Maksim Kabakou - Fotolia

Security Think Tank: Classification is the first step to personal data security

How should businesses go about setting up and maintaining a comprehensive and accurate inventory of personal data?

To set up a comprehensive and accurate inventory of personal data, the first step a business has to consider is classifying the information it holds.

Data, in all of its various forms, is a valuable and tangible business asset and, as with any other item of property, its value determines the level of protection it should be assigned. The reality is that a single protection standard uniformly across all of an organisation’s assets is neither practical nor desirable. Organisations need to apply differing levels of security in accordance with value.

Organisations should create processes to classify their data and determine the value of the data. This could be based on sensitivity to loss or disclosure or how heavily the company relies on that particular piece of data. They should also factor in any regulatory or legal compliance around particular formats of data, such as payment card information (PCI) or health information databases.

The individuals responsible for housing the data should, ultimately, be responsible for defining the level of sensitivity of the data. This approach enables proper implementation of the security controls according to their classification scheme.

There are several attributes that can be used to classify a piece of data:

  • Value: This is the most commonly used criteria for classifying data in the private sector. If the information is valuable to an organisation or its competitors, it needs to be protected.
  • Age: The importance of a particular piece of information may decrease over time. The Department of Defence, for example, automatically declassifies certain information after a pre-determined time period has passed.
  • Lifecycle: A company’s data can become obsolete for a multitude of reasons. This could include new information or substantial changes in the company. Information that has become outdated can often be declassified.
  • Personal association: If information is personally associated with specific individuals or is addressed by a privacy law, it may need to be classified. For example, investigative information that reveals informant names may need to remain classified.

There are several steps in establishing a classification system.  Below are some recommended stages, in order of priority:

  1. Identify the administrator/custodian.
  2. Determine how the information will be classified and labelled.
  3. Classify the data by its owner, who is subject to review by a supervisor.
  4. Specify and document any exceptions against the classification policy.
  5. Specify the controls that will be applied at each classification level.
  6. Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.
  7. Create an enterprise awareness programme about the classification controls.

Once an organisation has classified its data, it can easily keep it up-to-date. Different businesses, depending on size and market, will need to implement different processes. However, the very first step to keeping a database up to date is to first classify the information it holds. 

Yves Le Roux is co-chair of the Emea advisory council at (ISC)2.

Read more on Privacy and data protection