In this second part of our two-part blog we will discuss the requirements to correctly classify your data. Following on from part one, once the identification and classification of your data has been completed, you need to focus on data handling.
Establish Data Handling Requirements
There are numerous forms of technical, operational and management controls that can be used in enforcing handling standards for sensitive information and high value assets. Organisations should define and maintain policies and procedures to govern the marking, labelling, handling, and storage of sensitive data.
Data handling requirements vary by classification and categorisation and should consider all applicable laws and regulations. For example, PCI DSS contains specific requirements for handling cardholder data. Your organisation should also carry out a risk assessment to identify the threats and vulnerabilities that impact your data and to identify any specific handling requirements and controls required to mitigate the risks to your data.
Marking and Labelling
Asset marking requires placing the relevant information in plain view directly upon the asset so that anyone can easily identify the applicable security classification of the information contained therein. For physical assets such as paper documents this is fairly straightforward. For information assets (data) the logical structure of the data must have a place where the label can be written, such as the document header or footer.
This process is known as labelling. The information used to mark the asset is most effective when grouped together and easily accessed on a digital or physical label, depending on the asset. Electronic assets can include markings and labels in document headers or footers, for example, while hard assets can include a physical label attached to the asset. When the value of an asset is known to users, they are better able to protect the asset based on its classification.
When a label is in clear view it is easy for users to identify the value of individual assets and manage them to ensure confidentiality, integrity, and availability according to their classification levels.
Handling
Organisations should have established policies and procedures in place that govern the handling of each category and classification of asset. These policies and procedures provide rules for accessing, transmitting, transporting, and using sensitive data and other critical assets.
Employee awareness and training regarding responsibilities for information handling is a significant part of any asset security program. Training should educate employees on the risks associated with becoming complacent about asset handling requirements. It is likely that, over time, employees handling even the most restricted information may become complacent, and data loss could be the result. The insider threat of an employee sending proprietary information to the wrong person or accessing sensitive data in a public coffee shop happens when employees become unconcerned about data handling policies and procedures.
Storage
Similar to information handling guidelines, information storage guidelines are critical to any organisation’s overall asset security management. When all sensitive information was paper-based, information storage security was as simple as keeping assets locked up behind suitable physical barriers. With digital information stored in data centres, on removable hard drives, on mobile phones, and in the cloud, asset storage can get complicated. In our digital age, there are too many ways for stored data to be stolen, leaked, or accessed by unauthorised individuals.
A major consideration for secure information asset storage is encryption. Sensitive data at rest should be encrypted, whenever possible. Attention must also be paid to the storage and safeguarding of the encryption keys themselves. This often requires the use of multiple-person integrity controls, such as those built into many hardware security module (HSM) systems.
Another consideration for secure storage is to limit the volume of data that is retained. Making sure to only store data that is needed limits risk to the organisation and reduces operational costs. In terms of risk, limitations on data storage also improve disaster recovery and business continuity. Access to data at short notice is more achievable if excess data is not impacting the overall recovery process.
The final consideration related to data storage is backups. Any organisation must establish clear policies and procedures that specify what data to back up and how it should be backed up. Additionally, you should establish and provide guidance related to how backup media must be secured and protected.
Declassification
Declassification is the process of modifying the assigned classification of an asset to a lower level of sensitivity. As data moves throughout its lifecycle, there may come a time when it no longer maintains the same value or sensitivity as when it was originally classified. The organisation must have a process to declassify data to account for this evolution. When data sensitivity changes from confidential to public, for example, marking, handling, and storage requirements have to be adjusted appropriately. If declassification does not happen, excessive and costly controls may remain in place, leading to financial and business efficiency impacts.
Declassification of assets requires thorough documentation and often multiple levels of approval. The data owner plays a vital role in this process, as they determine the classification level of the data and when it can change. There should be a data governance process within the organisation to determine whether there will be a manual review of data classifications. The organisation could choose to automate the process using rules and applications to find and reclassify data assets. Rules may be based on occurrences of specific events as determined by the data owner or the expiration of a maximum period of time.
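As an added illustration (not code from the original article), the following sketch shows how event-based and time-based declassification rules could be evaluated against an asset inventory, producing proposals for the data owner to approve instead of changing labels directly. The four-level scheme, field names, rule format and sample records are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVELS = ["public", "internal", "confidential", "restricted"]  # assumed scheme, low to high

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    classification: str
    classified_on: date
    events: frozenset = frozenset()       # events the data owner has recorded

@dataclass(frozen=True)
class Rule:
    from_level: str
    to_level: str
    trigger_event: Optional[str] = None   # event-based trigger
    max_age_days: Optional[int] = None    # time-based trigger

def propose_declassifications(assets, rules, today):
    """Return proposals for owner approval; no label is changed here."""
    for r in rules:  # a declassification rule may only lower sensitivity
        if LEVELS.index(r.to_level) >= LEVELS.index(r.from_level):
            raise ValueError(f"rule {r.from_level}->{r.to_level} does not lower sensitivity")
    proposals = []
    for a in assets:
        for r in rules:                   # first matching rule wins
            if r.from_level != a.classification:
                continue
            reasons = []
            if r.trigger_event is not None and r.trigger_event in a.events:
                reasons.append(f"event:{r.trigger_event}")
            if r.max_age_days is not None and (today - a.classified_on).days >= r.max_age_days:
                reasons.append(f"age>={r.max_age_days}d")
            if reasons:                   # record why, for the approval audit trail
                proposals.append({"asset": a.name, "owner": a.owner, "from": r.from_level,
                                  "to": r.to_level, "reasons": reasons,
                                  "status": "pending_owner_approval"})
                break
    return proposals

# Constructed sample inventory and rules (illustrative only).
TODAY = date(2025, 1, 1)
ASSETS = [
    Asset("q3-results-draft.docx", "finance", "confidential", date(2024, 10, 1),
          frozenset({"results_published"})),
    Asset("supplier-contract.pdf", "procurement", "confidential", date(2017, 3, 1)),
    Asset("roadmap.pptx", "product", "confidential", date(2024, 9, 1)),
    Asset("hr-case-notes.xlsx", "hr", "restricted", date(2024, 6, 1)),
]
RULES = [Rule("confidential", "public", trigger_event="results_published"),
         Rule("confidential", "internal", max_age_days=7 * 365)]
```

Each proposal carries its triggering reasons and a pending status, so the documentation and approval steps described above remain with the data owner.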
Summary
Data classification helps organisations prioritise their data protection efforts to improve data security and achieve regulatory compliance. Data classification also helps to reduce costs and boost productivity.