In Domain #2, we discuss Asset Security, and following on Domain #1, recall that Data (or Information) is an organization’s key asset, and that the asset may exist in various forms – not just paper, but those digital assets. Also recall that there are several factors that should be included when determining the true cost or value of the asset to the organization.
How would Data Classification and Data Retention policy help an organization protect the privacy of the customers, as well as maintain the security of the organization’s information?
Kelly Sharadin says
Data is an asset that is guaranteed to grow with the business exponentially, and as a result, organizations need to be able to scale security practices effectively. However, not all data types carry the same significance levels to the organization. Therefore, data classification is crucial to ensure sensitive data types are assigned the appropriate security controls (ex., access controls like least privilege and audit logging). An organization may classify all financial data types as sensitive, restrict finance department employees’ access, and explicitly deny access from other departments based upon the data classification. Data classification helps organizations have visibility into what data they collect. Once data is classified, companies need to identify how long they must maintain that data. A data retention policy allows organizations to legally and officially state how long data is to be retained by the company. For example, an organization may maintain customer records for up to 7 years, and after those seven years, records are destroyed. A data retention policy helps safeguard the organization from compliance and legal requirements.
Anthony Wong says
Kelly,
Great explanation on the importance of needing a data classification policy. As an example, it does not make much sense to implement complex and expensive controls to keep secure data labeled ‘Public’. This can be cleared up with the use of the policy and help security determine what controls need to be in place for more restricted data. It is crucial for enterprise’s to immediately classify the data early in the data lifecycle, during the create and store phases.
Mohammed Syed says
Yes, day by day data will be growing in the digitalization future. It becomes more crucial to sort and manage data as per sensitivity level, so more data prevention policies and laws should be used for data protection.
Oluwaseun Soyomokun says
Great points cited and in addition to the classification of records and the parties responsible for retaining and destroying the data should be outlined in the Data Retention Policy. The concern about the classifications should not be too restrictive either, because many types of data may need to be classified. As with every other issue in security, organization needs the classification to balance the growth of the business and security needs.
Mitchell Dulaney says
Hi Kelly – you are spot-on that without data classification, appropriate application of security controls to the organization’s data is not possible. While an organization could certainly apply controls to unclassified data, all data is not equally sensitive or critical, and there is no way to verify that the applied controls are appropriate for the specific data it is intended to protect. Classification helps protect the most sensitive data effectively while also reducing overhead costs associated with overprotecting less sensitive data.
Mohammed Syed says
As per the Asset security, the data classification identifies the value of the data to the organization and identifies how data owners can determine the proper type. The Classification authority is the one who applies the original classification of the sensitive data. Sort and categorizations help to set baselines for an information system. The primary purpose of help indicates the level of Confidentiality, integrity, and availability. Ensure data is protected most cost-effectively. Each classification should have different handling requirements and procedures.
It also defines long-time strategic goals for data management across all phases of the project or enterprise. We can use our organization’s high-level principles that establish a guiding framework for data management. Data Analysts ensure the data is stored in a way that makes more sense to the organization. Accountable for architecting a new system that will hold company information or advice in purchasing a product. Work with data owners to help ensure that structures setup support business objectives. These are the data management process stages, Capture, collection, digitization, storage analysis, and presentation Use.
Data retention involves all stakeholders in aligning the business and legal requirements for the data retention policies. Establish common objectives for supporting archiving and data retention best practices. Data Retention policy should outline the classification of records and parties responsible for retaining and destroying procedures used for demolition. What data is stored in the company, and how long is it stored where it is stored. Data comes in so many different formats. Like Storing the data in original format may render it inaccessible later. It’s practical to tag data sets to ensure searchability and accessibility.
Anthony Wong says
Mohammed,
I really enjoyed how you laid out the different roles and responsibilities when it comes to the whole data lifecycle. The data owner will always be held accountable for the data and how it is stored, used, shared, etc. However, as you mentioned, there are other important roles that are responsible for ensuring the data is protected to the data owner’s requirements.
