Jason Clause

IT Consultant @ Endsight

Data classification is key to effective cybersecurity

By Jason Clause

Effective cybersecurity begins with a disciplined approach to data classification

With labels like confidential and top secret, data classification is mostly thought about in the context of the military or the government, but it’s also a critical piece of cybersecurity.

The function of data classification is to develop sensitivity labels for data and to assign those labels so that baseline cybersecurity can be configured based on the value of the data.

Data Roles and Responsibilities
Let me introduce you to James, our Data Steward, Bill, our Data Custodian, and “Moose,” our Data Body Guard.

The reason to classify data is often misunderstood to be determining the sensitivity or criticality of digital information. While that is a result of data classification, the real purpose is to drive the security controls applied to a particular set of data based on its classification label.

As previously noted in “Cyber Security Roles and Responsibilities,” the data owner is responsible for determining the classification of the data, and the data custodian is responsible for maintaining the data.

The 3 C’s for classifying data:

There are three key elements to classifying data for the purposes of cybersecurity.

  • Cost: Determining the true value of data
  • Classification: Creating criteria for determining the classification label
  • Controls: Establishing baseline cybersecurity measures for each data classification label

Assessing the true value of data

The true value of any asset is rarely the sticker price. Many factors go into accurately placing a value on a particular data asset. These factors can include:

  • Importance to the organization
  • Loss of revenue if compromised
  • Legal or regulatory cost if compromised
  • Value to competitors
  • Acquisition cost
  • Time required to create

Data Sensitivity vs. Data Criticality

Sensitivity is about privacy. It measures the likely damage done in the event the data becomes public. Health records are an example of highly sensitive data.

Criticality is about the timeliness of the data. It measures the likely revenue lost without the assets. Email is an example of critical data.

I plan to add future postings on the topic of cybersecurity and to expand on what I’ve outlined here.  If you have any questions or if you feel like you have something to add, please leave a comment.  You can also connect with me here: Connect with Jason
