIST – When applying the NIST framework, data classification helps satisfy the requirements to categorize information and information systems into security groups and assess impact.
- GDPR – Performing data classification is an important due diligence step that makes identifying personal data and the required Data Protection Impact Assessment (DPIA) easier.
- PCI DSS – In order to protect cardholder data, identifying how sensitive certain data elements are is key in meeting PCI-related requirements.
I hope this blog helped you understand the importance of data classification and the benefits of implementing a data classification standard. It can be an arduous task, but a critical step in protecting data and satisfying compliance requirements. If you would like to discuss your compliance needs and how we at Linford & Co can help, please contact us or visit our compliance audit pages below:
Natalie Munro specializes in SOC examinations for Linford & Co., LLP, and is currently a manager with the firm. She started her career with Ernst & Young’s Risk Assurance group in 2014 after completing her Masters of Accountancy from the University of Georgia. Natalie’s experience includes internal and external audits across multiple industries. She enjoys learning each client’s processes to help them meet their customer’s needs as well as fulfill regulatory requirements.