Kelly Sharadin says
Hi Mohammed,
I would echo Anthony’s comments, nicely written post outlining how identifying the various elements of the data life cycle work together beginning with data type, where the data is stored and who are the data custodians. I work in incident response so I place great importance on knowing where data is located and who can I call if I need to access said data.
Kelly
Shubham Patil says
Mohammed,
The data retention policies should follow the laws of the jurisdiction within which the organization’s data resides. It must similarly comply with any regulatory requirements. The policy must address the organization’s operational requirements.
Kyuande Johnson says
Great Points Muhammed!
Having an idea of the value of organizational data is essential.
Giving data a monetary value of the data will determine how much to spend on security mechanisms. The cost of securing data should never exceed the value of the data it’self.
Kyuande Johnson says
Great Points Mohammed
Properly implementing and following the data retention policy saves money. Organizations will have an accurate depiction of what data is needed. This will save tons of storage space. Data storage is not cheap so having control of what is not needed can save money in th elong run. It’s also imparative to ensure that data is kept for the appropriate amount of time prevents lawsuits.
Anthony Wong says
A data classification policy is necessary for any enterprise to adequately protect their assets. A data classification policy can help security experts, with the help of the data owners, determine how valuable the asset is which drives what controls need to be implement to safely protect it. Organization’s that collect highly confidential data such as social security numbers (SSN), credit card payment information, and personal health information (PHI) can mark these data elements as highly confidential or label similar to ensure layered controls are in place which will help protect the privacy of the customer as well. A data retention policy can be used to meet regulatory and compliance requirements and identify when the data needs to be destroyed, where is it stored, when does it get archived, and much more.
Kelly Sharadin says
Hi Anthony,
You’re spot on, data classification helps security professionals know what controls are required to safeguard data. In your example, although PHI is confidential data we wouldn’t want to deanonymize that information as doing so that could have negative outcomes regarding patient health or filing insurance claims. However, as you mentioned we do want to adequately apply administrative controls to files as confidential.
Kelly
Mohammed Syed says
Agree, and also better ways and policies can be implemented to manage data securely after classifying data. The sensitivity needs to implement various security mechanisms to store, handle, and travel data in the network. It should also be destroyed securely instead of preserving it, which may be more harmful in case of an incident.
Oluwaseun Soyomokun says
Mohammed, for some data under non-sensitive classifications, the method of disposal or destroying won’t matter. But some data is so sensitive that data owners will want to dispose of printed information through cross-shredding or degaussing it from the hard drive where its saved or another secure method. Or they may require employees to use a utility to “scrub” their PCs after they erase files containing sensitive data.
Shubham Patil says
Anthony,
Great points. An organization must make sure that whoever is backing up the classified data and who ever has access to backed-up data has the necessary level of Clearnce level. A large security risk can be introduced if low-level technicians with no security clearance have access to this information during their tasks.
Antonio Cozza says
Nice post Anthony,
It is crucial for an organization to understand exactly what data sets have more sensitive classifications, and which information systems handle and process that data. In addition to supporting compliance requirements, it also benefits the company by steering and minimizing its spending in countermeasures to protect the more sensitive data.
Vraj Patel says
Hello Anthony,
That was a great post. I agree that security specialists, in collaboration with data owners, establish the asset’s value and create access controls to secure those devices. Because the data owner knows how essential the system is to the organization, and security specialists know what kind of control is needed to secure systems classified at different levels (High, Medium, or low).
Vraj Patel says
The data categorization policy assists in the development of a framework for categorizing data based on the organization’s criticality and sensitivity. Any data, whether recorded electronically or on paper, falls under the data categorization. It also assists in identifying the responsibilities responsible for maintaining that data inside an organization, such as data owner, data custodian, and data users. Companies could set effective access control to secure data by identifying the data categorization. The regulatory requirements for data storage are included in the data retention policy. It assists data owners in determining how long data must be maintained and when data can be removed. Along with a company-defined duration for storing data, such as backups, should be kept.
