Effective cybersecurity begins with a disciplined approach to data classification
With labels like confidential and top secret, data classification is mostly thought about in the context of the military or the government, but it’s also a critical piece of cybersecurity.
The function of data classification is to define sensitivity labels for data, assign those labels, and configure baseline cybersecurity controls according to the value of the data.
The reason to classify data is often misunderstood to be determining the sensitivity or criticality of digital information. That is a result of data classification, but its real purpose is to drive the security controls applied to a particular set of data based on its classification label.
As previously noted in “Cyber Security Roles and Responsibilities”, the data owner is responsible for determining the classification of the data, and the data custodian is responsible for maintaining it.
The 3 C’s for classifying data:
There are three key elements to classifying data for the purposes of cybersecurity.
- Cost: Determining the true value of data
- Classification: Creating criteria for determining the classification label
- Controls: Establishing baseline cybersecurity measures for each data classification label
Assessing the true value of data
The true value of any asset is rarely its sticker price. Many factors must be included to accurately place a value on a particular data asset. These factors can include:
- Importance to the organization
- Loss of revenue if compromised
- Legal or regulatory cost if compromised
- Value to competitors
- Acquisition cost
- Time required to create
Data Sensitivity vs. Data Criticality
Sensitivity is about privacy. It measures the likely damage done if the data becomes public. Health records are an example of highly sensitive data.
Criticality is about the timeliness of the data. It measures the likely revenue lost while the asset is unavailable. Email is an example of critical data.
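The two axes above map to two different families of controls: sensitivity drives confidentiality controls (encryption, access restriction, logging), while criticality drives availability controls (backups, tested restores, redundancy). The following Python is an added example of expressing that label-to-controls mapping as checkable policy; it is not code from the original post. The label names, scoring thresholds, control names and sample assets are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Confidentiality label: how much damage is done if the data becomes public."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Criticality(IntEnum):
    """Availability tier: how much revenue is lost while the data is unavailable."""
    LOW = 0
    MODERATE = 1
    HIGH = 2


@dataclass(frozen=True)
class DataAsset:
    """Valuation inputs the data owner supplies; field names and thresholds are assumptions."""
    name: str
    approved_for_release: bool = False     # owner has cleared it for the public
    regulated_personal_data: bool = False  # e.g. health records
    competitor_value: bool = False         # would help a competitor if leaked
    legal_cost_if_disclosed: float = 0.0   # legal or regulatory cost, currency units
    revenue_loss_per_hour: float = 0.0     # revenue lost per hour of outage
    max_tolerable_outage_hours: float = 72.0


def assess_sensitivity(asset: DataAsset) -> Sensitivity:
    """Sensitivity: damage if disclosed. Thresholds are illustrative, not a standard."""
    if asset.regulated_personal_data or asset.legal_cost_if_disclosed >= 1_000_000:
        return Sensitivity.RESTRICTED
    if asset.competitor_value or asset.legal_cost_if_disclosed > 0:
        return Sensitivity.CONFIDENTIAL
    if asset.approved_for_release:
        return Sensitivity.PUBLIC
    return Sensitivity.INTERNAL


def assess_criticality(asset: DataAsset) -> Criticality:
    """Criticality: revenue lost while unavailable. Thresholds are illustrative."""
    if asset.revenue_loss_per_hour >= 10_000 or asset.max_tolerable_outage_hours <= 4:
        return Criticality.HIGH
    if asset.revenue_loss_per_hour > 0 or asset.max_tolerable_outage_hours <= 24:
        return Criticality.MODERATE
    return Criticality.LOW


# Baseline controls per label (assumed control catalogue). Each tier adds to the
# tiers below it; baseline_controls() takes the union.
CONFIDENTIALITY_CONTROLS = {
    Sensitivity.PUBLIC: frozenset({"integrity-protected"}),
    Sensitivity.INTERNAL: frozenset({"authentication-required"}),
    Sensitivity.CONFIDENTIAL: frozenset({"encrypted-at-rest", "encrypted-in-transit", "access-logged"}),
    Sensitivity.RESTRICTED: frozenset({"mfa-required", "need-to-know-acl", "dlp-monitored"}),
}
AVAILABILITY_CONTROLS = {
    Criticality.LOW: frozenset(),
    Criticality.MODERATE: frozenset({"daily-backup"}),
    Criticality.HIGH: frozenset({"offsite-backup", "tested-restore", "redundant-hosting"}),
}


def baseline_controls(asset: DataAsset) -> frozenset[str]:
    """Every control required at or below the asset's sensitivity label and criticality tier."""
    sens, crit = assess_sensitivity(asset), assess_criticality(asset)
    required: set[str] = set()
    for level in Sensitivity:
        if level <= sens:
            required |= CONFIDENTIALITY_CONTROLS[level]
    for tier in Criticality:
        if tier <= crit:
            required |= AVAILABILITY_CONTROLS[tier]
    return frozenset(required)


def control_gaps(asset: DataAsset, implemented: set[str]) -> frozenset[str]:
    """Controls the label demands that the proposed storage location does not provide."""
    return baseline_controls(asset) - frozenset(implemented)


# Constructed sample assets for the example; not real inventory data.
HEALTH_RECORDS = DataAsset("patient-health-records", regulated_personal_data=True,
                           max_tolerable_outage_hours=24)
CORPORATE_EMAIL = DataAsset("corporate-email", revenue_loss_per_hour=15_000,
                            max_tolerable_outage_hours=2)
PRESS_RELEASES = DataAsset("press-releases", approved_for_release=True)

if __name__ == "__main__":
    for asset in (HEALTH_RECORDS, CORPORATE_EMAIL, PRESS_RELEASES):
        print(asset.name, assess_sensitivity(asset).name, assess_criticality(asset).name,
              sorted(baseline_controls(asset)))
    # A store that encrypts but never backs up: acceptable for press releases, not for email.
    print(sorted(control_gaps(CORPORATE_EMAIL, {"authentication-required", "encrypted-at-rest"})))
```

Note that email ends up with a low sensitivity label but a high criticality tier, so the gap check demands backups and redundancy without demanding encryption at rest, whereas the health records get the full confidentiality set. Keeping the two axes separate is what stops an organization from either over-protecting critical-but-public data or under-protecting sensitive-but-rarely-used data.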
I plan to add future postings on the topic of cybersecurity and to expand on what I’ve outlined here. If you have any questions or if you feel like you have something to add, please leave a comment. You can also connect with me here: Connect with Jason