Data is one of the most important assets for any organization. It is also extremely important for a business to classify its data. According to Varonis, data classification is the process of analyzing structured or unstructured data, and then organizing it into categories that are based on file type, contents, and other metadata (data that gives information on other data).¹

Data classification often involves a multitude of different tags and labels. These tags and labels help define the type of data, its confidentiality, and its integrity. Availability (the effects of data usage on available computer memory) is also sometimes considered in data classification processes. High risk data, typically classified as “confidential” data, requires a greater level of protection. On the other hand, lower risk data, such as “public” or “internal” data, requires proportionately less protection.

More on Types of Data Classification:

Public – this is information that can be open to the general population. It is defined as information with very little to no legal restrictions on its access or its usage. Public data can be made available for all people and workers. Some examples are:

• Publicly-posted press release,
• Publicly-available marketing materials,
• Publicly-posted job announcements;

Internal – this is information that should be protected because of exclusiveness, or for ethical reasons. Internal information needs to be protected from unauthorized access and modification. Some examples are:

• General employment data (e.g. salary information),
• Information on business partnerships where no confidentiality agreement exists,
• Contracts;

Confidential – this is information that contains a very high level of sensitivity and confidentiality. Unauthorized access of this data can result in legal action that can then negatively impact an organization. Some examples are:

• Bank information,
• Medical history or records,
• An employee’s sex, age, gender, and address;

Regulatory – this is information that is safeguarded by laws, and/or in compliance with various data privacy rules set by certain organizations. Data that needs to be protected to prevent loss, theft, unauthorized access, and/or unauthorized disclosure, as stated by a regulating body or council, would be considered regulatory data. Data that needs to be destroyed when no longer needed to preserve confidentiality is also considered regulatory data. Some examples include:

• The Family Educational Rights and Privacy Act (FERPA),
• The Health Insurance Portability and Accountability Act (HIPAA);

How to Classify Data:

Data classification can be a complex and cumbersome process. The following steps are recommended for implementing a successful data classification policy.

1. Consider the confidentiality and security of the data to be classified.
2. The integrity of the data should be considered, as data from dubious sources is not trustworthy.
3. Data that requires high memory usage also requires resilient storage and networking.
4. Use an effective metadata strategy to properly describe, label, and tag the data.
5. Use data cleansing technology to remove redundant, obsolete, or trivial content.
6. Consider carrying out an information audit to accurately evaluate your data needs, then carry out classification designs based on the data audit results.
7. Monitor and update the data classification system regularly, making adjustments as needed.

Data classification can help you find the data that you need quickly, but it also has many other advantages. For example, data classification helps in extracting meaningful information from large amounts of data. Data classification also provides a better understanding of the data within the organization’s control, an insight of where that data is stored, the ways it can be accessed easily, and so on. Data classification provides an organized framework that facilitates strong data protection measures, and also promotes employee compliance with security policies.

Sources:

1. 8/11/2020, Jeff Petters Updated: “What Is Data Classification? Guidelines and Process: Varonis.” Inside Out Security, 11 Aug. 2020, www.varonis.com/blog/data-classification/.