Kelly Sharadin says
Hi Vraj,
Important call out that data classification includes both electronic and paper records. We place such an emphasis on electronic records like email and databases but we cannot overlook how paper records are properly stored and destroyed within the data life cycle. Arguably, paper records present unique auditing challenges regarding how to monitor who viewed, edited or destroyed the records. To that end, layering additional administrative and technicals controls may assist.
Kelly
Shubham Patil says
Hi Vraj,
Data owners decide upon classification of the data, this person is responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria.
Antonio Cozza says
Hi Vraj,
it’s an important distinction you make in addressing that paper records, too, are subject to data classification. To that end, it will surely be important to implement physical controls to limit physical access to unauthorized personnel from reading sensitive private information.
Kyuande Johnson says
Great Points Vraj,
Data Categorization is a fundamental aspect of protecting an organzations data. It provides a clear picture of all data within an organization’s control and an understanding of where data is stored, how to easily access it, and the best way to protect it from potential security risks
Mitchell Dulaney says
Hi Vraj. You bring up an important point, which is that beyond classifying an organization’s data, the data classification policy also normally defines the roles involved in the data life cycle for the organization. Without clear definitions of those roles and responsibilities, some data owners in the company could get bogged down in the minutiae of information security that they frankly shouldn’t be responsible for. On the other hand, information security professionals who should be assigned the role of data custodian would potentially be unaware of critical data in their infrastructure, or simply might be responsible for protecting that data even though that is the area in which they are the experts.
Oluwaseun Soyomokun says
An organization’s data security and use is critical. Simply described, an asset is something useful or valuable.
When it comes to products, services, and technology, value is frequently measured in terms of money: how much would someone pay for it if it were compromised, or how much would it be worth to a competitor if it were leaked, minus how much the data costs the company based on the confidentiality, integrity and availability of the information.
The sole aim is to protect classified data while it is in transit, at rest, and during use. It also expresses itself more depending on the classification.
Data classification help in establishing common levels of sensitivity for commercial business purposes, ranging from the highest disclosure to the lowest form of availability, and the security established for access control on sensitive information may only require one set of credentials.
Mohammed Syed says
Also, data Security indicates protecting organizations’ data against Unauthorized access or use that can result in analysis to remove corruption of the data.
Oluwaseun Soyomokun says
I agree with you, remember, data classification is supposed to ensure that business assets are properly handled and protected from unauthorized usage or data breach.
Shubham Patil says
Hi Oluwaseun,
The sensitivity of information is commensurate with the losses of the organization if that information was revealed to unauthorized individuals. The criticality is an indicator of how the loss of the information would impact the fundamental business processes of the organization.
Vraj Patel says
Hello Oluwaseun,
Along with money, the company assesses the data’s importance with how much it will affect the company. Because there would be some business-critical data, losing it may result in the company being shut down. Also, I agree that businesses categorize data based on its availability, because business-critical data is required to be accessible whenever it is required.
Shubham Patil says
Data classification helps an organization to assign values to different assets and data which enables a company to gauge the amount of funds and resources that should go toward protecting each class because not all assets and data have the same value to a company. Information can be classified by sensitivity, criticality, or both. Either way, the classification aims to quantify how much loss an organization would likely suffer if the information was lost. Data classification helps ensures that data is protected in the most cost-effective way. The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability protection that is required for each type of data set. Retention policies help to manage many risks including lost or stolen information, excessive backlog of paper files, loss of time and space while internally managing records and lack of organization system for records, making them hard to find.
Antonio Cozza says
Good points Shubham,
Retention policies are great for audit trails as well as applicable regulatory compliance. Data classification definitely ensures that funds aren’t wasted trying to secure data of a lower sensitivity class and helps an organization realize where sensitive data exists so that it can properly protect it.
Mitchell Dulaney says
Hi Shubham, I agree that the goal of data classification, as with most company policies, is to accomplish a task in the most cost-effective way possible when taking into account any associated risks. While data classification is something performed with security in mind, its ultimate objective is to limit the application of unnecessary controls to less critical data, while ensuring that the proper controls are effectively implemented to protect the most important data in the organization.
