Tips for creating a data classification policy

Before deploying and implementing a data loss prevention product, enterprises should have an effective data classification policy in place. Expert Bill Hayes explains how that can be done.

A good data loss prevention program depends on administrative controls and technical controls, such as data loss protection software. By themselves, the technical controls are of little use unless an organization's employees understand how sensitive information should be handled.

A data classification policy provides a way to ensure sensitive information is handled according to the risk it poses to the organization. All sensitive information should be labeled with a "risk level" that determines the methods and allowable resources for handling, the required encryption level, and storage and transmittal requirements.

In business, it's common to use at least three risk classification levels to label sensitive information: public, "business use only" and confidential.

Public classification

The public classification label applies to information that is available to the general public and intended for distribution outside an organization. This information may be freely distributed without risk of harm. Any information that is produced for public consumption -- such as news releases, job announcements, and sales brochures -- is a good example.

'Business use only' classification

The "business use only" classification label applies to information that is used in business processes, and the unauthorized disclosure, modification or destruction of which is not expected to seriously affect the organization, customers, employees or business partners. Any information that is used in routine business matters -- such as internal policy manuals and company phone lists -- is a good example.

Confidential classification

The confidential classification label applies to information that is used in sensitive business processes, the unauthorized disclosure, modification or destruction of which will adversely affect an organization, its customers, employees or business partners. Examples of sensitive information include intellectual property, contract negotiations, most personnel matters, personally identifiable information, protected health data, bank account numbers and payment card information of customers and employees.

Secret classification

Some organizations add an additional level, such as "secret" or "highly confidential," to label information used in extremely sensitive business processes, the unauthorized disclosure, modification or destruction of which would seriously harm the organization, its customers, employees or business partners. Examples for health organizations include medical records relating to mental health, sexually transmitted diseases, HIV testing and substance abuse. Examples for other organizations include documents used in mergers, strategic plans and litigation.

Making distinctions

It may also make sense for an organization to distinguish between the sensitive information of customers and employees and the sensitive information that applies only to company business processes. Classification labels such as "personal confidential" and "business confidential" can be used in these instances.

Rather than developing one overarching data classification policy, break it up into several policies with associated procedures used to implement them.

Further guidance

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publication ISO/IEC 27002:2013 8.2.1 provides further guidance for handling sensitive information, as does NIST special publication NIST 800-60 volumes 1 and 2, Guide for Mapping Types of Information and Information Systems to Security Categories. Shon Harris discusses how to document data classification.

Provisions in supporting policies and procedures should be made for the encryption of sensitive information, where it is stored, and access rights for employees and business partners. There should also be some way to downgrade information from one classification to another. For instance, a news release about an important product may be considered confidential information until the information is released to the public. Finally, an organization should have methods for auditing its data classification policy and procedures.

Developing an effective data classification policy is vital in identifying sensitive information assets to monitor and protect. Classification should be built around the types of sensitive information an organization handles, and conform to compliance directives for these sensitive information types. When an organization puts an effective data classification plan in place, DLP technical controls become much easier to implement.
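To make concrete how a classification policy feeds the technical controls described in the two paragraphs above (handling requirements per level, downgrading a news release from confidential to public, and an audit trail), here is an added policy-as-code example. It is not from the article or its author; the label names follow the article, but the handling rules, action names, the "personal confidential" downgrade restriction and the audit record format are assumptions chosen for illustration.

```python
"""Policy-as-code sketch of a data classification scheme (added example).

The levels follow the article; the handling rules, action names and audit
format are illustrative assumptions, not taken from any standard.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum


class Level(IntEnum):
    """Risk levels ordered from least to most sensitive."""
    PUBLIC = 0
    BUSINESS_USE_ONLY = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class HandlingRule:
    encrypt_at_rest: bool
    encrypt_in_transit: bool
    external_sharing: bool   # may be sent outside the organization
    partner_access: bool     # business partners may receive it


# Assumed handling requirements per level (illustrative).
RULES = {
    Level.PUBLIC: HandlingRule(False, False, True, True),
    Level.BUSINESS_USE_ONLY: HandlingRule(False, True, False, True),
    Level.CONFIDENTIAL: HandlingRule(True, True, False, True),
    Level.SECRET: HandlingRule(True, True, False, False),
}


@dataclass
class Document:
    name: str
    level: Level
    personal: bool = False    # "personal confidential" vs "business confidential"
    audit: list = field(default_factory=list)


def allowed(doc: Document, action: str) -> bool:
    """Decide whether a DLP control should permit `action` on `doc`.
    Action names are assumed for this example."""
    rule = RULES[doc.level]
    if action == "send_external":
        return rule.external_sharing
    if action == "share_with_partner":
        return rule.partner_access
    if action == "store_plaintext":
        return not rule.encrypt_at_rest
    if action == "transmit_plaintext":
        return not rule.encrypt_in_transit
    raise ValueError(f"unknown action {action!r}")


def downgrade(doc: Document, new_level: Level, approver: str, reason: str) -> bool:
    """Reclassify `doc` to a lower level and record who approved it and why.
    Personal data of customers or employees is never released to PUBLIC."""
    if new_level >= doc.level:
        return False          # not a downgrade; nothing to do
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "document": doc.name,
        "from": doc.level.name,
        "to": new_level.name,
        "approver": approver,
        "reason": reason,
    }
    if doc.personal and new_level == Level.PUBLIC:
        entry["result"] = "denied"
        doc.audit.append(entry)   # denials are audited too
        return False
    entry["result"] = "applied"
    doc.level = new_level
    doc.audit.append(entry)
    return True


if __name__ == "__main__":
    # Constructed scenario: a news release stays confidential until published.
    release = Document("product launch release", Level.CONFIDENTIAL)
    print("send before release:", allowed(release, "send_external"))
    downgrade(release, Level.PUBLIC, "comms-director", "published on website")
    print("send after release:", allowed(release, "send_external"))
    for record in release.audit:
        print(record)
```

The same `allowed()` function can back an e-mail gateway rule, a storage-encryption check or a partner-portal upload check, which is the point of deciding handling from the label rather than from the document's content each time. Keeping denied downgrades in the audit trail gives the periodic policy audit something to review beyond successful reclassifications.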
