In Domain #2 we discuss Asset Security. Following on from Domain #1, recall that data (or information) is an organization’s key asset, and that the asset may exist in various forms, not just paper but also digital assets. Also recall that several factors should be included when determining the true cost or value of an asset to the organization.
How would Data Classification and Data Retention policy help an organization protect the privacy of the customers, as well as maintain the security of the organization’s information?
Duy Nguyen says
A Data Classification policy is how an organization manages sensitive information and the availability of this asset to authorized users. Inventorying and classifying this information helps in the prioritization of resources and protection. Simply put, it helps an organization identify critical vs. non-critical data and effectively focus and prioritize resources. In addition, it helps an organization understand how data is used, gathered, stored, and accessed.
Scott Radaszkiewicz says
Duy, I think you hit a key point when you say it’s simply identifying critical vs. non-critical data. If an organization would, at the very least, just do that, and take appropriate measures to keep the identified critical data secure, they would be in much better shape. I think too often people get bogged down with securing EVERYTHING, and they don’t have enough time or resources to secure what is truly critical.
Jonathan Duani says
Duy,
Short and sweet response, and I think it really sums up the question nicely. The statement you made that it simply helps identify critical and non-critical data holds a lot of truth, and with just that information they are able to properly secure the data.
Folake Stella Alabede says
A recent privacy law I can think of, which is one of the most important privacy regulations of recent years, is the European Union General Data Protection Regulation (GDPR), adopted April 2016 and enforceable beginning May 2018.
– It protects the personal data and privacy of EU citizens for transactions that occur within EU member states
– It regulates the exportation of personal data outside the EU.
– It says that companies must provide a ‘reasonable’ level of protection for personal data
– Companies that collect data on citizens in European Union (EU) countries will need to comply with the strict new rules around protecting customer data.
– GDPR applies to any organization operating within the EU, as well as any organization outside of the EU that offers goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world needs to comply with the GDPR policy.
This law presents risks to organizations, especially those that collect data on EU citizens. Google was fined about $57 million earlier this year for failing to comply with GDPR.
It also represents risk in the sense that complying might not be as easy as it seems. Using my organization as an example, we are a processor as well as a controller, and we have been working on getting compliant for a few months by looking at the articles and domain breakdown using the COBIT framework, and it has been a really daunting task.
In addition, performing the SOX 404 compliance audit for my organization’s subsidiary located in the UK is presently at a standstill, as we’re looking at how to receive data and workpapers from the UK without putting the organization at any risk by defaulting on any of the GDPR policy.
Elizabeth V Calise says
Hi Stella,
I like how you incorporated your own perspective on how complying can be challenging. Reading about fellow classmates’ experiences helps put in perspective how hard it can be to be in compliance with certain regulations like the GDPR. As you mentioned, your SOX 404 compliance audit is at a halt, but it is a reminder that not only do you have to deal with the EU regulations, you also need to be aware of the country regulations as well. (Yes, I know the UK is not part of the EU, but her comment triggered the thought.) Overall, this is not a walk in the park.
As someone who does not get involved in this type of work, Stella’s real examples help me understand better. Does anyone else in the class deal with having to be compliant with domestic and international regulations?
Elizabeth V Calise says
Data Retention explains how an organization keeps and secures its data. It also explains how long the data is kept and where it is kept. Data classification is how the organization categorizes its data. This could vary depending on the organization/industry, but some examples are PI, HIPAA data, program data, technical vs. non-technical, image data, documentation data, data related to an incident, etc. A data classification policy can help an organization protect the privacy of its customers, as well as maintain the security of the organization’s information, because it gets into the regulations governing the data and who will and will not have access to it. For example, human resources will have access to PI, but developers of an application will not. Categorization of data implements limitations; for example, necessary medical staff will have access to HIPAA data. Also, data classification can help with identifying how long you retain the data. Depending on the category of data, how long you will keep it is going to vary. You can say there is a correlation between data classification and data retention. When it comes to data retention, it is important to note that the longer you hold onto data, the more likely it is to get loose. Narrowing the window of how long data can be stored decreases the chance of the data being stolen. It is important to know when the data is no longer needed so that you can dispose of it.
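The HR-vs-developer example above is a label-based access decision: each user carries a clearance (a sensitivity level plus the compartments they have a need to know) and each data item carries a classification label, and a read is allowed only when the clearance dominates the label. The following is an added example written for this page, not code from the discussion or any participant; the four-level scheme, the compartment names and the users and data items are constructed assumptions.

```python
"""Label-based access check: subject clearance vs. data classification.

Added example, not from the discussion. The level ordering, compartments,
users and data items below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# Ordered sensitivity levels (assumed scheme; higher index = more sensitive).
LEVELS = ("public", "internal", "confidential", "restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A classification label: sensitivity level plus need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def __post_init__(self) -> None:
        # Fail closed on labels the scheme does not define.
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as sensitive as `other` in both dimensions."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, data: Label) -> bool:
    """Allow a read only when the subject's clearance dominates the data label.

    Anything not explicitly dominated is denied (default deny).
    """
    return subject.dominates(data)


# Constructed sample subjects and data items (assumptions, not real data).
SUBJECTS: Dict[str, Label] = {
    "hr_analyst": Label("confidential", frozenset({"HR"})),
    "developer": Label("confidential", frozenset({"ENG"})),
    "nurse": Label("restricted", frozenset({"MEDICAL"})),
    "contractor": Label("internal"),
}

DATA: Dict[str, Label] = {
    "employee_ssn": Label("confidential", frozenset({"HR"})),
    "patient_record": Label("restricted", frozenset({"MEDICAL"})),
    "build_logs": Label("internal", frozenset({"ENG"})),
    "press_release": Label("public"),
}


def access_matrix() -> Dict[Tuple[str, str], bool]:
    """Return {(subject, data): allowed} for every pair, e.g. for an access review."""
    return {(s, d): can_read(SUBJECTS[s], DATA[d]) for s in SUBJECTS for d in DATA}


if __name__ == "__main__":
    for (subject, item), allowed in sorted(access_matrix().items()):
        print(f"{subject:12} {'READ' if allowed else 'DENY':5} {item}")
```

Two points the code makes that the prose only implies: level alone is not enough (the developer is cleared to "confidential" but still cannot read the HR-compartmented SSN), and an undefined label raises rather than silently landing in the most permissive bucket.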
Oby Okereke says
Hi Elizabeth:
Your comment on data retention drew my attention, and I’d like to add that you’re absolutely right with regard to the duration of time that specific data can be held. To buttress your point, one can say that it has been a longstanding principle of European data privacy law that data should be held for “no longer than is necessary”. The foregoing statement supports your stance on disposing of data, but at the same time it is also absolutely important to consider that, much as an organization would prefer to dispose of data as early as possible, certain laws and regulations bar them from doing so. These data retention laws impose the final word as to how long data should be kept. All in all, organizations should practice and implement good encryption and storage standards as well as a good retention policy.
Scott Radaszkiewicz says
Elizabeth, you are so right about authorized data access. Principle of least privilege: it’s a basic principle in theory, but in practice it always seems like organizations are in too much of a hurry to get things up and running and not impede their employees. Too often I have come across systems where most of the users hold some kind of administrative privilege. Why? Because it was easy to set up. I think all the new data breaches and the attention they’re getting have increased the focus on this need to limit data access; hopefully things will get better.
Jonathan Duani says
Elizabeth,
I agree with and like your statement about data retention, that the longer a company holds onto the data the better the chance of it getting out. I also like how you listed the different types of data. There are many different types of data, and it is important to consider all of them when it comes to the retention policy and, more importantly, classification.
Sheena L. Thomas says
One factor in protecting the privacy of the data is to understand the data type and where and how the data is stored. You have to identify where customer PII and employee PII are stored. Next, you have to break the data into categories such as confidential, sensitive and/or public; the system owners or security professionals can then place the proper security controls around the data to protect its privacy. Some of the controls consist of encryption (at rest and in transit), VLANs, authorization and authentication.
Data Retention is a process of maintaining customer and/or employee data as long as it is necessary, and then discarding it in a safe manner when the data is no longer needed or required to be stored. Following a data retention policy and/or procedures will ensure that the data is properly stored based on its classification and discarded properly based on the policy. Both methods will ensure the privacy of the data is maintained through the life and disposal of the data.
Jonathan Duani says
Sheena,
I think that there are different types of data besides PII. I think this classification will fall under all information in the network. It is important to look at the whole picture; there are many different types of information in an organization and I think they all need to be looked at and secured accordingly.
Ahmed A. Alkaysi says
I agree, Jon. There can be confidential data that is non-PII, especially when it comes to trade secrets and proprietary data. It is important to get the whole view of what the data is and what it means to the organization. This is done by working with the business counterparts and data owners to determine how it should be classified.
Ahmed A. Alkaysi says
A data retention policy is an important document that will define how long data can be kept before being purged; where, why, and how data should be backed up; and what kind of data should be retained.
Data classification is an action that is conducted by data owners. They should rank the data based on criticality to business operations and its sensitivity. By ranking the data, the organization will be better prepared to implement controls to protect the data. The type and strength of the controls will be based on the criticality rankings of data.
Both of these items are extremely important to the security of the organization. By scoping out the data that is important for retention and risk rating them, the organization will be better prepared to secure the data and continue business operations in case an incident occurs.
Frederic D Rohrer says
Ahmed, good write up. I agree that data needs to be ranked first in order to protect it better. Similar to FIPS systems classification the data could be classified based on a CIA triad table. I think it is also important to mention that data has different states which do not apply to systems. Thus all data needs to be classified at least twice, in storage and in transit. It could be that relational information is not important in transit, but becomes important when stored with its relational counterpart – because only then can the full information be extracted.
Dima Dabbas says
Data classification and data retention policies are essential policies that organizations should implement to protect their customers’ data. Data classification labels and classifies data based on its sensitivity, privacy and confidentiality. Data classification is essential as it is used to determine the type of security our data and assets need. It is inefficient to treat all data equally in terms of security. Classifying and labeling the data ensures that the data is protected properly according to its label of importance and sensitivity. These labels are ordered based on the data’s similarities in terms of importance, value, sensitivity, size, etc. Having data classification in place demonstrates that an organization is willing to protect its valuable data, assets and resources, which in turn makes employees more aware of the data they are dealing and working with.
A data retention policy is as important as data classification. Data retention is the continued storage of an organization’s data for a defined period. Data retention ensures that important and valuable data for the organization is not deleted until a specific time. It also ensures that the data is destroyed after it is no longer needed. Having this policy in place also helps in not over-storing data, as storage of data requires additional cost, security and resources.
Scott Radaszkiewicz says
I can’t agree more with your assessment of the benefits. Having data classification in place is the first step in understanding what data you have, and how you must deal with it. If an organization takes this first step in protecting data, then I think it shows they are committed to a strategy to protect their data. It’s like taking that first step!
Ahmed A. Alkaysi says
Hi Dima, overall I agree with your statement. However, I would say that it’s not just the customers’ data that is important to an organization. Non-customer data such as proprietary information, trade secrets, or architectural diagrams are equally as important, if not even more important than customer data. If there is a data breach and those are lost, it can mean the end of the business itself. The business and the data owners need to look at all the data/information used within the organization and classify it appropriately in terms of confidentiality and sensitivity levels.
Jonathan Duani says
A data retention policy is how a company keeps data around, and data classification is how the data is secured. As long as there is a policy in place, it can help protect the company in the long run as well as the customer. When it comes to data classification, it is important to classify the data based on what is included. For example, a social security number would have a high level of data classification, which means that it is secured better in the company. Furthermore, it protects the customer, because if the company is making sure its customers’ data is secured properly, it will keep the customer safe.
Data retention is also important because it makes sure that data is kept for a specific length of time when it is needed and is stored securely, then destroyed properly. Data is not kept longer than the retention period states, so the company will stay in compliance.
Brock Donnelly says
Policies on data retention and classification greatly enhance an organization’s fortitude, and that protection extends to its customers. Data classification has the highest value to an organization when it comes to the customer and itself. Without proper classification, all data would be mishandled or otherwise treated all the same. How would anyone know if something was worth saving, proprietary, top secret?
Without classification, PHI and other PII could be stored on a public web page for company convenience. If treating PII similarly to web data were a true scenario, it would be disastrous for not only the company but also the customer. The embarrassment and loss to the company would be hard to measure against the suffering of the customer. Classification in the government space keeps millions from harm.
Applying classification to retention helps define storage duration, active and passive storage parameters, and methods for destruction. Poor data retention is more of a company weakness. Unless the aforementioned data scenario is leaked PII, a failed or nonexistent data retention policy is less likely to harm the customer. In the most likely case, poor data retention would lead to one of two highly plausible outcomes: obscenely long data storage, perhaps infinite, or swift data destruction. Quick data destruction could destroy current projects or company secrets. Long storage opens the organization to large monetary loss, embarrassment and possible lawsuits endlessly tying up the legal system. The cost of storage for the data would also increase, as systems would constantly need to be added for scale. Data classification and retention are necessary to keep intrinsic value in a defined data space or asset. These policies protect an organization’s most important assets: finances, reputation, and existence.
Elizabeth V Calise says
Brock
I like your take on weak data retention being more of an organizational weakness than harmful to the customer. Some ways organizations can avoid the negative impact of a weak data retention policy are to help the employees of the company understand the retention requirements for the various data types, create a records schedule that describes the retention requirements for each type of information, synchronize the systems, processes, and individuals of the organization so that the data is kept in accordance with the terms stated in the schedule, and monitor, review, update and improve the policy on a yearly basis.
This can also help avoid any monetary penalties an organization could possibly receive (civil, criminal and financial).
Folake Stella Alabede says
Data classification helps an organization protect privacy and maintain security, as data classification includes assigning a value to the organization’s data and then protecting the data based on its classification; this helps to protect data confidentiality and integrity.
After data is defined and classified, an organization defines security requirements and then identifies the security controls to implement those requirements to protect data in each of the different categories/classifications.
A data retention policy helps the organization protect privacy and maintain security, as the policy detailing the retention timeframe should be created using the laws and regulations applicable in the states where they do business, or best practices in general. This ensures that valuable data is not deleted earlier than is legally expected, and that data is not retained longer than expected (the longer data is kept, the more it costs with respect to the media it is stored on, etc.). Retention policies can reduce liabilities.
Ahmed A. Alkaysi says
One of the most important aspects of a data retention policy is how to get rid of, or purge, the data. Data remanence, which basically means the data left over after deletion, can be a huge issue. Just deleting or overwriting the data might not be good enough. Whole-disk encryption or even the total destruction of the hardware that stored the data might need to be done in order to ensure total loss of the data. This all needs to be included in the overall data retention policy.
Rommel R. Miro says
Data classification is essential to securing data. Without knowing and properly identifying the type of data you are trying to protect, you are also unable to assign value to it. However, data classification is not as simple as placing data in separate buckets. It has to be simple enough that it can be followed without being too complex. One of the benefits is that by grouping data, the groups can have similar security and compliance requirements. This, in turn, can foster standardized application of the needed controls across the organization. Doing so also provides an organization a starting point to properly evaluate storage, sensitivity, access and protection, because some data is more important than other data. The data stores and warehouses that we have today are growing at an exponential rate. Hoarding data has also been helped by the downward trend in storage costs and well-developed backup and recovery implementations. By having a data retention policy, an organization is able to avoid criminal, civil and financial penalties under the varied number of local, state, federal and international laws that, coupled with industry restrictions, keep legal counsel departments busy ensuring compliance. Some of those that place restrictions on or affect the manner of data retention are the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and Securities and Exchange Commission rules 17a-3 and 17a-4. These laws aim to protect both consumer privacy and data in general. By reducing the volume of data needing proper storage and security, an organization should see cost-saving benefits through efficiency alone. As mentioned in the guide, if an organization becomes involved in a legal dispute, the process of going through records to access stored material can quickly become an enormous and costly challenge.
Dima Dabbas says
Mel,
I think you hit the key points on why organizations should classify their data based on its value as well as having data retention policies in place. Organizations need to remember that security involves cost and that it is very important to secure the data that can have serious damage and impact on the organization if disclosed. Also, storing the data off-site following a data retention policy involves the organization being aware that the data is protected and marked based on its value to the organization. Data classification and data retention policies are not simple things to implement but they can benefit the organization significantly when done properly.
Ahmed A. Alkaysi says
Hi Mel, you bring up a great point regarding the efficiency of storing the data. How the data is accessed after retention is equally as important as how it is stored. In a legal dispute, if forensics is involved, the data owners must be able to search for and provide data in a timely manner. There are some organizations, like Iron Mountain for example, that take responsibility for safely transporting, categorizing, and storing the data that needs to be retained for long periods of time. Many organizations might just contract this to a third party like Iron Mountain, which makes it easier to store and retrieve data as needed, due to the technology they have implemented and the contracting requirements.
Steve Pote says
You don’t need to secure what you never had.
There are more subtle degrees. The effort to secure “sensitive” and “private” in non-governmental organizations (NGOs) and “secret” in government agencies multiplied by how long you will need it would suggest you don’t gather anything you don’t need and don’t store it any longer than you must. Much as law firms are careful of retention of ~discoverable~ data, customer’s privacy is a liability when stored.
Hoarding dilutes focus.
The classification is irrespective of format.
Scott Radaszkiewicz says
Data classification helps an organization categorize its data and understand the importance of that particular data. Data classification looks at data in four possible ways: Confidential, Private, Sensitive and Public. Once data is classified, an organization can apply appropriate measures to protect that data. Protecting data can get costly. Whether it’s securing access or encrypting data, not all data needs to be treated the same way. Data classification allows appropriate measures to be taken to secure the identified data that needs it. Classifying all data also allows for a total picture of the company’s data, so nothing is missed.
A retention policy helps to eliminate unneeded data, that is, data that we no longer need to worry about protecting. If you are storing an employee’s personal information, and your retention policy calls for deletion of that data one year after they leave the company, then you are not keeping data stored forever and having to worry about expending resources to protect it. While the data might still be confidential and need to be protected, in reality it is no longer needed, as identified by the retention policy.
Sheena L. Thomas says
Scott, I was drawn to your comment regarding “expending resources to protect the data”. This is so true. Most companies are always complaining about budgets, funding and resources. So why not pay attention to the resources you are using to protect data that is possibly not needed? I would also be concerned with breaches when it comes to data retention. Are we keeping data that’s not needed and could possibly be exposed during a breach?
Dima Dabbas says
Scott,
You brought up an interesting point when explaining data retention. Organizations need to focus on their data retention policies and get rid of the data that is no longer needed based on this policy. This will eliminate the possible costs and resources that are assigned to secure this data. As long as the data retention includes the period that data is available, organizations should destroy or eliminate the data after that time period.
Frederic D Rohrer says
Data classification should be used to classify data based on its importance in the CIA triad. For example, data can be categorized as valuable for continued operation, valuable to the client, or valuable for long-term operation (such as intellectual property). Data classification can then aid in system and procedure creation, to establish where sensitive data is stored and handled, and to restrict access. Data can extend from one medium to another, thus it is important that all assets, regardless of form or factors, be classified under an administrative control scheme.
Data retention policies can protect from and fulfill legal requirements. They can also help in forensic activity, statistical analysis or privacy concerns. Retention policies should be designed to minimize impact on the client and the organization. Retention can often be challenging as it includes the rules for destruction of data.
Scott Radaszkiewicz says
Frederic, you are right about the challenges of data retention policies. Merely having a policy is not enough; it must be followed. A policy includes two key pieces: how long to hold the data and how to destroy it. If you have a data retention policy that states that after 2 years certain data is destroyed, but you don’t destroy the data, then it’s still vulnerable. Having the policy and following through with what the policy dictates is key.
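Scott’s point here, and his earlier one about the one-year-after-departure rule, is that a retention schedule only reduces exposure if something actually applies it and someone can prove it was applied. Oby’s caveat above also matters: a legal hold must be able to suspend disposal. The following is an added example written for this page, not code from the discussion or any participant. It turns a records schedule into code, decides per record whether to retain, dispose, hold or escalate, and audits for records kept past their deadline. The schedule, classifications, dates and records are constructed assumptions, not any organization’s real policy.

```python
"""Retention schedule as code: disposal decisions, legal holds, and an
audit of records still present after their retention period.

Added example, not from the discussion. The schedule, record fields and
sample inventory are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed records schedule: classification -> days to keep after the
# triggering event (employee departure, end of customer relationship, ...).
SCHEDULE: Dict[str, int] = {
    "employee_pii": 365,
    "customer_pii": 730,
    "financial_record": 7 * 365,
    "marketing_analytics": 90,
}


@dataclass
class Record:
    record_id: str
    classification: str
    trigger_date: date          # when the retention clock started
    legal_hold: bool = False    # a hold suspends disposal regardless of age


@dataclass
class Decision:
    record_id: str
    action: str                 # "retain", "dispose", "hold" or "review"
    reason: str


def retention_deadline(rec: Record) -> Optional[date]:
    """Date after which the record should be gone, or None if unscheduled."""
    days = SCHEDULE.get(rec.classification)
    return None if days is None else rec.trigger_date + timedelta(days=days)


def decide(rec: Record, today: date) -> Decision:
    """Apply the schedule to one record.

    Unknown classifications fail closed: they go to a human for review and
    are neither silently kept forever nor silently purged.
    """
    deadline = retention_deadline(rec)
    if deadline is None:
        return Decision(rec.record_id, "review", "no schedule entry for classification")
    if today <= deadline:
        return Decision(rec.record_id, "retain", f"within retention until {deadline}")
    if rec.legal_hold:
        return Decision(rec.record_id, "hold", f"past {deadline} but under legal hold")
    return Decision(rec.record_id, "dispose", f"retention expired {deadline}")


def run_schedule(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record IDs by action so the data owner can act and keep evidence."""
    out: Dict[str, List[str]] = {"retain": [], "dispose": [], "hold": [], "review": []}
    for rec in records:
        out[decide(rec, today).action].append(rec.record_id)
    return out


def audit_overdue(records: List[Record], today: date, grace_days: int = 30) -> List[str]:
    """IDs of records still present more than `grace_days` past their deadline
    and not on hold: evidence the policy exists but is not being followed."""
    overdue: List[str] = []
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is None or rec.legal_hold:
            continue
        if today > deadline + timedelta(days=grace_days):
            overdue.append(rec.record_id)
    return overdue


# Constructed sample inventory (assumed data, not real records).
TODAY = date(2019, 6, 1)
RECORDS = [
    Record("emp-1001", "employee_pii", date(2017, 1, 15)),                # left over 2 years ago
    Record("emp-1002", "employee_pii", date(2019, 3, 1)),                 # recent departure
    Record("cust-2001", "customer_pii", date(2016, 5, 1), legal_hold=True),
    Record("fin-3001", "financial_record", date(2014, 1, 1)),
    Record("mkt-4001", "marketing_analytics", date(2019, 1, 1)),
    Record("misc-5001", "camera_footage", date(2018, 1, 1)),              # not in the schedule
]

if __name__ == "__main__":
    for action, ids in run_schedule(RECORDS, TODAY).items():
        print(f"{action:8} {ids}")
    print("overdue:", audit_overdue(RECORDS, TODAY))
```

Run periodically, the `dispose` list is the work order and the `audit_overdue` list is the finding Sheena describes an auditor asking for: proof that what the policy says is destroyed actually is. Disposal itself is out of scope here; as Ahmed noted earlier in the thread, deleting a row is not the same as ensuring the data is unrecoverable from the underlying media.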
Sheena L. Thomas says
I agree, Frederic, data retention can be challenging; however, I think a great asset management tool, along with a data destruction policy and a deprovisioning policy and procedure, could assist in this area. I worked for an employer that was heavily regulated by PCI and SAS 70, and as an Internal Auditor for the company we never had issues with data retention. I think if more companies had to show proof of their enforcement of a data retention policy, the issue itself would be less challenging.
Jonathan Duani says
Frederic,
I agree that you should look at the data based on the CIA triad. I like how you mentioned that it could help design systems. Designing a system around security is much better than having security as an afterthought. If you start building something with security in mind the whole time, it will be more secure than if it were an afterthought.