How to get started with a good Data Classification Policy
Over recent months many organisations have transformed the way in which users access, process and store data. The number of channels now available to share information across multiple devices has risen to an unprecedented level – always connected, always available and easy to share through file shares, images and much more.
What do we mean by a ‘Data Classification Policy’?
Before you can write a good Data Classification Policy you need to understand what the term means; ask different people and you will get different answers. The globally recognised standard for information security, ISO 27001, addresses the requirement under its Annex A control A.8.2 ‘Information Classification’, which instructs organisations to ‘ensure that information receives an appropriate level of protection’. The standard does not explain how you should do that, but it does look for evidence of four levels of confidentiality:
- Confidential (only senior management have access)
- Restricted (most employees have access)
- Internal (all employees have access)
- Public (everyone has access)
The more complex the organisation, the more levels that may be required. For example, an NHS Trust or a Central Government Agency will have access to citizens’ personal data, including medical histories and other highly sensitive information; however, staff with that access should not necessarily have access to other sensitive information, such as financial records.
In the simplest terms, a Data Classification Policy is:
“primarily concerned with the management of information to ensure that sensitive information is handled well with respect to the threat it poses to an organisation… A Data Classification Policy is the personification of an organisation’s tolerance for risk”
Data Classification is a vital component of your Information Security and Compliance strategy: in order to classify information, you first need to know what information you have and where it resides.