Data classification is important part of the ISO 27001 and Enterprise Security Governance. Data classification will set labels and categories to the given data types. These types will be used to set secrecy, sensitivity, confidentiality levels. If we set all data high security level or classification this will create high cost and operational complexity and expense. So we should classify and categorize them appropriately accord to organization needs, situation etc.
Benefits Of Data Classification
In this part we will list the benefits and profits of data classification and categorization
- Demonstrates organizational commitment
- Assist Identifying assets
- Help protections mechanisms creation
- Used in compliance or legal issues and standards
- Helps defining access levels
- Helps life-cycle management like retention, usage, destruction of data
How To Classify and Categorize Data
Data can be classified and categorized in different aspects. Here a list of them.
- Usefulness of the data
- Timeliness of the data
- Values or cost of the data
- Maturity or age of the data
- Lifetime of the data
- Association with personnel
- Data disclosure effect
- Data modification effect
- Authorized access to the data
- Storage of data
- Maintenance and monitoring of the data
Here the steps should be taken during the classification and categorization of the data.
- Identify custodian and define their responsibilities
- Specify the evaluation criteria how the information will be classified and labeled
- Classify and label each resource
- Document any exception
- Select security controls that will be application for each category
- Specify declassifying resources and transferring data to external entity
- Create enterprise-wide awareness about classification system
Common Data Class and Categories
There are different type of data classification and categorization levels used in commercial organization. We can provide some commonly used levels in this part
This is the highest level of classification. This type of data disclosure will create significant negative impacts on the organization
This is second highest level of classification. This type of data generally provides personal or important data for the organization.
Used for data that is more important than public data. This category data disclosure will have little effects to organization.
Public that do not need confidentiality and should be known by public.