Data Classification: Start Here!

About the Anatomy of a Cybersecurity Program Series

In this blog series, I will be walking you through many of the specific controls that fall into the domains mentioned above. My goal is to give you some insight into the issues and potential remedies we encounter daily while performing these assessments. Please use the suggestions to improve the posture of your own organization. No solution, remediation or mitigating countermeasure is one-size-fits-all; however, I will do my best to present the information from a generic enough standpoint that you should be able to find value in it even if a given control is not relevant to your environment.

Updated March 05, 2019


Our Enterprise Security Risk and NIST CSF Assessments often reveal that organizations overlook, or simply give lip service to, this critical aspect of cyber security. A complete and comprehensive Data Classification Program is a direct or implied requirement of many compliance directives (HIPAA, PCI-DSS, FISMA, NIST SP 800-53, etc.) and is a critical part of most security and governance frameworks, including the NIST Cybersecurity Framework (NIST CSF) and COBIT 5/9/2019.

We regularly hear “We treat everything as the same” and “We regard all data as the highest sensitivity.” Really?  If this were the case, that would mean that everyone would have access to company executive salary and bonus information, and everyone would be able to access company financial records and proprietary information. As you can probably tell, while most organizations may not formally recognize the process, they do in fact have some form of Data Classification in place.

Data at each classification level will need to be treated differently, or you will never be able to effectively meet compliance requirements while maintaining a business-justified budget. For example, let's imagine you are required to log all creation, access, modification, movement and destruction of a certain type of data in your network (ePHI, credit card data, etc.). If your organization classifies all data the same, then you must set up logging and alerting every time anyone accesses a corporate template document or creates and saves a document anywhere on the network, including on a local PC. In this example, your security logs just became useless due to the sheer number of entries, and the storage requirements are beyond imagination.

Let's also consider another example: geofencing. Many organizations use it to meet GDPR requirements or to limit potential exposure. In this instance, if all data were classified and treated the same, every piece of information created in Europe could not be opened anywhere outside of Europe for any reason, regardless of whether it contained GDPR-restricted data. As you can imagine, this could severely impact business operations for organizations that operate across international borders outside of the EU.

A data classification program should be your first step in building a Cybersecurity Program. Classifying data is the process of categorizing data assets into nominal categories according to their sensitivity. For example, data might be classified as public, internal, confidential, restricted, regulatory, or top secret.

Data and information assets are classified according to the risk of unauthorized disclosure (e.g., being lost or stolen, inadvertently or nefariously). High-risk data, typically classified "Confidential," requires a greater level of protection, while lower-risk data requires proportionately less protection.

Large data stores, such as databases, tables, or files carry an increased risk, since a single event could result in a large data breach. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.

The following table is an EXAMPLE of a Data Classification Table (columns: Data Class, Sensitivity Level, Sample Data Types):

Data Classification Sample

Protection Level 03 (Sensitivity Level: Extreme)
• ePHI/PHI
• Intellectual Property
• Company Financial
• GDPR Data
• Master Password Files

Protection Level 02 (Sensitivity Level: High)
• Security Logs
• Firewall Configuration
• Router/Switch Configurations
• Employee Social Security number
• Driver's license number, State identification number
• Financial account numbers, Company credit or debit card numbers and financial account security codes, access codes, or passwords
• Employee health insurance information

Protection Level 01 (Sensitivity Level: Moderate)
• HIPAA BAAs
• Internal IP Address
• VLAN Information
• Company Policies
• Personnel Roster
• Org Charts
• Customer Contact Lists
• Company and Customer Phone Posters

Protection Level 00 (Sensitivity Level: None)
• Open Jobs
• Public Company History
• Associate Physicians
• Published Research
• Specialty Research Areas
• Service Locations
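Two of the points above are mechanical enough to show in code: the "most sensitive element sets the level of the whole collection" rule, and the idea that handling controls (such as access logging or geofencing) are keyed to the resulting level rather than applied to everything. The following Python is an added example written for this post, not a tool from Spohn or from any framework the post cites. It uses the protection levels of the sample table, a small set of content detectors (SSN format, Luhn-valid card numbers, private IP addresses), and an assumed data-owner schema declaration for PHI fields; the handling thresholds in handling_for and all sample records are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Protection levels taken from the sample table above (higher = more sensitive).
PL00, PL01, PL02, PL03 = 0, 1, 2, 3
LEVEL_NAMES = {PL00: "None", PL01: "Moderate", PL02: "High", PL03: "Extreme"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_ssn(value: str) -> bool:
    return re.fullmatch(r"\d{3}-\d{2}-\d{4}", value) is not None


def looks_like_card_number(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def looks_like_internal_ip(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


# Content detectors mapped to the table's levels: SSNs and card numbers are
# Protection Level 02, internal IP addresses are Protection Level 01.
CONTENT_DETECTORS = [
    (PL02, looks_like_ssn),
    (PL02, looks_like_card_number),
    (PL01, looks_like_internal_ip),
]


def classify_element(field: str, value: object, declared: Dict[str, int]) -> int:
    """Level of one element: the data owner's declared level for the field,
    raised by anything the content detectors find in the value."""
    level = declared.get(field, PL00)
    text = str(value)
    for detector_level, detector in CONTENT_DETECTORS:
        if detector(text):
            level = max(level, detector_level)
    return level


def classify_collection(records: List[dict], declared: Optional[Dict[str, int]] = None) -> int:
    """High-water mark: the most sensitive element sets the whole collection's level."""
    declared = declared or {}
    return max(
        (classify_element(k, v, declared) for record in records for k, v in record.items()),
        default=PL00,
    )


def handling_for(level: int) -> Dict[str, bool]:
    """Illustrative handling rules keyed to level. The thresholds are an
    assumption for this example, not a rule from the post: only High and
    Extreme data gets full access logging, only Extreme data is geofenced."""
    return {
        "access_logging": level >= PL02,
        "geofence": level >= PL03,
    }


# Constructed sample collections; every value is invented test data.
PERSONNEL_ROSTER = [
    {"name": "A. Example", "desk_phone": "555-0100", "workstation_ip": "10.20.30.40"},
]
PAYROLL_EXPORT = [
    {"name": "A. Example", "ssn": "123-45-6789", "corp_card": "4111 1111 1111 1111"},
]
CLINIC_VISITS = [
    {"name": "A. Example", "visit_date": "2019-03-05", "diagnosis_code": "Z00.0"},
]
JOB_POSTINGS = [
    {"title": "Security Analyst", "location": "Austin"},
]
# Field-level declarations supplied by the data owner (assumed schema):
# diagnosis codes are PHI, so that field is declared Protection Level 03.
DECLARED_LEVELS = {"diagnosis_code": PL03}


if __name__ == "__main__":
    for label, coll in [("roster", PERSONNEL_ROSTER), ("payroll", PAYROLL_EXPORT),
                        ("clinic", CLINIC_VISITS), ("jobs", JOB_POSTINGS)]:
        lvl = classify_collection(coll, DECLARED_LEVELS)
        print(f"{label}: Protection Level {lvl:02d} ({LEVEL_NAMES[lvl]}) -> {handling_for(lvl)}")
```

Run as a script it prints one line per collection. The roster lands at Protection Level 01 because one field holds an internal IP address, payroll at 02 because of the SSN and card number, the clinic extract at 03 from the declared PHI field, and the job postings at 00; only the last of these escapes the access-logging requirement, which is the budget point the post makes about logging everything versus logging what the classification demands.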

Beyond being the critical first step in any Cybersecurity Program, Data Classification addresses a constant problem: cybersecurity resources (people, tools, servers, time) are nearly always in short supply. Data Classification makes it possible to focus those resources and efforts where they will be most beneficial to your organization.

Until you complete this critical step, your Cybersecurity Program is using a “spray and pray” approach which is sure to leave holes and waste precious cybersecurity resources.
