Data Classification

The data classification is derived from the three areas of data security requirements: it should be set to the highest rating among the three security categories of confidentiality, integrity, and availability. For example, a data set with no confidentiality requirement whose loss of availability would halt operations is classified according to its availability rating, not its low confidentiality rating.

Some security experts break data into categories with labels that indicate how it is used or how confidential it should be kept. However, the use of the data is independent of the damage that can be done if it is disclosed, modified, or made unavailable. Therefore I recommend a data classification scheme that allows both categorization by use and categorization by confidentiality, integrity, and availability needs.

Some experts use the following data classification categories:

  1. Public - Information that is publicly available.
  2. Internal use only - Information that is only used inside the organization. Even if the damage is specified as mere inconvenience to the organization when the data is compromised or changed, the problem I have with this label is that it specifies use more than damage and may confuse people.
  3. Proprietary - Again, this indicates data used internally, but perhaps more sensitive, since it may include organizational plans or designs.
  4. Highly Confidential - Disclosure could seriously impede organizational operation.
  5. Secret - This is the top category of sensitivity, and the word is associated with confidentiality requirements rather than with the potential damage from disclosure, modification, or loss of access.

Although the needs of various organizations differ, the above categorization combines data security needs with the classification of who may use the data, which is confusing. I recommend the use categories and data security classification categories below.

Recommended Data Use Categories

  • Departmental group use only
  • Department use only
  • Organizational use only
  • Organization and business partner use only
  • Available for everyone including the public.

More detail may be needed, since some users may have read-only access while others have both read and write access to the data.

Recommended Data Security Classification Categories

I recommend the following wording for data classification, since the terms listed below are the ones more commonly used when discussing possible damage from misuse or lack of availability.

  1. Critical (label as top secret) - high damage (other descriptions may include crucial, serious, severe, essential) - The event (unauthorized data compromise, loss of data integrity, or loss of data access) would have a critical negative effect on the organization, either impacting organizational activities critically or costing a critical amount of money or resources. The organization must decide the limits of damage here, such as $200,000 or more in damage; the same dollar amount will affect different organizations differently. Events of a critical nature may cause loss of life or threaten to destroy the organization. Examples of damage in this category include anything that could cause loss of life, a violation of law, or the compromise of many social security numbers, credit card numbers, or driver's license numbers.
  2. Important (label as secret) - medium damage - The event (unauthorized data compromise, loss of data integrity, or loss of data access) would have a substantial negative effect on the organization, either impacting organizational activities substantially or costing a substantial amount of money or resources. The organization must decide the limits of damage here, such as from $10,000 up to $200,000 in damage. Examples of damage in this category include the compromise of a single individual's social security number, credit card number, or driver's license number.
  3. Standard (label as confidential) - low damage - The event (unauthorized data compromise, loss of data integrity, or loss of data access) would have a limited negative effect on the organization, either impacting organizational activities minimally, as an inconvenience, or costing a relatively small amount of money or resources. The organization must decide the limits of damage here, such as from $100 up to $10,000 in damage.
  4. Common - no damage - The event would have no meaningful negative effect on the organization.
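The following is an added example, not code from the original article, showing how the two recommendations above fit together in practice: each of confidentiality, integrity, and availability gets its own damage estimate, each estimate is rated against the damage categories, the classification is the highest of the three ratings, and the use category is attached separately. The dollar limits are the article's illustrative figures ($100, $10,000, $200,000); treating them as half-open intervals with the lower bound inclusive, and reading "many" identifiers as 100 or more, are assumptions made here, as are the sample data sets.

```python
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    """Data security classification, ordered so max() picks the most severe."""
    COMMON = 0      # no damage
    STANDARD = 1    # low damage, label "confidential"
    IMPORTANT = 2   # medium damage, label "secret"
    CRITICAL = 3    # high damage, label "top secret"


LABELS = {
    Rating.COMMON: "Common",
    Rating.STANDARD: "Standard (confidential)",
    Rating.IMPORTANT: "Important (secret)",
    Rating.CRITICAL: "Critical (top secret)",
}

# Assumed organization-specific limits, using the article's example figures.
# Intervals are half-open with the lower bound inclusive, so exactly $10,000
# rates Important and exactly $200,000 rates Critical (the article leaves
# the boundary open; each organization must choose its own limits).
STANDARD_FLOOR = 100
IMPORTANT_FLOOR = 10_000
CRITICAL_FLOOR = 200_000
MANY_PII_RECORDS = 100  # assumed reading of "many" identifiers


@dataclass
class Impact:
    """Estimated worst-case consequence of one event type: unauthorized
    disclosure (confidentiality), modification (integrity) or loss of
    access (availability)."""
    dollars: float = 0.0
    loss_of_life: bool = False
    violates_law: bool = False
    pii_records: int = 0  # SSNs, card numbers or license numbers affected


def rate_impact(impact: Impact) -> Rating:
    """Rate one C/I/A dimension. The article's qualitative triggers set a
    floor; the dollar estimate can raise the rating but never lower it."""
    if (impact.loss_of_life or impact.violates_law
            or impact.pii_records >= MANY_PII_RECORDS):
        return Rating.CRITICAL
    if impact.dollars >= CRITICAL_FLOOR:
        dollar_rating = Rating.CRITICAL
    elif impact.dollars >= IMPORTANT_FLOOR:
        dollar_rating = Rating.IMPORTANT
    elif impact.dollars >= STANDARD_FLOOR:
        dollar_rating = Rating.STANDARD
    else:
        dollar_rating = Rating.COMMON
    # A single individual's identifier is Important on its own.
    pii_floor = Rating.IMPORTANT if impact.pii_records >= 1 else Rating.COMMON
    return max(dollar_rating, pii_floor)


def classify(confidentiality: Impact, integrity: Impact,
             availability: Impact) -> Rating:
    """The classification is the highest rating across the three dimensions."""
    return max(rate_impact(confidentiality),
               rate_impact(integrity),
               rate_impact(availability))


def full_label(use_category: str, rating: Rating) -> str:
    """Attach the independent use category to the security classification."""
    return f"{use_category} / {LABELS[rating]}"


# Constructed sample data sets (not from the article).
PAYROLL = dict(
    confidentiality=Impact(dollars=2_000, pii_records=1),  # one employee's SSN
    integrity=Impact(dollars=50_000),                      # a wrong pay run
    availability=Impact(dollars=300),                      # a day's delay
)
PUBLIC_SCHEDULE = dict(
    confidentiality=Impact(),                              # already public
    integrity=Impact(dollars=500),
    availability=Impact(dollars=250_000),                  # operations halt
)

if __name__ == "__main__":
    print(full_label("Department use only", classify(**PAYROLL)))
    print(full_label("Available for everyone including the public",
                     classify(**PUBLIC_SCHEDULE)))
```

Note that the public schedule comes out Critical even though its confidentiality rating is Common: the availability estimate alone drives the classification, which is exactly why use category and security classification should be recorded as two separate labels.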