In Domain #2, we discuss Asset Security. Following on from Domain #1, recall that Data (or Information) is an organization’s key asset, and that the asset may exist in various forms – not just paper, but also digital assets. Also recall that there are several factors that should be included when determining the true cost or value of the asset to the organization.
How would Data Classification and Data Retention policy help an organization protect the privacy of the customers, as well as maintain the security of the organization’s information?
Vincent Piacentino says
Data classification policies analyze structured and unstructured data and organize it into categories based on the file type, its contents, and other metadata. Data classification protects sensitive data by setting risk levels. This ensures that only authorized users can access it, and only for what they need. Data classification secures critical data and ensures compliance with a given industry’s regulations/laws.
Data retention preserves data for regulatory or compliance purposes; the data must be disposed of properly when no longer needed. Data retention policies specify how data needs to be formatted, what storage devices/systems are used, and how long these need to be kept, considering regulations and laws. Data retention is complex and requires a continuous development approach in order to handle the growing amount, type, and sensitivity of enterprise data.
Data retention length of time varies by subject and examples are:
• Business documents – 7 years
• Accounts receivable/payable – 7 years
• Invoices – 5 years
• Human Resources – 7 years if employed, 3 years if not hired
• Tax records – 4 years after filing
• Legal correspondence – permanently
Vanessa Marin says
Great post, Vincent!
I completely agree. These two policies will work together to protect customers and stakeholders. I especially like your point that these policies can be complex and a continuous development approach must be taken. With IoT taking over the world and the ever increasing channels of data collection, many startup companies are not as cautious as they should be. Companies need to review their policies but also review their market, business processes, trends, and really anything that may impact data collection.
Vincent Piacentino says
Thank you, Vanessa!
I agree that companies need to take a good hard look at what they are doing!
With IT and business, there has always been a need for continuous evaluation and improvement. Nowadays, it is absolutely critical with the amount of sensitive information that is traversing networks. Attacks and tactics are always evolving too. Being vigilant and staying a step ahead is the plan because the wicked never sleep!
Rudraduttsinh says
Data is not just a risk. It is a crucial asset of the business. A business should have a policy about how it wants its employees to treat this asset. It should address how employees may create, store, transmit, protect, and dispose of data. While large, highly regulated companies can have multiple policies that address every nuance of data governance, not all companies need such a complex framework.
Data Classification plays a critical role in the organization’s security and compliance program. It provides a foundation for the data security strategy by helping you understand where you store sensitive data, on premises and in the cloud. Further, it also assists in better management, boosting productivity, storage, and cost reduction. In a nutshell, data classification helps you understand what type of data you store and where it is located.
The other part of the data is retaining it, be it for organizational use or regulatory reasons. Data retention policies concern what data should be stored or archived, where that should happen, and for what time. Once the retention time expires, it could be either deleted or moved to other
Mei X Wang says
Risk assessments of information assets should first start with data classification. A popular standard for data classification is the FIPS 199 Security Categorization. By classifying information assets by their impact level, the company could allocate adequate resources to protect the data based on the level of severity. If information is classified as high, then the organization would understand that a breach of said information would result in a tremendous loss to the organization. The data classification policy would help protect the privacy of the organization’s information because, by classifying and assessing the data, adequate protection would be dispersed to address the risk.
Data retention would help protect the organization’s information and the privacy of customers because highlighting what needs to be kept, what can be disposed of, how long it needs to be kept, and more will help the organization differentiate what is absolutely necessary to facilitate business needs from what is excess information that can be disposed of. If an organization were to keep all their data, they would be wasting unnecessary resources storing and protecting the data. Having a data retention policy would also offer reassurance to stakeholders by establishing roles and responsibilities for nonrepudiation. Expectations of these roles will be outlined and employees would take ownership of protecting what has their name on it. A data retention policy would also offer transparency about how the organization’s information is protected and whether it is up to par with industry best practices (e.g., with the use of encryption).
Krish Damany says
Any organization these days, especially as we rely on using the Internet more and more, has a lot of data collection about both itself and the customers it serves. Having proper data classification and data retention policies in place will determine the best method to safely organize and store data. Data can be classified as two main types: sensitive and non-sensitive data. Sensitive data is typically classified data or confidential in nature, and should be stored in such a manner that the data stays secure from potential leaks and/or breaches. Non-sensitive data is typically comprised of public and searchable data or business information that can be shared freely without any repercussions. Along with the different types of data, an organization also needs to decide how long the data is kept and the method in which it is kept. A data owner can decide that certain gathered information is non-essential to the organization and can decide to filter out that data or have it deleted within a specific time frame, such as 3-6 months from initial storage. Essential data needs to be stored and backed up in many different secure locations to make sure that, in the event of a disaster, the data can be restored to the systems and operations can continue as before. Policies dealing with data classification and retention in place at an organization will greatly reduce the risk of breaches of the main CIA triad.
Humbert Amiani says
Data classification and data retention policies are vital inputs/guidelines to key processes like risk assessments. These policies guide organizations in selecting the appropriate security objectives and levels for data collected on their customers, and for internally used data as well, like trade secrets. If not well classified, sensitive data can be inadvertently exposed to unauthorized parties, hence putting the privacy of customers at risk, as well as sensitive organizational information such as payroll data and employee PII.
With a mature data classification procedure or policy in place, organizations are able to secure certain types of data by employing appropriate security measures and access controls to ensure both privacy and confidentiality of the data. A data retention policy, on the other hand, ensures that any collected datum is kept or stored up until the pre-set maximum time before it is disposed of. This protects the organization, especially when future events can lead to a need to review old data, as in the event of a lawsuit by a customer or former employee.
Vanessa Marin says
Right on the money, Humbert!
Liability is the key here. In the event of an audit or legal process, having information that is old or past its use can have serious consequences. Just because data is old and has lost its value, it doesn’t mean that its confidentiality type has changed. Retention of data can also get extremely expensive, so a reduction in storage and costs is also a benefit.
Vanessa Marin says
Data Classification and Data Retention policies are critical in protecting information assets. They work together to make the business aware of the type of data that may need stricter protection controls and how long certain data needs to be kept. This will reduce the liability risk that mismanagement of such information would cause.
A Data Classification policy helps data owners know how the business defines the different data types that might be found in the company. These can range anywhere from Top Secret, Secret, Confidential, Private, Public, and many more. Depending on the definitions assigned, a data owner can better apply the standard to their own data in their systems. Then they work with IT to identify the proper controls that need to be in place depending on the data classification/type.
A Data Retention policy acknowledges that not all data has equal or consistent value over time. This means that as data is collected and stored, its intrinsic value diminishes. Some data must be kept for X number of years due to policy, regulation, best practice standards, etc. However, over time, regulatory retention periods expire, data no longer provides the same insight as new data, or its use becomes obsolete. In fact, retaining data beyond its “valuable time frame” becomes a liability. The longer you hold onto data, the more opportunity it has of being breached, stolen, or lost. Data Retention policies define how long certain types of data have to be kept and may also list the guidelines for disposing of said data (physical or digital).
The combination of these two policies gives confidence to customers and stakeholders that data is being used for its intended purpose and then disposed of when that purpose has been met.
Krish Damany says
Hi Vanessa,
I honestly don’t think I could have said it any better! These policies are the backbone to making sure that an organization’s use of data is properly classified and utilized, all while mitigating risk of confidentiality, integrity, and availability of the data. With the potential of terabytes of data being poured into some organizations, data owners have a responsibility to make sure that only the necessary data is staying and how long the data is needed, as well as sorting the data into specific tiers based on importance.
Jerry Butler says
Hi Vanessa,
In addition to your brilliant view, applied security controls may depend on how valuable information is to the company. For instance, NIST 800-53 provides the baseline for security controls based on the level of criticality, i.e. low, medium and high.
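Two posts above touch the same mechanism: Mei’s point that FIPS 199 categorizes information by impact level, and Jerry’s point that the NIST 800-53 control baseline follows from that level. The example below (added here; it is not code from this thread or from NIST) implements the FIPS 199 rules: parse the standard’s “SC = {(confidentiality, LEVEL), …}” notation, roll several information types up into a system-level category using the high-water-mark rule, and select the baseline from the result. It also handles the two edge cases practitioners trip over: “not applicable” is legal only for the confidentiality of public information, and a system as a whole can never be rated below LOW on any objective. The admissions-system information types in the `__main__` block are constructed sample input, and `control_baseline` is an assumed helper name.

```python
"""FIPS 199 security categorization with the high-water-mark rule.

Constructed example: categorize a hypothetical student-admissions system from
the security categories of the information types it stores or processes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Impact levels in FIPS 199 order. "NA" (not applicable) is a legal value only
# for the confidentiality of information that is already public.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Spellings people actually type in categorization worksheets.
_ALIASES = {"N/A": "NA", "NOT APPLICABLE": "NA", "NOT-APPLICABLE": "NA", "MOD": "MODERATE"}


def normalize_level(raw: str) -> str:
    """Map user spellings ('moderate', 'N/A', 'not applicable') to a LEVELS key."""
    key = raw.strip().upper()
    key = _ALIASES.get(key, key)
    if key not in LEVELS:
        raise ValueError(f"unknown impact level: {raw!r}")
    return key


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = normalize_level(getattr(self, objective))
            object.__setattr__(self, objective, level)  # frozen dataclass: bypass __setattr__
            if level == "NA" and objective != "confidentiality":
                raise ValueError(
                    f"FIPS 199 allows 'not applicable' only for confidentiality, not {objective}")

    def high_water_mark(self) -> str:
        """Overall impact level = the highest impact across the three objectives."""
        return LEVEL_NAMES[max(LEVELS[getattr(self, o)] for o in OBJECTIVES)]

    def __str__(self) -> str:
        # FIPS 199 Section 3 notation, e.g.
        # SC = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}
        pairs = ", ".join(f"({o}, {getattr(self, o)})" for o in OBJECTIVES)
        return "SC = {" + pairs + "}"


_PAIR = re.compile(r"\(\s*(confidentiality|integrity|availability)\s*,\s*([^)]+?)\s*\)", re.I)


def parse_sc(text: str) -> SecurityCategory:
    """Parse the FIPS 199 'SC = {(objective, LEVEL), ...}' notation."""
    found = {m.group(1).lower(): m.group(2) for m in _PAIR.finditer(text)}
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"security category is missing {missing}: {text!r}")
    return SecurityCategory(**found)


def categorize_system(info_types: list[SecurityCategory]) -> SecurityCategory:
    """System categorization: per-objective maximum over every information type
    the system handles. A system is never NA on any objective; FIPS 199 sets a
    LOW floor because the system's own processing functions must be protected."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    levels = {}
    for objective in OBJECTIVES:
        rank = max(LEVELS[getattr(sc, objective)] for sc in info_types)
        levels[objective] = LEVEL_NAMES[max(rank, LEVELS["LOW"])]
    return SecurityCategory(**levels)


def control_baseline(system: SecurityCategory) -> str:
    """Baseline selection as FIPS 200 describes it: high-impact if any objective
    is HIGH, moderate-impact if any is MODERATE and none HIGH, otherwise low."""
    return system.high_water_mark()


if __name__ == "__main__":
    # Constructed information types for a hypothetical admissions system.
    applicant_pii = parse_sc(
        "SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}")
    public_catalog = parse_sc(
        "SC = {(confidentiality, N/A), (integrity, LOW), (availability, LOW)}")
    system = categorize_system([applicant_pii, public_catalog])
    print(system)                    # SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}
    print(control_baseline(system))  # MODERATE
```

The point of running the aggregation in code rather than by eye is that the floor and the NA rule get applied consistently: a system that only serves public data still lands at LOW for confidentiality, and a worksheet that marks integrity as “not applicable” is rejected instead of silently lowering the system’s category.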
Eugene Angelo Tartaglione says
From first-hand experience being a decision influencer on data retention policies, I can see the importance of data retention policies and data classification. For example, we handle a lot of private data from students/applicants. We determine how the data is collected (online forms, portal submissions, etc.), who the data affects, and what kind of information was collected from these individuals. From here we determine who can use the data, as well as the data retention policy, determined by how we classified the data. I will not disclose how long we held on to the data and who was able to access it, but we set limitations on which group had access, determined by the purpose of the data collected. We have automatic procedures set in place to delete the data after the allotted amount of time. If there were to be a leak of some of this data, it could lead to people’s SSNs, email addresses, names, and addresses being released. With this in mind, it is very important to protect this data.
Krish Damany says
Hi Eugene,
So interesting of you to provide some insight on your own experiences dealing with data policies! I’m sure it must have been quite daunting to work with large buckets of data from all the applicants and students of this organization, but using data policies, it probably helped narrow down who could access these files to mitigate risk of the data being leaked, as well as proper disposal of the data to make sure the infrastructure could accept new data types.
Mei X Wang says
Hi Eugene, I work in security compliance and I also deal with a fair share of Information Security policies. Are there major differences between an educational organization’s data classification/retention policies with ones drafted for commercial businesses?
Jerry Butler says
Data Classification and Data Retention policy can help an organization protect the privacy of the customers and maintain the security of the organization’s information by knowing what to keep and how long to keep it. When determining retention policy, knowing what classification the data has is critical in determining how long it will be retained. Data intake policies should look at the business needs and reasons. This will reduce how much unneeded data is being digested. Security around data retention is governed by philosophy and laws.
Rudraduttsinh says
Hi Jerry,
I agree that the data should be retained based on business needs and reasons, just to put it in layman’s terms. This also brings up the topic of data classification. Apart from the laws and philosophy, organizations also need to consider other aspects such as productivity, compliance, and security.
Amelia Safirstein says
Data classification allows an organization to supply the proper security and access controls to data. Locking down non-vulnerable, publicly known information with the strictest rules would be inconvenient and a waste of money. At the same time, leaving highly critical, private information out for the world to see would be detrimental to an organization.
Data retention ensures that a company holds onto data for a length of time that keeps it in legal and regulatory compliance and allows it to investigate if needed, while eliminating the unnecessary risk associated with storing sensitive data for longer than is needed.