Data Classification Schemes
Sunday, November 16th, 2008

Every company, no matter how big or small, should have a data classification scheme that defines the level of protection required for all company documents and for customer and partner information. This classification scheme is a fundamental component of information security and should cover both digital and non-digital data assets, such as contracts, invoices, copies of checks, incoming faxes, etc. In a hardware store, for example, a data classification scheme would identify the sensitivity of every piece of data in the store, from customer account information to supplier delivery receipts.
Most businesses adopt a data classification scheme that categorizes information into the following four levels:
- Company confidential
- Private
- Sensitive
- Public
A simple scheme like this facilitates improved data security because it clearly identifies and communicates the levels of confidentiality required for all data and the people who should have access to it. For example, a presentation or patent application that is labeled “Company Confidential” is clearly not meant to be distributed outside of a company.
Good data classification schemes should also include a time element, so that data can change its classification after a specified interval, and an owner, who is responsible for maintaining and protecting a specified data type or source.
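To show how the four levels, the time element and the owner fit together in practice, here is an added example (not from the original post) that models a small inventory for the hardware store mentioned above. The asset names, owners, dates and review intervals are constructed for illustration, and treating the list above as running from most to least sensitive (so that "Private" outranks "Sensitive") is an assumption of this example, not something the post states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, List, Optional


class Classification(IntEnum):
    """The four levels from the post, ordered least to most sensitive.

    Assumption for this example: Private is treated as stricter than Sensitive.
    """
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    COMPANY_CONFIDENTIAL = 3


@dataclass
class DataAsset:
    name: str
    level: Classification
    owner: str                                  # person accountable for the asset
    classified_on: date
    review_after: Optional[timedelta] = None    # time element: how long the label stays in force
    relaxes_to: Optional[Classification] = None  # level it drops to automatically after the interval

    def interval_elapsed(self, today: date) -> bool:
        return self.review_after is not None and today >= self.classified_on + self.review_after

    def effective_level(self, today: date) -> Classification:
        """Classification in force on a given date, honouring the time element."""
        if self.interval_elapsed(today) and self.relaxes_to is not None:
            return self.relaxes_to
        return self.level

    def needs_review(self, today: date) -> bool:
        """True when the interval has passed but no automatic target level was set,
        i.e. the owner must decide what happens next."""
        return self.interval_elapsed(today) and self.relaxes_to is None


def can_access(clearance: Classification, asset: DataAsset, today: date) -> bool:
    """A principal may read an asset only if cleared to at least its effective level."""
    return clearance >= asset.effective_level(today)


def sample_inventory() -> Dict[str, DataAsset]:
    """Constructed hardware-store inventory (names, owners and dates are made up)."""
    start = date(2008, 11, 16)
    assets = [
        # Customer accounts stay Private; the owner must re-review them yearly.
        DataAsset("customer-accounts", Classification.PRIVATE, "store-manager",
                  start, review_after=timedelta(days=365)),
        # Supplier receipts are Sensitive with no time element.
        DataAsset("delivery-receipts", Classification.SENSITIVE, "receiving-clerk", start),
        # A launch presentation is Company Confidential until 90 days after labelling,
        # then becomes Public automatically.
        DataAsset("launch-deck", Classification.COMPANY_CONFIDENTIAL, "marketing-lead",
                  start, review_after=timedelta(days=90), relaxes_to=Classification.PUBLIC),
        DataAsset("store-hours", Classification.PUBLIC, "store-manager", start),
    ]
    return {a.name: a for a in assets}


def access_report(clearance: Classification, today: date) -> List[str]:
    """Names of inventory assets a principal with the given clearance may read today."""
    return sorted(name for name, a in sample_inventory().items()
                  if can_access(clearance, a, today))


def review_queue(today: date) -> List[str]:
    """Assets whose owners must re-classify them as of today."""
    return sorted(a.name for a in sample_inventory().values() if a.needs_review(today))


if __name__ == "__main__":
    for day in (date(2008, 12, 1), date(2009, 3, 1), date(2009, 11, 16)):
        print(day, "Sensitive clearance sees:", access_report(Classification.SENSITIVE, day),
              "| review queue:", review_queue(day))
```

The two checks a practitioner actually wants from a scheme are both here: `can_access` derives a yes/no decision from the label rather than from ad-hoc judgement, and `needs_review` surfaces the assets whose interval has expired so the named owner is prompted to act instead of the label silently going stale.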
Neglecting to implement adequate security controls for sensitive information can lead to increased corporate liability and regulatory censure. Without a data classification scheme, a company may treat all information the same, greatly increasing the chance of accidental disclosure or security breaches.
Writing a data classification scheme is not that difficult, and I’ve supplied a sample template below that can help you jump-start the process. Getting it implemented, however, may require a substantial degree of organizational change, so it is best to get the buy-in of senior management before you start that process.
