How to get started with a good Data Classification Policy

Over recent months many organisations have transformed the way in which users access, process and store data. The number of channels now available to share information across multiple devices has risen to an unprecedented level – always connected, always available and easy to share through files shares, images and so much more.

What do we mean by a ‘Data Classification Policy’?

Before you can make a good Data Classification Policy you need to understand what is meant by the term. Ask different people and you’ll get a different answer. The globally recognised standard for Information Security – ISO 27001, discusses the requirement under its annex control A8.2 ‘Information Classification’, whereby it instructs that organisations ‘ensure that information receives an appropriate level of protection’ – however, that standard does not explain how you should do that, but is in itself, looking for evidence of four levels of confidentiality:

• Confidential (only senior management have access)
• Restricted (most employees have access)
• Internal (all employees have access)
• Public (everyone has access)

The more complex the organisation, the more levels that may be required. For example, an NHS Trust or a Central Government Agency will have access to citizen’s personal data, including medical histories and other highly sensitive information – however, they should not have access to other sensitive information, such as financial records.

In its simplest of terms, a Data Classification Policy is:
“primarily concerned with the management of information to ensure that sensitive information is handled well with respect to the threat is poses to an organisation……A Data Classification Policy, is the personification of an organisation’s tolerance for risk”

Data Classification is a vital component of your Information Security and Compliance strategy – in order to classify it, you need to know what information you have and where it resides.

First steps to defining your Data Classification Policy

The first step to defining a Data Classification Policy is to define sensitive data within your organisation and establish rules for its protection. Meaning what? Well, the European Commission defines this as data that:

• Reveals racial or ethnic origin; political opinions; religious or philosophical beliefs; sexual orientation
• Trade-union membership
• Genetic data, biometric data processed solely to identify a human being
• Health-related data

So, before you look to protect your data, you need to understand what you have, where it’s stored, why you have it and who has access to it.

Once you’ve understood this part, you should then look at understanding its true value to your organisation – what do you define as business-critical and sensitive.

Next comes how you treat the data – where is it stored; who has access to it; how long is it retained for – a key point here is to look at each block of identified data and ask the question ‘What would happen if we lost it?’

What could happen if you lost it?

• Intellectual property – product designs, pricing strategies, blueprints, formulas, strategic plans. Contracts and agreements, regulatory documentation, investment data.
• If it was made publicly available – would it harm your reputation, your customers, staff, suppliers? Would it put an individual’s privacy or security at risk?
• If it made the press – regulatory and financial damages, brand reputation, privacy & data law implications, compliance and regulatory body controls?
• Financial damages – lawsuits, share price, job losses and more.

Now we understand our data – we need to classify the data.

Five steps for Data Classification

Data Classification should always be user-driven – that is to say, data classification involves the user(s) attaching appropriate identifiers or labels to any message, documentation or file they create, handle or store. This gives the data a ‘value’ which allows other users to understand how to handle that data.

Classifying data by its value to your organisation can support your development in the creation of more data-centric, security controls to support safeguards against accidental loss and reduce risks associated to data loss.

Introducing classification tools to implement the approach allows data security controls, rules and policies to be better enforced and adopted across your organisation – giving clear, consistent electronic markings. For example, emails labelled ‘commercial in confidence’, ‘internal only’ or ‘public’ and then by aligned rules alongside the classification to ensure no accidental mishaps send sensitive information incorrectly.

These tools are seamless and form part of any standard office productivity applications, like Microsoft Office and Outlook, to ensure that classifying messages and files is easy, clear and unobtrusive.
As you embark on Data Classification Policies, here are five easy steps:

1. Identify – define your sensitive and highly valued data
2. Discover – where does it reside and who has access to it?
3. Classify – define your data based on its value to your organisation
4. Secure – align the right security controls and measures to ensure integrity
5. Monitor – measure and review as part of your security controls for best practice

Where to start?

Firstly, we’d say, ‘keep it simple’ – where possible look at investing in technology such as:

• Data Leakage/Loss Prevention
• Right Management Software
• Document/Control Management

But before you start to classify your data, it’s important to ignore the technology – this should come after you’ve defined your policies and processes. Map documents into ‘types of documents’ in distinct groups by using just two key areas:

1. The sensitivity of the document
2. The intended audience

Using the above two areas will make up the foundation of your Data Classification Policy.

It is worth noting here too, that many organisations have ‘classifications’ in place, but they are often created, implemented and then forgotten – this needs to be a living document and made available to all within your organisation.

The foundation of any Information Classification Policy is about categorising information. Here are just a few example document classifications that will fit most business requirements:

• Public – Those documents that are not sensitive and there is no issue with release to the general public i.e. on a website
• Confidential –  Documents only to be viewed internally or with third parties that have signed a non-disclosure agreement
• Employee Confidential – Documents only to be viewed by employees at the company
• Management Restricted – Documents only to be viewed by the senior management at the company
• Private – Documents which contain personal information (useful for managing GDPR compliance)

We recommend, as a general guide that you don’t go over 10 classifications because classification should be as simple as possible and if possible four or five is best. If you find that you have too many classifications, consider only looking at sensitivity or only looking at intended audience to begin with then filling in any gaps.

Build a Team

This is not the job for just IT – a Data Classification Policy needs board-level support to ensure the business buys into and uses it. Once you have this, you should form a team which includes key departments in the business to enforce the policy.

This team may include people from technical, legal, procurement, HR and any other departments that are suitable for your industry. An appropriate team will be able to protect a business from security breaches whilst letting people access the information they need. And going back to the start of this blog, while important, the technical solution should be the very last point to consider.

From here on, it’s about taking steps as a team to:

• Assemble – Assemble your team – this is comprised of those members within your organisation that represent a cross-section for example, IT & Services, HR, Procurement etc. It is also important to remember that your leadership must be onboard otherwise this will fail from the onset.
• Design – your data classification requirements based on each department and find the most common ones – remembering that a maximum of 10 is recommended but around four or five is preferred. Now design and write your Data Classification Policy that meets your business requirements
• Enforce – this is now where you assume an aspect of control, that is standardised across the whole organisation – ensure all staff are made aware and where possible, look to now align technology as a means of automation.
• Educate – sending an email to say ‘here it is, please read it, isn’t enough! Hold a webinar, take your staff through the data classification with guidance on when to use either manually on via technology or that ‘classified’ doesn’t work on all documents.
• Control – Review your rolled-out controls. Are they working? Do they need amending? Is the policy still relevant? Enforce control through supported learning
• Review – Is this policy now part of your policy review? How often? Is it version controlled? Does it still meet your requirements for any new markets you’re serving, and does it meet any changes in legal and regulatory requirements?

A ‘Data Classification Policy’ is a key policy within your governance and safekeeping of your staff, customers and suppliers. Protecting data in line with legislation such as the DPA and GDPR are important.

The creation and review of a Data Classification Policy will support your organisation in understanding the data and in turn, will support you in understanding valuable data, sensitive data in line with retention strategies and more.