Data Classification and Handling: Protecting and Using Data

Having the right information available improves decision-making and allows for better allocation of resources. An organization that can obtain, enrich, and utilize data will have significant advantages over its competitors that can’t. Data can be a strategic competitive advantage. It is impossible to conceive an organization of significant size that doesn’t leverage data in its operations.

Wherever there is the potential to do great good, there is also the potential to do great evil. The potential for significant damage exists if data is not adequately protected. Public embarrassment, fraud, theft, and other crimes come from the misuse of data. Usually, we are only concerned with protecting data confidentiality, but losing access to data could also have serious adverse effects.

So the challenge is ensuring the appropriate use of data while safeguarding from abuse.

Some data types, for example, payment card data, demand and deserve the application of significant protections to prevent fraud. Other data types should have some protections applied, but making this data more accessible is needed for business reasons (for example, business intelligence and financial reports). Still, other types of data should be generally available (they pose no serious risks and are beneficial to large groups (for example, weather forecasts).

Protecting data can be expensive. Encrypting and decrypting data promptly requires significant resources. With some data, it is an appropriate safeguard. With other data is a waste of resources. Understanding your data and applying the right amount of protection is an essential process for most organizations.

There are two drivers for the protection of data, internal and external.

Internal drivers for protecting data include:

External drivers for protecting data include:

While you might negotiate with some partners, usually, most governments are not as malleable. It is essential to understand that compliance is the floor (not the ceiling). These requirements are the minimum.

The U.S. Military (who has a long history of needing to protect data) has three classification levels:

There is also an 'unclassified' category for data (used for data that doesn’t require special protection). The amount of damage that unauthorized disclosure of data would cause defines the classification level.

We recommend finding the right balance between appropriately protecting the data and overprotecting data. Too many data classification levels will confuse people. Too few will result in resources wasted and operations unnecessarily complicated.

Making data classification decisions every time someone collects or creates data is inefficient. Therefore, the recommendation is that data be classified when you decide to produce/consume it (upfront). This upfront classification enables all follow-on work and management associated with the data to be well understood and handled appropriately.

So this should be a one-time (or rare) process. The earlier one classifies a data type, the better (though later is better than never). Adding protections to data after you have accumulated it is more expensive (and onerous) than doing it from the start.

Once data has a classification, it should be clear to everyone involved in using said data what the requirements are. Handling requirements include:

If you don’t classify your data, it will become increasingly tricky to protect it appropriately. Information Security is about applying controls (protections) to your organization to enable its mission while adequately safeguarding it. Once you know what your data is worth (and how you want to protect it), then you can get to work (until then, you will waste a lot of time and energy and maybe still not adequately protect it).