Data Classification - Understanding the Basics

In the ever-expanding world of PCI DSS, and the emerging GDPR world, data classification is a concern that is often left unattended. Organizations who work with Compass IT often find the value in tagging data that together we deem valuable if manipulated, stolen or destroyed. Organizations that implement such data classifications can confidently control the data through access rights given to specific individuals for example. Given the large amount of data an organization can generate, data classification gives the entity another layer of security when it comes to cyber-security.

The first step towards classifying an organization’s data is forming a policy for data classification that will give clear goals for the IT department, should they be tasked with implementing the classification of data. Establishing management’s consent and clearly articulating the organization’s vision and the security that this policy will bring will allow the management team to educate their end-users and keep them up to date with the ever-evolving world of cyber-security.

Establishing a policy will allow for a procedure to be implemented to begin this process of identifying data that is deemed in need of classification to begin with. Often a good starting point for digging into the classification of an organization’s data is a review of the data they are currently backing up. Doing this will often allow a bit of a deeper dive into what is in store. Anywhere you search, the first of data classification is to define what data is to be classified, and where does it live? This “where” part is especially sticky for organizations who host their data in the cloud, but that is an entirely different blog to cover. As it pertains to PCI, are you holding credit card information, and for GDPR are you holding any personal information that is applicable?

The classification process itself is for the most part two-fold:

1. An organization’s data owner takes the role of managing this process themselves, which is time-consuming but kept in-house and secure.

2. Many organizations implement many tools that are automated and easily managed. This option, while initially expensive, can be more scalable than the aforementioned hands-on approach. Once this large undertaking is near completion you can begin the process of, who and how much access should be granted based on a user’s role and responsibilities.

Data classification is essential for organization’s in their overall information security program. You must identify what data you have, where that data lives, and then who has access to it. It is very difficult for you to protect data that you don’t know how sensitive it is, where it resides, and who has access to it. But, by starting this process, you can develop an information security program that looks at the full picture when it comes to your data!

If you are looking where to start or need some assistance, a great first step might be to conduct a risk assessment to identify what data you have and where it resides. From there, you can determine what level of risk is present in your organization and the steps that you can take to mitigate your risk. Contact us to discuss your specific situation and learn how we have helped other organizations classify their data, develop a program to keep that data safe, and mitigate their risk of a breach!