Data classification is the process of data identification and categorization to assess the proper sensitivity level of each piece of information in an organization’s custody. Defining what types of information belong to which security level is the foundation of creating data classification policies.
Data classification policy
A data classification policy is a document that lists the descriptions of the various data classification levels, the responsibilities for creating the defined rules about each of the data types, and the general data classification framework. The main purpose of a data classification policy is to ensure the proper handling of every information type and to define, among other things, who should have access to which data types based on their sensitivity.
It’s up to each individual organization to define its own classification levels, but a good data classification policy template uses these four levels: public, sensitive, confidential and personal. Keeping categories to a minimum, while also accurately categorizing the data, allows companies to avoid the confusion that might arise when there are too many categories with little difference between them.
There are several benefits of having a data classification policy in place:
- Allows for easier security-related resource allocation by knowing what types of and how much data you need to protect;
- Provides general information about what kinds of data are located where, the security levels applied to specific data types, and whether the current data protection practices are acceptable or not from either the company or a compliance standpoint;
- Helps with understanding security and compliance requirements by specifying what kinds of data need what level of protection;
- The additional knowledge about your data will help with overall data protection efforts. Since your data is categorized and you know how well it is protected, you can more easily identify weak spots in your defenses, as well as address existing data security-related problems.
Example data classification policy
A good data classification example is a Public Safety / Police agency and the criminal records held within it. The information inside this system can be split into two different groups: criminal apprehension data and criminal investigation data.
- Criminal apprehension records are considered public information in a lot of countries, so this data being freely shared is not a big issue, since it’s already in the public domain.
- Criminal investigation information, on the other hand, is more sensitive and deemed confidential, with a greatly increased exposure impact compared to the apprehension records. Therefore, the classification and protection measures for this type of data must have greater restrictions.
This is how the majority of data classification systems work. There are different data types and sensitivity levels. Each data type requires a different level of security measures applied to it based on its sensitivity level.
Creating your own data classification policy: best practices
Here are some general best practices for creating your own data classification policy:
- Establish a specific role in your company, making it someone’s prime duty to manage your organization’s records and handle other related tasks.
- Conduct a thorough legal and regulatory assessment to understand which regulations and laws your company must comply with. This might also change some of your existing data security policies, so it’s important to do this as early as possible to avoid various penalties for non-compliance.
- Streamline the data classification process with third-party software; there are a lot of different tools that can automate this process and provide additional functionality at the same time.
- Define the software’s target area, needs and policies to make the automation more precise and effective.
Data classification policy example
Plenty of data classification templates and policies are available online, some of them more specific than others. Even though there are a lot of specifics that may or may not apply to you, it’s still possible to use them as a foundation for a data classification policy. The following outlines the main categories that should be included in your data classification policy.
One of the main cornerstones of any data classification policy is a purpose. You should describe the reason for this policy to exist in the first place, and why it is important to have one. The main reason for the policy to exist is to create a data classification framework that can be used to classify a company’s data based on a variety of important factors (thus making the protection of the more sensitive data that much easier).
Another important topic that your data classification policy must cover is the extent of the policy’s capabilities, or the scope of the policy. There are not many cases when a data classification policy doesn’t apply to some specific employees of the organization or specific data types, so you’ll most likely see the following note in any data classification policy:
“This policy applies to any data form that the organization interacts with, including digital information and paper documents. At the same time, it applies to each of the organization’s employees and to various third-party agents that have the authorization to access said data.”
Roles and Responsibilities
After mentioning the stakeholders that are the subject of your data classification policy, it’s also fair to list various roles and responsibilities that can be associated with your data classification efforts. A typical data classification policy often includes three main categories of personnel:
- Data owners are often chosen from the senior management staff and are ultimately responsible for all of the data collection/data processing efforts, including data compilation, data review and categorization, the coordination of data classification, data access, and so on.
- Data protectors are the individuals that maintain and back up the databases and/or servers keeping all of the organization’s data. This category mostly consists of various technicians in the IT department or the information security office (especially in larger companies). Their list of responsibilities is also surprisingly vast, often including operations like access control, compliance, data backup and restore, audits, data access, and so on.
- Data users are the individuals that interact with the company’s data in some way, and they’re bound to use said data for a specific purpose while also obeying all of the policies and compliance rules that the company sets up in the first place. They can be both internal employees and external parties, such as contractors, partners and customers.
Data classification procedure
An important part of any data classification policy template is creating a step-by-step explanation of the data classification procedure that must be performed for every data type that the organization interacts with in any way. The procedure should include four basic steps:
- Data review and impact level assigning
- Classification label assigning based on the results of the previous step
- Creating a record of all of the classification labels assigned in the previous step
- Applying various security controls based on the classification label
Each step must be accompanied by a detailed explanation of the process behind it. For example, step 1’s explanation would include the detailed process of choosing the right impact level for each data piece, step 2 should have a correlation table between different impact levels and the corresponding classification levels, and so on.
Guideline for data classification
Going into even more detail, the next part of a data classification policy template is the guideline for data classification. This part defines each data type that the company interacts with in any way, along with a detailed explanation of the impact this information might have (confidentiality/integrity/availability impact), the normalized impact rating based on the three different outlooks, and the overall data classification label as a result of all of the above. A detailed explanation of what this data type does and what it can be used for is also welcome at this step of the policy.
Impact level determination table
To make it easier for data owners to classify your data properly, you should include a detailed impact level determination table that helps with defining the correct impact level for each data piece (confidentiality, integrity and availability impacts, specifically). For example, you can describe what falls under the low potential confidentiality impact, the high availability impact, and so on.
One more way of making the entire data classification process easier is to have a dedicated list of data types that are automatically given the high impact level. The majority of data classification policy templates describe this classification type as “Restricted”. The vast majority of entries in this table are data types that fall under some sort of compliance rules, including payment data, PII (personally identifiable information), authentication information, PHI (protected health information), and so on.
Revision history table
The last part of your data classification policy is the version history. This part of the policy should be constantly filled with all of the changes that were made since the creation of the policy. It should include: Version, Author, Publish Date and a Description. Here’s an example of a revision history table:
|Version|Author|Publish Date|Description|
|---|---|---|---|
|1.0|Joe Classification|01/01/2020|First version|
A data classification policy is essential for any company, if for nothing else but to act as a foundation for the set of security measures that should be put in place to protect sensitive data. The job of protecting your data is much more difficult if you don’t know what kinds of data you’re protecting, the regulations that apply to them and where they are located in the first place. Establishing a data classification policy and applying the correct classification labels enhances all downstream actions, not just security.