Data Classification

(OBJ 3.3)

Data Classification

• Category based on the value to the organization and the sensitivity of the information, determined by the data owner

Sensitive Data

• Information that, if accessed by unauthorized persons, can result in the loss of security or competitive advantage for a company
• This is the data that we need to be protecting
• Over classifying data leads to protecting all data at a high level
  • Do not waste valuable resources
  • Means you will spend more money, time, resources to protect all data
• There are two different classification schemes normally used by organizations:
  • Commercial Business
  • Government organization

Importance of Data Classification

• Helps allocate appropriate protection resources
• Prevents over-classification to avoid excessive costs
• Requires proper policies to identify and classify data accurately

Commercial Business Classification Levels

• Public
  • No impact if released; often publicly accessible data posted in an open-source environment
• Sensitive
  • Minimal impact if released, e.g., financial data
• Private
  • Contains internal personnel or salary information, data that should only be used within the organization
  • Information that relates to an individual entity (Private data definition)
• Confidential
  • Holds trade secrets, intellectual property (IP), source code, etc.
  • Affects the business if disclosed
  • Can only be viewed by approved personnel
• Critical
  • Extremely valuable and restricted information
  • Just a few trusted individuals have access to this data

Government Classification Levels

• Unclassified
  • Generally releasable to the public or under the Freedom of Information Act
  • Law in the U.S. that the public has a right to know information about their government
• Sensitive but Unclassified
  • Includes medical records, personnel files, etc.
  • Won't hurt national security if released, but would impact those whose data is being used inside of it.
  • Example: Soldiers Medical Record
• Confidential
  • Contains information that could affect the government
  • "Serious effect"
• Secret
  • Holds data like military deployment plans, defensive postures
  • Could seriously damage national security if disclosed
  • "Serious damage"
• Top Secret
  • Highest level, includes highly sensitive national security information
  • Would greatly damage national security if disclosed

Data life cycle

• "Data should not be stored forever"
  • Collect
  • Retain
  • Dispose
• Policies about data life cycle must exist within your organization
  • Example: Keep records for 6 months.
• Follow the local, state, and government laws and regulations for data retention time requirements

Legal Requirements

• Depending on the organization's type, there may be legal obligations to maintain specific data for defined periods

Documentation

• Organizational policies should clearly outline data classification, retention, and disposal requirements
• Note: Understanding data classifications and their proper handling is vital for protecting sensitive information and complying with relevant regulations