Data Classification: A Cornerstone of Information Security
November 3, 2008
by Ed Kopp, Market Assessment Specialist, NYSTEC
The Library of Congress in Washington, D.C., holds around 32 million books and other printed materials, 61 million manuscripts, and 12 million photographs. It took more than two centuries to compile all of this material, yet each day organizations worldwide now create new data amounting to 100 times the Library’s entire collection. Just as the Library of Congress holds valuable books and manuscripts that cannot be freely viewed by the public, organizations retain ever-increasing stores of valuable information that would cause great harm if made public. Data classification can help secure this information.
“Organizations today are generating so much information that they need to develop a strategy to secure it throughout the information’s life cycle,” said NYSTEC consultant Slawomir Marcinkowski. “Data classification is the first step in this process. Data classification helps organizations control the cost of storing, managing, and securing information. It also helps them determine the value of their data in order to establish cost-effective protection measures for security purposes.”
Data classification is defined as the categorization of data for its most effective and efficient use and protection. Modern schemes descend from government document-classification systems, in which designations such as “Top Secret,” “Confidential,” and “Unclassified” mark how much protection a document requires and who may handle it.
Information used by organizations today is governed by myriad laws and regulations, such as the New York State Information Security Breach Act, the Health Insurance Portability and Accountability Act, and the Family Educational Rights and Privacy Act. Different laws govern the use and dissemination of financial data, medical information, educational records, and other data. As a result of such laws, many government agencies are now required to perform data classification to enhance their information security.
“By assigning each information asset to a classification category and establishing controls for each category, information can be secured in a much more efficient and cost-effective manner,” said Marcinkowski. “For government agencies, classification involves identifying data that is sensitive to the organization and the citizens it serves, assigning each file or file grouping a classification, and applying controls based on the assigned classifications throughout the information life cycle.”
So how does an organization go about this process? According to Marcinkowski, data classification involves six major steps.
1. Establish a data classification standard – “The organization must first develop a standard to specify the sensitivity of information,” said Marcinkowski. “At NYSTEC, we work with the agency to interview key users and evaluate the data and metadata. After we’ve begun this process and achieved a sufficient understanding of the data, we develop a classification scheme. Usually no more than four categories are necessary, such as ‘Restricted Confidential,’ ‘Confidential,’ ‘Internal Use Only,’ and ‘Public.’ Controls are established for each category to ensure that information is adequately protected. Also, it’s important early in the process to get buy-in from top management, because the project won’t succeed without it.”
2. Assign ownership – “Each piece of information is assigned to an owner, typically the individual or business unit that creates the data,” said Marcinkowski. “The information owner is ultimately responsible for classifying the information, and often for approving or disapproving its dissemination. In addition, the information owner must ensure that the controls governing classification at a certain level are implemented and working as intended.”
3. Classify information assets – “During this stage, the organization assigns a classification to each information asset or, more typically, to each data grouping. This is an intensive process and requires a full commitment from the organization in both time and effort. It’s important to involve employees who use and understand the data, and who know where the data originated or is stored. The organization must determine if any laws, regulations, or agency policies predefine the classification of each data type. Also, participants must carefully assess each asset and judge the impact if it were compromised. Then a classification is assigned.”
4. Maintain a record of classified assets – “Agencies must establish and maintain a record of each information asset and its classification, and keep this database in a secure, centralized location.”
5. Educate employees – “Each employee must understand the classification system and be thoroughly schooled on the internal controls assigned to each category. Employees must also understand the consequences if privacy restrictions are not observed.”
6. Perform a continuous review – “The organization should institute a process to continuously re-evaluate its data classifications. Changing circumstances such as new laws or new technologies will necessitate changes to assigned protection levels for some assets. Over time, some data types may require increased protection, while others can eventually become unrestricted. The reclassification of data should be an ongoing priority, and it must be driven by a coherent process.”
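The six steps above translate naturally into a small registry. The following is an added illustration, not code from NYSTEC or from Marcinkowski: it encodes the four-tier scheme from step 1 as an ordered enum, records an owner per asset (step 2), derives each grouping's level as the stricter of the regulatory floor for its data types and the owner's impact assessment (step 3), keeps the central record (step 4), and flags assets overdue for re-evaluation (step 6). The data-type-to-level table, the control names, and the sample inventory are constructed assumptions for the example, not a legal reading of HIPAA, FERPA, or the New York breach statute. One design choice worth noting: a data type that the standard does not yet cover raises an error rather than silently defaulting to Public, so gaps in the standard surface during classification instead of during a breach.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Four-tier scheme from step 1; the ordering lets max() pick the stricter tier."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2
    RESTRICTED_CONFIDENTIAL = 3


# Step 3: levels that law or agency policy predefines for a data type.
# Assumed mapping for illustration only, not a legal analysis.
REGULATORY_FLOOR: Dict[str, Level] = {
    "health_record": Level.RESTRICTED_CONFIDENTIAL,
    "ssn": Level.RESTRICTED_CONFIDENTIAL,
    "education_record": Level.CONFIDENTIAL,
    "internal_memo": Level.INTERNAL_USE_ONLY,
    "press_release": Level.PUBLIC,
}

# Step 3: the owner's judgement of impact if the grouping were compromised.
IMPACT_TO_LEVEL: Dict[str, Level] = {
    "none": Level.PUBLIC,
    "low": Level.INTERNAL_USE_ONLY,
    "moderate": Level.CONFIDENTIAL,
    "high": Level.RESTRICTED_CONFIDENTIAL,
}

# Step 1: controls established per category (hypothetical control names).
CONTROLS: Dict[Level, Dict[str, object]] = {
    Level.PUBLIC: {"encrypt_at_rest": False, "access": "anyone"},
    Level.INTERNAL_USE_ONLY: {"encrypt_at_rest": False, "access": "all_staff"},
    Level.CONFIDENTIAL: {"encrypt_at_rest": True, "access": "need_to_know"},
    Level.RESTRICTED_CONFIDENTIAL: {"encrypt_at_rest": True, "access": "named_individuals"},
}


@dataclass
class Asset:
    name: str
    owner: str              # step 2: person or business unit accountable for the data
    data_types: List[str]   # what the grouping contains
    impact: str             # owner's assessment: none / low / moderate / high
    classified_on: date
    level: Optional[Level] = None


def classify(asset: Asset) -> Level:
    """A grouping inherits the strictest level of anything in it, and the regulatory
    floor can only raise, never lower, the owner's impact assessment.
    Unknown data types fail closed instead of silently becoming Public."""
    unknown = [t for t in asset.data_types if t not in REGULATORY_FLOOR]
    if unknown:
        raise ValueError(f"{asset.name}: data types {unknown} are not in the standard")
    floor = max((REGULATORY_FLOOR[t] for t in asset.data_types), default=Level.PUBLIC)
    return max(floor, IMPACT_TO_LEVEL[asset.impact])


class Registry:
    """Step 4: the central record of classified assets, plus step 6 review tracking."""

    def __init__(self, review_interval: timedelta = timedelta(days=365)):
        self.assets: Dict[str, Asset] = {}
        self.review_interval = review_interval

    def register(self, asset: Asset) -> Level:
        asset.level = classify(asset)
        self.assets[asset.name] = asset
        return asset.level

    def controls_for(self, name: str) -> Dict[str, object]:
        return CONTROLS[self.assets[name].level]

    def due_for_review(self, today: date) -> List[str]:
        """Assets whose classification is older than the review interval."""
        return sorted(n for n, a in self.assets.items()
                      if today - a.classified_on > self.review_interval)

    def reclassify(self, name: str, today: date, impact: Optional[str] = None) -> Level:
        """Step 6: re-evaluate after a change in law, technology, or business use."""
        asset = self.assets[name]
        if impact is not None:
            asset.impact = impact
        asset.classified_on = today
        asset.level = classify(asset)
        return asset.level


def demo() -> Registry:
    """Constructed sample inventory, not real agency data."""
    reg = Registry()
    reg.register(Asset("patient_intake_db", "Clinical Services",
                       ["health_record", "ssn"], "moderate", date(2007, 9, 1)))
    reg.register(Asset("enrollment_reports", "Registrar",
                       ["education_record"], "low", date(2008, 6, 15)))
    reg.register(Asset("website_news", "Communications",
                       ["press_release"], "none", date(2008, 10, 1)))
    return reg


if __name__ == "__main__":
    reg = demo()
    for name, asset in reg.assets.items():
        print(f"{name:20} owner={asset.owner:18} level={asset.level.name}")
    print("due for review on 2008-11-03:", reg.due_for_review(date(2008, 11, 3)))
```

Running it shows the floor at work: the owner rated `patient_intake_db` only "moderate", but because it contains health records and SSNs it lands in Restricted Confidential, and it is the one asset flagged as overdue for review at the article's date.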
Data classification can serve as a cornerstone for an organization’s information security. Because the process can be difficult, realistic expectations must be established at the outset. But the consequences of not fully implementing a data-classification scheme can be severe. Going through the process just might help an organization avoid a lawsuit, a security breach, or even a major disaster affecting business continuity.