Thursday, July 12, 2007

Information Security Policy 101 – Data Classification Policy

I will forewarn you, data classification can be a real doozy. The policy is simple enough to write and the concepts are simple enough to sell, but adoption and implementation is usually a whole different story. If done well the benefits can far outweigh the risks.

The purpose for most data classification projects (yours may differ) is to identify the data that is sensitive to an organization, classify (or label) this data, and apply appropriate controls based on the sensitivity-label pair.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Data Classification Policy is to provide a system for protecting information that is critical to the organization, and its customers. In order to provide more appropriate levels of protection to the information assets entrusted to %ORGANIZATION%, data must be classified according to the risks associated with its storage, processing, and transmission. Consistent use of this data classification policy will facilitate more efficient business activities and lower the costs of ensuring adequate information security.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Data Classification Policy applies to all entities that interact with data in any tangible manner.

The %ORGANIZATION% Data Classification Policy applies equally to any individual, or process that interacts with %ORGANIZATION% Information Resources in any tangible manner. All personnel who may come in contact with Confidential information are expected to familiarize themselves with this Data Classification Policy and consistently use it.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Data Classification Policy
The Data Classification Policy differs from most other information security policies due to the additional information required. The Data Classification Policy will introduce new concepts, roles, and responsibilities.

Roles and Responsibilities:
The following are typical roles and responsibilities defined in the Data Classification policy:

Data Owner
The Data Owner is normally the person responsible for, or dependent upon the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.

- The Data Owner determines the appropriate value and classification of information generated by the owner or department;
- The Data Owner must communicate the information classification when the information is released outside of the department and/or the organization;
- The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and
- The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Data Custodian
- The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
- The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel

Data User
The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

Data Classifications
Confidential Data is information protected by statutes, regulations, organizational policies or contractual language. Managers may also designate data as Confidential.

Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.

Disclosure to parties outside of the organization must be authorized by executive management, approved by a Vice President and General Counsel, or covered by a binding confidentiality agreement.

Examples of Confidential Data include:

- Medical records
- Clinical trial data
- Credit card numbers
- Social Security Numbers
- Personnel and/or payroll records
- Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction
- Any data belonging to an %ORGANIZATION% customer that may contain personally identifiable information
- Patent information
- Regulatory filings

Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by %ORGANIZATION%, who have a legitimate business purpose for accessing such data.

Examples of Internal Data include:
- Employment data
- Business partner information where no more restrictive confidentiality agreement exists
- Internal directories and organization charts
- Planning documents
- Contracts

Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to organizational disclosure rules, is available to all %ORGANIZATION% employees and all individuals or entities external to the corporation.

Examples of Public Data include:
- Publicly posted press releases
- Publicly available marketing materials
- Publicly posted job announcements

Disclosure of public data must not violate any pre-existing, signed non-disclosure agreements.

NOTE: The policy MUST NOT define HOW data will be classified (or tagged), use standards, guidelines and/or procedures to communicate how the different types of data should be appropriately labeled.

SOME SAMPLE Classification Protections
- When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible.
- When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by %ORGANIZATION% IT Management must be employed.

- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
- Must be protected by a confidentiality agreement before access is allowed

In my experience, the Data Classification Policy has been the most difficult policy to create and receive approval on. The most common and valid question I receive is “How will we ever comply?” Compliance with a Data Classification Policy has proven to be extremely difficult is most organizations due to a number of primary factors:

- People do not want to assume the responsibilities that come with their role, primarily the data owner
- Labeling standards are sometimes extensive and time consuming to write
- Data is strewn throughout the organization without centralized management
- Classifications assigned will vary from data owner to data owner and management is not “cut and dry”

Understand that information security is a science of evolution and it will take time to get data classification properly implemented. This is expected and accepted. All things in information security should start in policy and data classification is no exception. Approval of a policy does not mean formal adoption and compliance (we will cover post-approval of policy in “Information Security Policy 101 – Policy Approval” due on 7/30).


TIP: Write your Data Classification Policy without worrying about the details of implementation, but at the same time make sure you will be able to implement each statement through the use of additional supporting documentation.

Next in the series: “Information Security Policy 101 – "Incident Management Policy”

Previous: Information Security Policy 101 – “Information Security Policy 101 - Backup Policy”

No comments: