Best Practices for Data Classification in Your Business

Posted on June 1, 2020 - by Darren Gallop - in Trends in InfoSec


Although all businesses handle data, data classification strategies vary from one organization to another. How you decide to label and classify your data may depend on a constellation of factors, starting with what type of data you have.

In general, you’ll find that you have both external and internal data (also called public and confidential). However, not all data is created equal and some pieces will require more protection than others. How you determine what data needs special attention in your information security program will impact the way you organize and store your data.

Modern companies all handle a tremendous amount of data. We may have customer payment information, invoice records, email lists, order history, user data in software, or so many other bits of information. Companies need to keep this data organized and secure, but also accessible to the people who need it.

Data classification is an essential step for assessing risk at your company and creating a comprehensive information security strategy. You need to know what your most sensitive data is and where it is kept.

Here are a few best practices to consider when classifying data in your business.

Internal Data: The Proof of Processes

Internal data originates within your business and is typically generated as a result of regular business activities. Unlike data gleaned from external sources, internal data involves sources of information that aren’t available to the public. It must be protected due to proprietary or ethical considerations. This would include things like trade secrets or health data regulated by HIPAA. Only people with a legitimate reason to access it should be able to do so.

Internal data is what most people think of when discussing business intelligence. You can break your internal data down into three different categories:

1. General Internal Data

General internal data is information that is private because it simply isn’t relevant to the public. For example, internal data might include the company’s electricity usage for the building, its printer meter data, employment data that doesn’t involve identifiable information, or the identity of suppliers where a confidentiality agreement doesn’t exist.

In general, this sort of information likely doesn’t have any laws requiring its protection, but must be protected from unauthorized access, modification, or transmission to retain business integrity. Disclosure of this information would be inconsequential but might look bad for the company.

Best Practice: To prevent embarrassing mishaps or data breaches, encourage a culture of security in the workplace. Conduct security awareness training and encourage employees to take security seriously, no matter how trivial a piece of information may seem.

2. Confidential Information

The US Securities and Exchange Commission defines confidential information as non-public information that concerns any aspect of a company or the affairs of the party supplying the information. In other words, it is information intended to be used by the business, for business purposes, and includes sensitive information related to the business or the provider. Some examples of confidential information under the SEC definition include:

  • Trade secrets
  • Procedures, specifications, or formulas for products
  • Financial information
  • Personal information like names, addresses, and credit card numbers

Confidential data must only be accessed by individuals with a legitimate reason, may have authorization requirements, and likely has laws governing its collection, use, storage, and transmission. The General Data Protection Regulation of the European Union is one such example of a law governing personal confidential data.

Best Practice: When it comes to confidential information, use a Zero Trust security model. Require users to authenticate themselves before connecting to internal networks or accessing systems containing confidential information.

3. Regulated or Classified Data

Regulated or classified materials are a subset of confidential information. These are pieces of data subject to regulatory compliance, such as HIPAA or another set of legal mandates. Breaches of this type of data will be accompanied by fines, penalties, lawsuits, or business damage.

Because of these serious consequences, it’s worth separating these in your data classification. This type of data may require specific types of storage, security, or transmission through specific channels. You should have strict policies regarding who can access classified data.

Best Practice: Perform frequent assessments on regulated data and the technology used to collect, manipulate, transmit, or store it. Updates or changes to technology may render a service non-compliant without notice. (This happens a lot with cloud services.) Ignorance is not an excuse for non-compliance.
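The three internal tiers above each carry their own handling requirements, and the post's warning that a technology change can silently make a service non-compliant is the kind of thing that should be checked automatically rather than remembered. The following is an added example, not code from the post or from Securicy: it models the tiers as labels, attaches an assumed minimum set of controls to each (the control names, the sample services and the sample assets are all constructed for illustration), checks a single access request against them, and re-audits an inventory so that a service losing its regulatory approval shows up as a finding.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Tiers from the post: external/public, general internal,
    confidential, and regulated (a subset of confidential)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    REGULATED = 3


# Illustrative minimum controls per tier. These are an assumed policy for the
# example, not requirements stated in the post or by any regulator.
REQUIRED_CONTROLS = {
    Classification.PUBLIC: frozenset(),
    Classification.INTERNAL: frozenset({"authenticated"}),
    Classification.CONFIDENTIAL: frozenset({"authenticated", "mfa", "tls"}),
    Classification.REGULATED: frozenset({
        "authenticated", "mfa", "tls", "encrypted_at_rest",
        "audit_logged", "approved_for_regulation",
    }),
}

# Controls that come from the requesting session rather than from the storing
# service (used by the inventory audit to look only at storage-side gaps).
SESSION_CONTROLS = frozenset({"authenticated", "mfa"})


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification
    stored_in: str          # name of the service holding the data
    regulation: str = ""    # e.g. "HIPAA"; only meaningful for REGULATED


@dataclass
class Service:
    name: str
    controls: set           # controls the service currently provides
    approved_for: set       # regulations the service is attested against


def missing_controls(asset, service, session):
    """Controls the asset's tier requires that neither the storing service
    nor the requesting session provides."""
    provided = set(service.controls) | set(session)
    if asset.regulation and asset.regulation in service.approved_for:
        provided.add("approved_for_regulation")
    return set(REQUIRED_CONTROLS[asset.classification] - provided)


def access_allowed(asset, service, session):
    """Zero-trust style decision: allow only when every required control is met."""
    return not missing_controls(asset, service, session)


def audit_inventory(assets, services):
    """Re-check every asset against the service it currently lives in.
    Returns {asset name: missing storage-side controls} for assets that no
    longer meet their tier, e.g. after a cloud service changes its attestation."""
    findings = {}
    for asset in assets:
        gaps = missing_controls(asset, services[asset.stored_in], SESSION_CONTROLS)
        if gaps:
            findings[asset.name] = gaps
    return findings


# Constructed sample inventory (hypothetical services and assets).
SERVICES = {
    "erp": Service("erp", {"tls", "encrypted_at_rest", "audit_logged"}, {"HIPAA"}),
    "wiki": Service("wiki", {"tls"}, set()),
}
ASSETS = [
    Asset("printer-meter-readings", Classification.INTERNAL, "wiki"),
    Asset("supplier-price-list", Classification.CONFIDENTIAL, "wiki"),
    Asset("employee-health-records", Classification.REGULATED, "erp", "HIPAA"),
]


if __name__ == "__main__":
    print("initial audit:", audit_inventory(ASSETS, SERVICES))
    # Simulate the drift the post warns about: the ERP vendor drops HIPAA attestation.
    SERVICES["erp"].approved_for.discard("HIPAA")
    print("after change:", audit_inventory(ASSETS, SERVICES))
```

Running the block prints an empty finding set first and then flags the health records once the service loses its approval; the same `missing_controls` function serves both the per-request check and the periodic audit, so a change to the tier policy only has to be made in one table.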

External Data: Context and Competition

External data is generated either outside the company or within it, but it’s generally publicly available to anyone who goes looking for it. There are many different sources for external data. Typically, these sources include things like surveys, research, customer feedback, or open sources like industry news blogs.

Possession of this data is frequently overlooked by companies and their information security programs. According to a survey by The Silicon Review, 65 percent of respondents felt that external data was less valuable than internal data.

However, external data is critical to understanding your customers, market, and industry. It’s what provides context for internal data and empowers a company to differentiate itself in the competitive landscape. Therefore, it’s important to classify and protect data that a company collects from external sources.

Best Practices for Classifying and Protecting External Data

External data can prove just as important to your company as internal data. However, it comes with its own set of challenges. Ensure that external data remains useful to your company by considering classification systems that include:

  • Source: It’s important to vet sources to ensure accuracy and truthfulness. Using questionable sources invites harmful disinformation into a business, opening the door for risks stemming from misguided decisions. 
  • Real-time vs. historic: Classify external data as either real-time or historic to capture changes in markets, consumer preferences, or industries. This will help prevent you from acting on dated information while gaining a deeper insight into why a certain market feature exists.

Securicy Helps Implement Smart Data Classification

Good data classification is a foundation for keeping your company’s data organized, accessible, and useful. While there are many different dichotomies and ways to classify data, most companies will handle some mixture of external/public and internal/confidential information. Additionally, internal data may occupy different levels of confidentiality, particularly once regulatory compliance enters the picture. Choose the classification system that works best for your data, and help it stay secure.

Need more help figuring out how to classify data at your company? Reach out to our team and learn how we can help you assess risk and build an information security program so good it will build trust and win customers.

Get custom information security policies generated for your business in minutes. Securicy guides you through creating, implementing, and managing your cybersecurity plan.


About the author

Darren Gallop is a tech entrepreneur, information security expert, Techstars alumni, board member, and the CEO of Securicy. He co-founded Securicy and led the team to develop a SaaS product that guides businesses through creating, implementing, and managing their information security and privacy compliance program. Gallop previously co-founded Marcato and was CEO there for 10 years, until the successful event management software company was acquired by Patron Technology. He is fluent in English, French, and adept in Spanish. Gallop spends much of his non-work time traveling or engaging in the outdoors. Swimming, fly fishing, canoeing, camping, and surfing (basically in that order). He is from Nova Scotia, Canada.