We also continue our series today on improving your organization's cyber security documentation. We have looked at Vendor Security Questionnaires and the Acceptable Use Policy; today we are going to start the process of data classification.
A Data Classification Policy details why data classification should be done and establishes a framework for classifying data based on its sensitivity, value, and criticality to the organization.
You want to break out roles and responsibilities, typically into Data Owners, Data Custodians, and Data Users. The owner is typically the department head or business owner who is accountable for the data and decides how it is classified. The custodians are typically your IT department or vendor, who implement and maintain the protections that the classification calls for. The users are everyone who can or does access the data.
So I would start with your network share drives, and identify an overall impact level and classification label for each one. Typically, your impact level will be high, moderate, or low, and the classification label will be something like restricted, confidential, or public. When you classify at the share level, the share takes the label of the most sensitive data stored in it. You can define more impact levels or classifications if you need them, but keep the scheme simple enough that the data owners and data custodians can apply it consistently.
Next you want to build a guideline on what makes data fit into each impact level and classification label. Again, the goal is for the data owners to classify the data themselves, so your guidelines here are what ensure the data gets labeled correctly.
The guidelines should also make clear that data containing authentication information (passwords, keys, and other credentials), Electronic Protected Health Information (ePHI), payment card data covered by PCI DSS, or other Personally Identifiable Information (PII) is always labeled restricted and high impact.
You can find a sample data classification policy, as well as the other policies we've covered, at TheMorningBreach.Com under Resources, template downloads.
This is a great policy to get started on today. As a champion of Data Privacy Day through the National Cyber Security Alliance, we are trying to help you "Respect Privacy" by ensuring your cyber security policies are up to date and designed for the current state of the world.