Blog Home Page Next article:

Data Classification: Start Here!

About the Anatomy of a Cybersecurity Program Series

In this blog series, I will be walking you through many of the specific controls that fall into the domains mentioned above. My goal is to give you some insight into the issues, and potential remedies we encounter daily while performing these assessments. Please utilize the suggestions to improve the posture of your own organization. No solution, remediation or mitigating countermeasure is one-size-fits-all;  however, I will do my best to provide information from a generic enough standpoint that you should be able to at least find value in the knowledge even if it is not relevant to your environment.

Updated September 05, 2020

Our Enterprise Security Risk  and NIST CSF Assessments often reveal that organizations overlook or simply give lip service to this critical aspect of cyber security.  A complete and comprehensive Data Classification Program is a direct or implied requirement of many compliance directives (HIPAA, PCI-DSS, FISMA, 800-53, etc…) and is a critical part of most security and governance frameworks include the NIST Cybersecurity Framework (NIST CSF) or COBIT 5/9/2019.

We regularly hear “We treat everything as the same” and “We regard all data as the highest sensitivity.” Really?  If this were the case, that would mean that everyone would have access to company executive salary and bonus information, and everyone would be able to access company financial records and proprietary information. As you can probably tell, while most organizations may not formally recognize the process, they do in fact have some form of Data Classification in place.

Data at each classification level will need to be treated differently or you will never be able to effectively meet compliance requirements while maintaining a business justified budget.  For example: Let’s imagine you are required to log all creation, access, modification, movement and destruction of a certain type of data in your network (ePHI, credit card data, etc.). Now, if your organization classifies all data the same, then you must set up logging and alerting every time anyone accesses a corporate template document or creates and saves a document anywhere on the network, including a local PC. In this example, your security logs just became useless due to the sheer number of entries and the storage requirements are beyond imagination.

Let’s also consider another example: geofencing. Many are using it to meet GDPR requirements or limit potential exposure. In this instance, if all data were classified and treated the same, every piece of information created in Europe could not be opened anywhere outside of Europe for any reason, regardless of whether the data contained GDPR restricted data. As you can imagine, this could cause a severe impact on business operations for organizations that operate across international borders outside of the EU.

A data classification program should be your first step to building a Cybersecurity Program. Classifying data is the process of categorizing data assets based on nominal values according to its sensitivity. For example, data might be classified as : public, internal, confidential, restricted, regulatory, or top secret.

Data and information assets are classified respective of the risk of unauthorized disclosure (e.g., lost or stolen inadvertently or nefariously). High-risk data, typically classified “Confidential,” requires a greater level of protection, while lower-risk data requires proportionately less protection.

Large data stores, such as databases, tables, or files carry an increased risk, since a single event could result in a large data breach. In most data collections, highly sensitive data elements are not segregated from less sensitive data elements. Consequently, the classification of the most sensitive element in a data collection will determine the data classification of the entire collection.

The following table is an EXAMPLE of a Data Classification Table:

Data Classification Sample

Data Class Sensitivity LevelSample Data Types
Protection Level 03Extreme• ePHI/PHI
• Intellectual Property
• Company Financial
• GDPR Data
• Master Password Files
Protection Level 02High• Security Logs
• Firewall Configuration
• Router/Switch Configurations
• Employee Social security number
• Driver’s license number, State identification number
• Financial account numbers, Company credit or debit card numbers and financial account security codes, access codes, or passwords
• Employee health insurance information
Protection Level 01Moderate• HIPAA BAAs
• Internal IP Address
• VLAN Information
• Company Policies
• Personnel Roster
• Org Charts
• Customer Contact Lists
• Company and Customer Phone Posters
Protection Level 00None• Open Jobs
• Public Company History
• Associate Physicians
• Published Research
• Specialty Research Areas
• Service Locations

As well as being a critical first step in any Cybersecurity Program, Cybersecurity resources are nearly always in short supply: people, tools, servers, time.  Data Classification makes it possible to focus your resources and efforts where they be the most beneficial to your organization.

Until you complete this critical step, your Cybersecurity Program is using a “spray and pray” approach which is sure to leave holes and waste precious cybersecurity resources.