Data is the basic component of an information system. It includes the intellectual property of a company, staff information and records of customer transactions. Data coming into an organisation is processed to facilitate the business operation.
Advising on the need to classify data requires a clear understanding of the risk associated with the exposure of each type of information.
It is normal to choose three classifications of data. There is public data such as the company’s history, news releases and published plans. Employee data is information that should stay within the company and not be exposed to the public. An example of this is a company strategy before it is announced to the public. Secret data is confined to certain sections of a company such as finance, research and HR.
These classifications come with different names and are not standardised across the industry. In each company one can find a customised data classification schema and different system configurations to support the levels of protection applied to each designation.
There are laws and standards that mandate the protection of customer data. These laws can be used to help decide what protection should be used for what type of data. A classification based on legislation can be more useful than one based on a subjective appraisal of what a piece of data is worth.
The Data Protection Act (DPA) and Payment Card Industry Data Security Standard (PCI DSS) are two relevant examples. The DPA states what type of customer information should be kept from public exposure. Any data that can be used to identify a person should not be given out without consent. PCI DSS stipulates that cardholder data must be protected and gives very good prescriptions on how to achieve the required level of security.
A good starting point for classifying data takes into account what laws and standards govern the data taken in by the company and also what data the company considers proprietary. In looking at the latter it is important to consider the triad of Confidentiality, Integrity and Availability.
That triad can help a company classify a piece of data and decide what measures will be used to protect it. The use of encryption for stored data or data in transit will obviously be considered for Confidentiality. There are other methods to provide assurance of Integrity, such as digital signatures, and for Availability, such as protection of servers from attack and disaster.
The classification of data helps a company decide what resources to allocate to the protection of its information. There is the customary three-level approach which can be difficult to implement because it is subjective and it does not always address the requirements of legislation. This method is more suited to the intellectual property of a company.
Using the laws and standards to classify customer information is more useful because the legislation is aimed at the protection of customers and because the penalties can be quantified. This makes it easier to calculate a justifiable level of spending to achieve compliance.
The post on data protection and data classification is good and informative. The classification of data helps a company decide what resources to allocate to the protection of its information.
Posted by: data classification | 2010.04.06 at 10:16
This is very helpful. I am better equipped now with your useful info. Kudos to you!
Posted by: Security Guard Articles | 2010.11.03 at 05:08
Obviously data is a component for any type of information. DPA states what type of customer information should be kept from public exposure. Any data that can be used to identify a person should not be given out without consent. This provides enough information on data classification.
Posted by: drupal website developers | 2011.05.04 at 11:28
This is a very informative and good post.
Posted by: backstreet boys tickets | 2011.06.23 at 08:16
Hi, thank you for sharing this great info. Was just browsing through the net in my office and happened upon your blog. It is really very well written and quite comprehensive in explaining with a very simple language.
Posted by: kamagra | 2011.08.18 at 00:28
Thanks for sharing such great information about data classification. This blog provides enough knowledge about data classification.
Posted by: בוקיפר | 2011.09.13 at 19:44
I like your way of classifying the data. It's a really great technique for data classification.
Posted by: שיווק באינטרנט | 2011.09.22 at 17:22
Glad to read about the different sets of data classification and how companies handle the security of each of them...
Posted by: Security guard | 2011.09.25 at 01:39