Analecta Cyber Company Blog: Data Classification 101: Protecting Data Based on the Function It Serves

2018-08-28

Data Classification 101: Protecting Data Based on the Function It Serves

The NIST Cybersecurity Framework calls upon business owners and IT managers to ensure that “resources are prioritized based on their classification, criticality and business value.” Classification may be simple to understand in terms of hardware and devices, but it may not be intuitive when it comes to data.

What is data classification?


Companies collect a multitude of data each day based on business transactions. Emails, customer queries, orders, inventory database information are but a few types of traffic that pass through your company’s network and need to be protected, often in different ways. Data classification is the process of breaking down the data into functional categories so you can manage and protect it properly.

Types of data


You need to understand what types of data you have on hand in order to protect that data correctly. To do this, try breaking the data down by the function it serves. NIST Special Publication 800-60 categorizes data by how businesses use it. Here are just a few of the many categories and example companies/entities that fall under them.
  • Customer Services - The data itself is the product:
    • Health Care
    • Education
    • Economic Development
  • Service Delivery Methods - Additional data that supports the process of getting the product to the consumer:
    • Research and Development
    • Regulatory Compliance and Enforcement
    • Credit and Insurance
  • Support Functions - Data that supports day-to-day activities necessary to maintain operations:
    • Revenue Collection
    • Internal Risk Management
    • Planning and Budgeting
  • Resource Management - Data related to back office support activities:
    • Human Resources
    • Supply Chain Management
    • IT Management
In fact, the NIST guidelines give 26 distinct subcategories of data with 98 associated data types within these subcategories. You have a vast array of choices when it comes to how to classify your data. If you examine the types of data used in your organization and the data doesn’t fit into any of the subcategories, don’t worry! Evaluate the data’s impact to your organization and protect it accordingly. It is more important to understand the value of the data than it is to make it fit into one of the categories.

The Government uses an information classification scheme to keep track of specific documents and how valuable they are with respect to the information they contain. This, in turn, classifies how they are protected, which parties have authority to access their contents, and more importantly, which parties should not have access.

Protecting different types of data


Your organization’s risk assessment is the key to understanding how data needs to be protected. It contains input from the company’s stakeholders regarding which data needs more stringent protection due to regulatory guidance, the data’s impact on business function or risk of loss. The end goal of data classification is to understand how best to protect your data from unauthorized access, misuse and loss.

Damage caused to your small business if you lost control of the data


Here is a streamlined approach to data classification. Organize your data into three categories based on the damage caused to your small business if you lost control of the data:
  1. Business Killer - Loss of this type of data will cause irreparable damage to your business, possibly forcing the company to close its doors permanently. Long term records and any records protected by regulations with financial repercussions fall into this category. This is your first priority when planning your data protection schemas. Keeping this data separate and restricting access to it is a must. Full disk encryption is important for all data, but vital for this type of data. Ensure you protect the data at all phases of the IT system life cycle - especially when the systems are decommissioned!
  2. Moderate Impact - Loss of day-to-day operational business data will cause a delay in orders, irritate customers and possibly increase immediate costs. However, it will not shut down the business. Keep transaction data secured with firewalls, intrusion detection/intrusion prevention systems and databases with up-to-date security patches to prevent malicious hackers from gaining access.
  3. No Impact/Public Information - This type of data is already publicly available and can be in the form of marketing materials and your public-facing website. There is little-to-no business damage if this data is compromised. However, keep these systems up-to-date with security patches, have real-time backups and control who has access to the data.
Hackers continue to target high-value, business killer data like protected health information and personally identifiable information. In March of 2018, hackers gained access to 1.4 million patient records through an email phishing attack against UnityPoint Health, a network of hospitals in the Midwestern U.S. These records included diagnosis and treatment information, lab test results, and Social Security numbers. It is mandatory that data of this kind be identified and stored separately and securely.
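The three-tier scheme above can be written down as a small policy-as-code check, so that every data set in the inventory gets a tier and a list of the controls it is still missing. The following Python is an added example, not code from Analecta or from the NIST publications; the control labels, the `DataAsset` fields and the sample clinic inventory are this example's own assumptions. Higher-impact attributes take precedence, and anything nobody has evaluated yet is placed in the most restrictive tier until someone does.

```python
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    """The three impact tiers from the post, from most to least damaging."""
    BUSINESS_KILLER = 1
    MODERATE_IMPACT = 2
    PUBLIC = 3


# Controls the post calls for at each tier. The control names are this
# example's own labels (an assumption), not identifiers from any standard.
REQUIRED_CONTROLS = {
    Tier.BUSINESS_KILLER: {
        "segregated_storage", "restricted_access",
        "full_disk_encryption", "secure_decommissioning",
    },
    Tier.MODERATE_IMPACT: {"firewall", "ids_ips", "security_patching"},
    Tier.PUBLIC: {"security_patching", "realtime_backup", "access_control"},
}


@dataclass
class DataAsset:
    name: str
    regulated: bool = False          # protected by a regulation with financial penalties
    long_term_record: bool = False   # long-term records the business cannot recreate
    operational: bool = False        # day-to-day transaction data
    public: bool = False             # already published (website, marketing material)
    controls: set = field(default_factory=set)  # controls currently in place


def classify(asset: DataAsset) -> Tier:
    """Assign a tier. Higher-impact attributes win, so a regulated data set
    that also happens to be published is still Business Killer."""
    if asset.regulated or asset.long_term_record:
        return Tier.BUSINESS_KILLER
    if asset.operational:
        return Tier.MODERATE_IMPACT
    if asset.public:
        return Tier.PUBLIC
    # Unevaluated data gets the most restrictive tier until its impact has
    # been assessed; defaulting to the least protection is the wrong failure mode.
    return Tier.BUSINESS_KILLER


def control_gaps(asset: DataAsset) -> list:
    """Required controls for the asset's tier that are not yet in place."""
    return sorted(REQUIRED_CONTROLS[classify(asset)] - asset.controls)


def inventory_report(assets) -> dict:
    """Map each asset name to (tier name, missing controls)."""
    return {a.name: (classify(a).name, control_gaps(a)) for a in assets}


# Constructed sample inventory for a small clinic; not real data.
SAMPLE_INVENTORY = [
    DataAsset("patient_records", regulated=True,
              controls={"full_disk_encryption", "restricted_access"}),
    DataAsset("order_queue", operational=True,
              controls={"firewall", "security_patching"}),
    DataAsset("public_website", public=True,
              controls={"security_patching", "realtime_backup", "access_control"}),
    DataAsset("newsletter_list", public=True, regulated=True, controls=set()),
    DataAsset("old_file_share"),  # nobody has yet said what this holds
]

if __name__ == "__main__":
    for name, (tier, gaps) in inventory_report(SAMPLE_INVENTORY).items():
        status = "OK" if not gaps else "MISSING " + ", ".join(gaps)
        print(f"{name:18} {tier:16} {status}")
```

Running the script lists each asset with its tier and the controls the post expects for that tier that are not yet in place; the gap list is the concrete output a risk assessment meeting can act on.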

Getting started on classifying your company's data

Most of the information you need to get started with data classification is in your risk assessment. Start by getting organizational leaders together and determine which business functions are critical. Identify those data types and any data that may need to be protected due to compliance regulations and laws.

Next, examine your network traffic flow to determine whether you missed any critical data. Your industry may have its own information sharing and analysis organization (ISAO). Participate in these organizations and learn what other companies like yours do to protect their data. They may know industry-specific “best practices” and understand the nuances of your specific type of business.

Analecta Cyber Risk Assessment


Analecta can help you identify and protect your data, and your bottom line. Using a holistic approach and industry-standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm’s cyber security program to maximize protection. Email us at info@analecta-llc.com or visit our Cyber Security website.

Further Resources