Challenges of Data Classification

September 1, 2016 JOE O'DONNELL

With the advent of the Digital Age, protecting data has become ever more paramount to the success of entities, both large and small. One of the most critical aspects of protecting information is that it requires data owners to classify what information is deemed critical for business operations. This process, for all intents and purposes, is usually labeled “data classification”, and can be a difficult one for the people in charge of protecting an entity’s most critical asset – its data. This article will identify some of the major challenges faced by government, private-industry, and personnel in-charge of information (commonly referred to as “data owners”), while analyzing ways they can mitigate and control these challenges to better serve their respective industry.

1. Labeling Critical Assets and Resources

Management Information Systems main goal is to better serve the needs of the business. Among the first questions, information security professionals should be asking themselves when tasked with classifying data is “What data does the business rely on most?” and “What information, if made public, would be detrimental to the business as a whole?” Asking these questions should be done through a formal and documented risk assessment, involving all aspects of management. The end-goal of a risk assessment should be to identify critical assets and the risks associated with the entity. This helps enable security professionals to better label which data is necessary. This, in turn, drives monetary resources spent to protect the given assets. One of the most common mistakes with labeling data is mislabeling. To overcome this risk, sound, experienced, and trusted professionals should administer the process while working with all levels of senior management, as well as key process owners to ensure proper resource allocation for protection.

2. Standardize and Classify

Oftentimes governments and businesses alike will use a hierarchy when classifying their data. While government standards are often much stricter than private organizations, the idea is essentially the same--where data deemed critical to the success of the business is grouped in the higher echelon of data, and data seen as less-critical is grouped in the lower. In practice, a company such as Coca-Cola would view the secret ingredient for their soda product to be one of the most closely guards secrets, proprietary to them. As they deem it critical to the operation of the business and the loss of said data would do damage to the organization, Coca-Cola might label the data as “sensitive”, considered the highest classification level to commercial organizations. In contrast, the company may consider some information related to the business as “public” or in other words, safe for the general knowledge. Resources spent on protecting critical information in most cases should far exceed that of information ranked much lower on the data classification scale. Mislabeling data can have numerous consequences, one of which is the misuse of resources. Security professionals should leverage industry best practices to find a data classification scheme that fits the scope of their business and protection needs.

3. Privilege Management

Once an entity has successfully classified their data into strata as described above, another challenge of data classification arises in the form of the question “Who should have access?” Information Technology professionals struggle with this concept as the rights of individual access to data can be the most difficult to control. Individual privileges should be appropriated based on the level of classification each asset has been given through the comprehensive nature of a risk assessment. “What information does this person or group need to perform their job function?”, should be one of the first questions asked when provisioning access to information. Authorized users should only have access to information that is commensurate with their job responsibilities. The concept of “privilege management” inevitably evokes a consideration of segregation of duties; the concept of separating tasks for a given process such that one person cannot perform the entire process unchecked (e.g., segregating the task of adding payees to the payroll system and printing checks). The risk of fraud and data loss is greatly increased when segregation of duties are not in place within an organization. The risk of segregation of duties is applicable to every industry, and the ability to access data should be carefully considered as a component of privileges management.

4. Maintain Compliance

Audits and compliance are often seen in two lights. One light, the helpful kind, can be seen by security professionals as a way for a third-party to analyze controls in place surrounding their data. A way for others to give their opinion, in essence, of the effectiveness of controls in place surrounding data which is often compared to a standard. The second light, the adversarial kind, is sometimes seen as a way for third parties to critique a system possibly designed by the professional being audited. Organizations that adopt the former better set themselves up to protect their data. As a point in case, a data breach is costly, both monetarily and to the brand, in comparison to the perceived nuisance that bi-annual or annual audit(s) present. Compliance with federal laws and regulations related to data are meant to assist, not be a detriment to the entities that abide by them. They provide a standard methodology for protecting assets and the information that keeps the proverbial engine running. As aforementioned, an optimal way to maintain compliance is to perform audits over the controls in place that protect the data, with due care given to critical data in the higher levels of the classification scheme. Knowledgeable professionals who are aware of the industry and applicable laws should be involved in the audit process to help ensure comprehensive coverage of the systems or processes being audited.

5. Business Continuity and Disaster Recovery

When disasters strike, the main concern is personnel safety and the continuation of business processes – in that order. The last thing information security professionals want to worry about when trying to recover critical operations for the success of business is the safety of critical data. An essential aspect of data classification surrounds the notion that data deemed most critical should be protected and stored, both logically and physically, in different locations. A formal, tested, and documented Business Continuity and Disaster Recovery Plan should be in place to help ensure that data is not lost or leaked in the event of a disaster. For example, organizations should consider “what if” scenarios and establish plans to mitigate the risks they present. A single point of failure inherently presents risks, especially with data that has been deemed critical to business operations. A business continuity plan could be largely ineffective if critical data cannot be recovered or if the occurrence of a loss in data confidentiality were to leak sensitive data.

6. Awareness

In the words of Kevin Mitnick, a renowned white-hat hacker, “Companies spend millions of dollars on firewalls, encryption, and secure access devices, and its money wasted, because none of these measures address the weakest link in the security chain.” What Mitnick is referring to in this instance is people. Where information technology has historically solved some of life’s most troublesome woes, the weakest link in the chain is and always has been people. As it pertains to data classification, security awareness training must take place for all individuals within an organization, giving people the knowledge and awareness of the classification levels of the data they interact with in their everyday jobs. In addition, awareness training must exist at every level to include their roles and responsibilities in a Business Continuity and Disaster Recovery Plan, along with how to handle various scenarios. It can be a challenge for companies to justify using resources to maintain a comprehensive security awareness program, but the benefits have been shown to outweigh the costs. It has the benefit of reducing the risk of people being the cause of critical data leaks, such as being the victim of social engineering.

Outlined above are some of the more basic, and yet complex, challenges associated with data classification. By no means is this list exhaustive; rather, it seeks to increase awareness, from process owners to executive management, of the criticality in data classification. Information is often considered a global currency, while companies, governments, and individuals are playing the role of personnel in a so-called “Information War”. While the concept of information warfare may seem asymmetric, the concept of protecting valuable data remains constant. The first step in protecting information assets is having a sound and resilient data classification process.

Previous Article
Picking between ISO 27001 or SOC 2
Picking between ISO 27001 or SOC 2

With the rising popularity of compliance efforts today driven by factors such as customer demand...

Next Article
Building a program? Better get your internal audit game right
Building a program? Better get your internal audit game right

Originally published at In the wake of several major data security breaches and in...


Subscribe now
to receive content updates once a week

First Name
Error - something went wrong!