Data ownership and classification are usually initiatives companies think about much after implementing many other layers of controls like firewalls, patching, or antivirus. But because of legislation like Health Insurance Portability and Accountability Act (HIPAA) and the US Family Education Rights and Privacy Act (FERPA) companies are required to know what data they possess and assure they are securing it. Most organizations retain large quantities of data and some even call it “big data” but many do not have the certainty of what type of data it is, what are the data elements, where it is stored, when it should be destroyed, and how to protect it. This article will explore those elements and highlight the importance of data ownership and classification.
Questions to ask yourself to assess your data management
- Do I know all the data elements that our company processes?
(i.e. credit cards, health information, social security numbers, names, addresses, email addresses, phone numbers) - Do I know where all data is stored?
(i.e. stored in file servers in a data center, in the cloud, on desktops/laptops, mobile devices) - Do I know who is accountable for the data?
(i.e. who is the person to contact if there is a loss of data, who knows the regulatory or contractual requirements of the data) - Is all data appropriately labeled?
(i.e. documents have the label of “confidential” in the header/footer or in a watermark) - Has the appropriate security been applied to the data?
(i.e. encryption is applied to confidential data and not public data, access controls have been applied to confidential data, monitoring has been applied to confidential data) - Do I know when data can be deleted?
(i.e. the data can be securely shredded after 5 years as opposed to 10 years)
If your answer to any of the above questions was "no" or "I'm not sure" then it is recommended to implement or mature a data ownership and classification program.
What is data classification?
Data classification has a different meaning for different organizations but at the basic level it is knowing the type of data a company has, determining its value, and categorizing it. For example, if your company has a secret sauce or original intellectual property it may be considered “top secret” or “confidential”. The reason to label or classify it as “top secret” or “confidential” is so it can be handled and ultimately protected appropriately. If a company has not done the due diligence to analyze their data and classify it correctly, then how can it confidently secure it. Security costs money and if you treat all data the same then you may be spending too much, or not spending enough protecting the “secret sauce”. In addition to not putting the correct controls on data there is the potential to retain data for longer than needed or destroy data before it should be based on laws or contractual commitments.
What classifications should be used?
Different companies will implement various number of classifications and labels. In general, the classification should be easy to determine and remember. If there are 5 classifications and the general user can not differentiate between confidential and “highly” confidential it could cause significant issues with how the data is protected or handled. Many companies have chosen to adopt these 3 simple labels:
- Confidential: Very limited audience, such as senior level executives or members of the legal or HR departments.
- Internal: Any company employee, but not anyone outside the company unless a non-disclosure agreement has been signed.
- Public: No restrictions on who has access to view the information, available to the public.
How is data classification determined?
Many people have an opinion on how data should be classified or labeled but at the end of the day it is the responsibility of the data owner who is ultimately accountable for the data to make the final decision. The data owner will have the most knowledge of the use of the data and the value to the company. It is advisable for the data owner to get input from various sources like the data custodian or data users but the data owner has complete control over the data.
Who is the data owner?
The data owner is the person in the company who is accountable for the data. This person is usually a member of upper management who has a vested interest in making sure the data is labeled correctly and ultimately secured appropriately. This person must understand the importance to the company and usage of the data to classify it correctly. This person also must be well versed in the applicable law, regulations, or contractual requirements of the data. Once the data owner classifies the data he or she should review the classification periodically (annually) to verify the classification still applies.
What are the responsibilities of the data owner?
The first responsibility of the data owner is to classify the data correctly. Once a classification has been set, it is up to the data owner to determine who has access to the data. Usually, this access is based upon roles as opposed to individuals.
- Who has access to the data? Clarify the roles of people who can access the data.
Example: Employees can see an organization chart with departments, manager names, and titles but not salary information (Classification = internal). But a very limited audience like HR should only have access to salary data, performance data, or social security numbers (Classification = confidential). - How is the data secured? Sensitive data elements within HR documentation has been classified to be confidential and therefore it requires additional security controls to protect it. Some of the additional controls to secure confidential data stored in electronic medium could include being saved in a location on the network with appropriate safeguards to prevent unauthorized access (secure folders protected by passwords).
- How long the data is retained? Many industries require that data be retained for a certain length of time. For example, the finance industry requires a seven-year retention period and some health care industries requires a 100-year retention period. Data owners need to know the regulatory requirements for their data and if there is no clear guidance on retention then it should be based off the companies retention policy or best practices.
- How data should be destroyed? Based on the classification of the data there should be clear guidance on how to dispose or destroy the data. For example:
| Information Medium |
Public |
Internal |
Confidential |
| Hard Copy |
Place in recycling bins or trash receptacles. |
Place in secured shedding bins or manually shred. |
Place in secured shedding bins or manually shred with a cross-cut shredder or pulped. A record must be maintained that indicates the records disposed of and the data of disposal. |
| Electronic records |
Electronic records can be deleted normally. |
Electronic records need to be overwritten to 1’s and 0’s or with a secure delete option. |
Electronic records need to be degaussed off magnetic media after securely deleted or the physical media should be destroyed with a record maintained that indicates the records disposed of and the date of disposal. |
- What data needs to be encrypted? Data owners should decide whether their data needs to be encrypted. To make this determination the data owner should know the applicable laws or regulation requirements set that must be complied with. A good example of a regulation requirement is set by the Payment Card Industry (PCI) Data Security Standard and it requires that the transmission of cardholder data across open, public networks must be encrypted.
Data custodian vs. data user
The data owner may appoint a person to do the daily tasks associated with responsibilities of the data. An administrator is a good example of this. The administrator may have access to the data and will act under the direction or instructions of the data owner on protecting the data but the data owner still maintains full accountability of the data. An additional role of data user could be used for people with general access to the data in support of their daily job duties. A general outline of roles could be:
- Data owner – Accountable and responsible for the security and use of a set of information. Understands the business use, value, and risk of the data. Determines the classification and label.
- Data custodian – Acts on behalf of the data owner and is responsible for the storage, maintenance, and protection of the data.
- Data user – End user who works with the data to perform their job duties.
Summary
Data classification should not be a 10-minute exercise or a set-it-and-forget-it approach. The core of most every business is the data; and to effectively have data ownership and classification, it will take effort. At the end of the day, a proper data ownership and classification program should be a key component of the organization's security program and will most likely decrease overall risk.
Contact ProCircular
If you're looking to improve your data ownership and classification, we can help. We offer cybersecurity consulting services to help your organization assess your data security needs. Contact us for more information about our experts and services.