‘Business’ is a verb that practically means the movement of data. If you aren’t sharing data – keeping the books, sharing ideas and stats about sales, getting the correct information regarding the customer or data to the customer – then you aren’t doing much business. But organizations need to protect their data along the way.

Infosec has so many ways of protecting those sources of data that the users of the data often complain. They can’t get their work done, they assert, if all data is always locked up tightly.

The answer to these complaints is data classification. This principle shows up in most security awareness programs, and on paper it seems to bridge the gap between sharing data and ideas and protecting that information. There are, however, a couple of components that, if not discussed and understood by users, could prevent organizations from succeeding in protecting what needs to be protected.

Let’s examine these issues below.

Classification schemas

Any schema for data classification sorts the data into buckets, though the number of buckets and their names are specific to the company’s needs. In a whitepaper, the SANS Institute identifies some of the most common data classifications used by organizations. These include the following:

  • Confidentiality
  • Availability
  • Integrity
  • Proprietary
  • Highly Sensitive
  • Function Sensitive
  • Business Critical
  • Business Sensitive
  • Business Restricted
  • Owner Restricted
  • Owner Discretion
  • Company Use
  • Internal Use
  • Public Use
  • Not Essential

This list is a gradient of data sensitivity. Your company may use several of these terms, but one hopes not all. (There is such a thing as being too granular to be functional.) These categories are meant to help people understand what the impact would be if the data were inappropriately shared, lost, or destroyed in an untimely fashion.

Why is the word ‘inappropriate’ in there? Information workers have (Read more...)