Tal Eidenzon says
Hi Mitchell,
Another way to look at the issue is by imagining a gold bar and lettuce. Just because it makes business sense to use the gold bar with the lettuce, doesn’t mean that the lettuce should be stored in the vault.
Thanks,
Tal
Antonio Cozza says
How would Data Classification and Data Retention policy help an organization protect the privacy of the customers, as well as maintain the security of the organization’s information?
Data classification is critical in protecting privacy of customers and maintaining security of the information for a number of reasons. First, classifying data helps an organization allocate spending on selecting, building, and maintaining countermeasures properly, which may have varying degrees based on what type of privacy information the data is or contains. Varying privacy laws around the world require different business sectors to have certain minimum security controls based on data classification and type. To also remain compliant with some of these laws, data must be retained for certain time periods. Adhering to these compliance requirements for sensitive data protects customers’ data and promotes security within an organization.
Vraj Patel says
Hello Antonio,
That was a great post. I completely agree that categorizing data helps an organization in selecting, building, and maintaining appropriate countermeasures. Furthermore, it would be beneficial for businesses to determine where their data is stored so that it can be accessed whenever needed.
Mitchell Dulaney says
Hi Antonio, you’re correct that the data classification and data retention policies cannot be written and approved without taking into account the regulatory and legal environments that the organization operates within. While senior management and information security may believe that certain levels of classification and retention periods are cost-effective and allow the company to perform its business functions, they need to be aware of the regulations impacting their data or else they are at risk of lawsuits or fines.
Mitchell Dulaney says
To protect the privacy of its customers, a company must understand internally what private data they own, and they must also understand where that owned private data exists, both on their network or on external storage media. The Data Classification and Data Retention policies enable a company to do both of the above. When properly implemented, data classification includes identifying all data the company owns and classifying it based on sensitivity, and a major factor in the assigned sensitivity level is whether the data includes private customer information. Once the private customer data has been classified, the Data Retention policy dictates where, how, and for how long that data is stored. These two policies work in tandem to ensure that private data in possession of the company is protected properly.
The above logic applies in a similar fashion to the company’s sensitive corporate information. Any data that affords the organization a competitive advantage or contains sensitive information (such as PII, PHI, or any data with safety implications) will go through the same rigorous data classification and data retention processes. As such, the security of that data is consistently reviewed and properly maintained.
Kyuande Johnson says
Organizations must manage their data throughout their entire life cycle. From the time that the data is created to the time that it is properly deleted. Data must be managed, to manage data you must classify the data, categorize the data and assign an owner to the data. Data classification is the process of categorizing data into relevant subgroups so that it is easier to find, retrieve, and use Classifying data makes it possible to establish exactly what is there, where it is stored, and how valuable it is. It also helps the business to identify what can be archived or deleted. Having an idea of the value of the data is essential in determining what protections mechanisms to implement. How long the storage is kept and how much storage space is needed to store that data. Organizations should properly maintain a data retention policy. The data retention policy s a set of guidelines used by organizations that detail protocols for how data should be archived and how long data should be kept. Properly implementing and following the data retention policy saves money. Organizations will have an accurate depiction of what data is needed thus saving storage space when deleting useless data. Ensuring that data is kept for the appropriate amount of time prevents lawsuits. In an event of a lawsuit the organization can pull records from the past. It can also protect the firm from non-compliance fines
Tal Eidenzon says
How would Data Classification and Data Retention policy help an organization protect the privacy of the customers, as well as maintain the security of the organization’s information?
In order for an organization to establish a mature DLP state, it is vital to have established Data Classification and Data Retention Policy. To have strong, all-encompassing policies and properly classified data, a Data Governance committee is essential. A Data Governance Committee is made up of security experts and of data stewards and owners. In these meetings, security experts guide the leaders of the business units to properly categorize data and establish policies based on the NIST framework that most closely fits the industry.
Thanks,
Tal