Analecta Cyber Company Blog: Data Classification 101: Protecting Data Based on the Function It Serves


Data Classification 101: Protecting Data Based on the Function It Serves

Data Classification 101 - The Basics - Analecta LLC Graphic The NIST Cybersecurity Framework calls upon business owners and IT managers to ensure that “resources are prioritized based on their classification, criticality and business value.” Classification may be simple to understand in terms of hardware and devices, but may not be intuitive when it comes to data. 

What is data classification?

Companies collect a multitude of data each day based on business transactions. Emails, customer queries, orders, inventory database information are but a few types of traffic that pass through your company’s network and need to be protected, often in different ways. Data classification is the process of breaking down the data into functional categories so you can manage and protect it properly.

Types of data

You need to understand what types of data you have on hand in order to protect that data correctly. To do this, try breaking the data down into the function it serves. NIST Special Publication 800-60 categorizes data into how it is used by businesses. Here are just a few of the many categories and example companies/entities that fall under these categories.
  • Customer Services - The data itself is the product:
    • Health Care
    • Education
    • Economic Development
  • Service Delivery Methods - Additional data that supports the process of getting the product to the consumer:
    • Research and Development
    • Regulatory Compliance and Enforcement
    • Credit and Insurance
  • Support Functions - Data that supports day-to-day activities necessary to maintain operations:
    • Revenue Collection
    • Internal Risk Management
    • Planning and Budgeting
  • Resource Management - Data related to back office support activities:
    • Human Resources
    • Supply Chain Management
    • IT Management
In fact, the NIST guidelines give 26 distinct subcategories of data with 98 associated data types within these subcategories. You have a vast array of choices when it comes to how to classify your data. If you examine the types of data used in your organization and the data doesn’t fit into any of the subcategories, don’t worry! Evaluate the data’s impact to your organization and protect it accordingly. It is more important to understand the value of the data than it is to make it fit into one of the categories.

The Government uses an information classification scheme to keep track of specific documents and how valuable they are with respect to the information they contain. This, in turn, classifies how they are protected, which parties have authority to access their contents, and more importantly, which parties should not have access.

Protecting different types of data

Your organization’s risk assessment is the key to understanding how data needs to be protected. It contains input from the company’s stakeholders regarding which data needs more stringent protection due to regulatory guidance, the data’s impact on business function or risk of loss. The end goal of data classification is to understand how best to protect your data from unauthorized access, misuse and loss.

Damage caused to your small business if you lost control of the data

Here is a streamline approach to data classification. Organize your data into three categories based on the damage caused to your small business if you lost control of the data:
  1. Business Killer - Loss of this type of data will cause irreparable damage to your business, possibly forcing the company to close its doors permanently. Long term records and any records protected by regulations with financial repercussions fall into this category. This is your first priority when planning your data protection schemas. Keeping this data separate and restricting access to it is a must. Full disk encryption is important for all data, but vital for this type of data. Ensure you protect the data at all phases of the IT system life cycle - especially when the systems are decommissioned!
  2. Moderate Impact - Loss of day-to-day operational business data will cause a delay in orders, irritate customers and possibly increase immediate costs. However, it will not shut down the business. Keep transaction data secured with firewalls, intrusion detection/intrusion prevention systems and databases with up-to-date security patches to prevent malicious hackers from gaining access.
  3. No Impact/Public Information - This type of data is already publicly available and can be in the form of marketing materials and your public facing website. There is little-to-no business damage if this data is compromised. However, keep these systems up-to-date with security patches, have real time backups and control who has access to the data. 
Hackers continue to target high-value, business killer data like protected health information and personally identifiable information. In March of 2018, hackers gained access to 1.4 million patients records through an email phishing attack against UnityPoint Health, a network of hospitals in the Midwestern U.S. These records included diagnosis and treatment information, lab test results, and Social Security numbers. It is mandatory that data of this kind be identified and stored separately and securely.

Getting started on classifying your company's data

Most of the information you need to get started with data classification is in your risk assessment. Start by getting organizational leaders together and determine which business functions are critical. Identify those data types and any data that may need to be protected due to compliance regulations and laws.

Next, examine your network traffic flow to determine if you missed any critical data. Your industry may have their own information sharing and analysis organization (ISAO). Participate in these organizations and learn what other companies like yours do to protect their data. They may know industry-specific “best practices” and understand the nuances of your specific type of business.

Analecta Cyber Risk Assessment

Analecta can help you identify and protect your data, and your bottom line. Using a holistic approach and industry-standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm’s cyber security program to maximize protection. Email us at or visit our Cyber Security website.

Further Resources


  1. Great blog thanks for sharing Looking for the best creative agency to fuel new brand ideas? Adhuntt Media is not just a digital marketing company in chennai. We specialize in revamping your brand identity to drive in best traffic that converts.

  2. Nice blog thanks for sharing Growing your own plant comes with its own challenges and responsibilities. This is why you need a plant nursery in chennai who is ready to help you out throughout the way and guide you through the hurdles of growing a plant - Enter Karuna Nursery Gardens.

  3. Excellent blog thanks for sharing Pixies Beauty Shop is unlike any of the other cosmetic shops in Chennai. With tons of exclusive imported brands to choose from and the best value, this is the best shopping destination for your personal and salon needs.

  4. Awesome blog thanks for sharing While choosing your perfect ride for driving, Accord Cars comes with and the best packages for you to pick from. Self drive cars in Chennai are done the easier. Just pick out your plan from hourly, daily, weekly and even monthly plans available.

  5. Very useful blog thanks for sharing Pearls beauty lounge is the best beauty parlour in chennai. More than 30+ years experience in this field. When you come over at Pearl’s you don’t visit a just a beauty lounge, you are welcomed into an indulging experience which you’ll want to feel again and again. Our secret ingredient for your happiness is in going an extra mile to make you feel pampered.

  6. Awesome blog thankks for sharing 100% virgin Remy Hair Extension in USA, importing from India. Premium and original human hair without joints and bondings. Available in Wigs, Frontal, Wavy, Closure, Bundle, Curly, straight and customized color hairstyles Extensions.

  7. Very useful blog thanks for sharing IndPac India the German technology Packaging and sealing machines in India is the leading manufacturer and exporter of Packing Machines in India.


  8. Thanks for your extraordinary blog. Your idea for this was so brilliant. This would provide people with an excellent tally resource from someone who has experienced such issues. You would be coming at the subject from a different angle and people would appreciate your honesty and frankness. Good luck for your next blog!
    Tally ERP 9 Training
    tally classes
    Tally Training institute in Chennai
    Tally course in Chennai
    seo training classes
    seo training course
    seo training institute in chennai
    seo training institutes
    seo courses in chennai
    seo institutes in chennai
    seo classes in chennai
    seo training center in chennai

  9. White collar crime: this is a non-violent crime that is done by skilled professionals. As a cyber crime student you will focus on computer fraud. cyber security institute in hyderabad