As we discussed in Part I of our data classification series, the regulatory expectation from both the SEC and the DOJ is that your firm will implement some form of a data classification system that will allow you to adequately protect your business’s sensitive information. In addition, a thoughtfully executed data classification system will assist you in successful implementation and utilization of the NIST Cybersecurity Framework. In this post we will take a look at developing a data classification schema that is both beneficial to your firm’s security posture and simple enough to be effective.
Every firm’s data security needs will vary, but if you have taken the time to aggregate and categorize the data that your firm collects (as we suggested in our first data classification post – here) you should have a good working knowledge of just WHAT your firm needs to protect. Your next step should be to determine HOW that data needs to be protected.
The first thing that we would always recommend is a close look at any applicable state and federal laws that define Personally Identifiable Information (PII). In addition, if your firm, for any reason, retains Personal Health Information (PHI) or Payment Card Information (PCI), the relevant data security standards should be reviewed to ensure that your data classification system meets the security requirements of your legal obligations. In the case of PII, we always recommend a review of Massachusetts, California, and Texas state laws for specific considerations. Even if your company does not have clients in these states, we recommend designing a system now that takes their specific considerations into account. You have the opportunity, while you are designing your system today, to ensure that it will adequately address future concerns. Should your company choose, at some point in the future, to expand its operations to one of these states, you will find your system ready to go with little to no need for revision. In addition, states are becoming more stringent by the day. By adhering to the highest “law of the land”, you will likely find your data classification program adequate should a state in which you do have domiciled clients change its privacy laws to reflect a more restrictive view. There is some hope on the horizon for the Data Security Act of 2015, which would create a unified standard that ties all states’ requirements together. For the time being, however, review and adherence must be based on the existing state standards.
Once you have taken the time to locate and categorize all your data, you are still left with the unenviable task of determining a classification schema that works for your organization. The goal here is to strike a real balance between security and utility. If you have too many classification levels, your team will spend too much time trying to determine the proper classification for a given piece of information, or they may choose to ignore the classification schema altogether. On the opposite end of the spectrum, if you choose too few categories, you will end up protecting data inappropriately: either over-securing it, needlessly slowing its transmission and reducing its availability, or under-protecting it, because the schema does not provide the distinctions needed to make an adequate determination.
In our experience, applying a three- or four-tier data classification system typically strikes the appropriate balance between security and utility, but the right number depends on your organization and its data flows. In some instances only two levels may be necessary; in others, a more varied data security hierarchy may need to be developed. The basic premise of categorizing the data by its security needs remains the same, however.
In order to properly determine your classification tiers we recommend a review of the Federal Information Processing Standards (FIPS) Publication #199, developed by the National Institute of Standards and Technology.
In FIPS 199, data security and classification are based upon the trinity of security objectives: Confidentiality, Integrity and Availability. Each of these three objectives is further quantified by a potential impact: low, medium, and high. Each of your data classification levels should take these objectives and impacts into consideration. Essentially, you must ask yourself the following question for every piece of data you have: if this data were disclosed to an unknown party, would the result be bad, really bad, or catastrophic? As you answer this question for each piece of data, you can begin to create your classification levels and design policy to support the various levels.
We note as well that some firms choose to implement a very low-level tier for publicly disseminated data, such as marketing pieces. In the case of such information and data where there is no impact to its release, a “public” classification level can be created. On the opposite end of the security spectrum, there is that data (such as PII, PHI, and PCI) that must be treated in accordance with laws and expectations, and typically is awarded a firm’s highest level classification designation. The data in the middle is what can be trickiest to categorize, and that is where we would recommend referring to FIPS 199 or other publications.
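To make the FIPS 199 procedure above concrete, here is an added example (not code from the original post) that scores each item in a small data inventory on the three objectives, derives the overall impact using the high-water mark rule FIPS 199 applies (the highest of the three impacts wins; note that FIPS 199 itself names the middle level “moderate” and allows “not applicable” for confidentiality only), and maps the result onto the four-tier schema sketched in this post: a “public” tier for data with no disclosure impact, a top “restricted” tier to which regulated data (PII, PHI, PCI) is pinned regardless of score, and two tiers in between. The tier names, the `DataAsset` fields and the sample inventory are constructed for illustration and are not a prescribed standard.

```python
"""FIPS 199-style categorization of a data inventory.

Added example, not from the original post. Each asset is scored on the
three FIPS 199 objectives; the overall impact is the high-water mark and
the handling tier follows the confidentiality score, with regulated data
forced to the top tier. Tier names and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 impact levels, ordered. "not applicable" is permitted for the
# confidentiality objective only (information with no disclosure impact).
IMPACT_RANK = {"not applicable": 0, "low": 1, "moderate": 2, "high": 3}
RANK_TO_IMPACT = {rank: level for level, rank in IMPACT_RANK.items()}

# Handling tier keyed by confidentiality impact, i.e. the post's question
# "if this were disclosed, how bad would it be?". Tier names are constructed.
TIER_FOR_CONFIDENTIALITY = {
    "not applicable": "public",
    "low": "internal",
    "moderate": "confidential",
    "high": "restricted",
}

# Categories the post says are governed by law and belong in the top tier.
REGULATED_CATEGORIES = frozenset({"PII", "PHI", "PCI"})


@dataclass(frozen=True)
class DataAsset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    categories: frozenset = frozenset()  # e.g. {"PII"}; empty if unregulated


def validate(asset: DataAsset) -> None:
    """Reject impact values that FIPS 199 does not define."""
    for objective in ("confidentiality", "integrity", "availability"):
        level = getattr(asset, objective)
        if level not in IMPACT_RANK:
            raise ValueError(f"{asset.name}: unknown impact {level!r} for {objective}")
        if level == "not applicable" and objective != "confidentiality":
            raise ValueError(f"{asset.name}: {objective} cannot be 'not applicable'")


def overall_impact(asset: DataAsset) -> str:
    """High-water mark: the highest impact across the three objectives."""
    validate(asset)
    ranks = (IMPACT_RANK[asset.confidentiality],
             IMPACT_RANK[asset.integrity],
             IMPACT_RANK[asset.availability])
    return RANK_TO_IMPACT[max(ranks)]


def handling_tier(asset: DataAsset) -> str:
    """Tier used for labelling and handling rules; regulated data is pinned to the top."""
    validate(asset)
    if asset.categories & REGULATED_CATEGORIES:
        return "restricted"
    return TIER_FOR_CONFIDENTIALITY[asset.confidentiality]


def security_category(asset: DataAsset) -> str:
    """Render the security category in the notation FIPS 199 uses."""
    validate(asset)
    return (f"SC {asset.name} = {{(confidentiality, {asset.confidentiality}), "
            f"(integrity, {asset.integrity}), (availability, {asset.availability})}}")


def classify_inventory(assets: Iterable[DataAsset]) -> Dict[str, Dict[str, str]]:
    """Classify every asset; returns name -> {tier, overall_impact, sc}."""
    return {
        asset.name: {
            "tier": handling_tier(asset),
            "overall_impact": overall_impact(asset),
            "sc": security_category(asset),
        }
        for asset in assets
    }


# Constructed sample inventory (not real firm data).
SAMPLE_INVENTORY = (
    DataAsset("client onboarding forms", "high", "moderate", "low", frozenset({"PII"})),
    DataAsset("published fee schedule", "not applicable", "high", "moderate"),
    DataAsset("internal meeting notes", "low", "low", "low"),
    DataAsset("trading strategy research", "moderate", "moderate", "low"),
    DataAsset("billing export with card numbers", "moderate", "moderate", "low", frozenset({"PCI"})),
)

if __name__ == "__main__":
    for name, result in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:34} tier={result['tier']:12} overall={result['overall_impact']:9} {result['sc']}")
```

Two results from the sample inventory are worth noticing. The published fee schedule lands in the “public” tier because disclosing it costs nothing, yet its overall impact is “high”, because the high-water mark picks up its integrity score: public data can still need strong integrity and availability controls, which is why the handling label and the overall impact are kept as separate outputs. The billing export scores only “moderate” on confidentiality, but the PCI category forces it into the top tier, reflecting the post’s point that regulated data is treated according to its legal obligations rather than its apparent sensitivity alone.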
By this point you should have your classification system in order! In our next post we will discuss the administration and updating of a data classification policy, ensuring your firm is deriving the maximum benefit from your hard work.
For Further Reading:
Federal Information Processing Standards #199