Data Security: Data classification

Nischal S Narayana
4 min read · May 12, 2023


· What approach would you take to initiate research and identify critical categories for your company? Explain.

An organization holds a multitude of data and information. Critical data categories can be identified using either a user-defined or a system-defined approach. The system-defined approach still needs user attention, because the system, relying on a trained machine-learning model, might wrongly classify sensitive information as not sensitive. The data pertaining to a company can be of the different types shown below:

Diagram 1. Typical data and information of a company

Identifying critical data and information is a good data governance practice that helps organizations improve revenue and work quality. Critical data is the minimum amount of data needed to get work done successfully. Critical data for one team may not be critical for another team, so classification should also handle access and permission levels on a team-by-team basis. Data classification can be of the following types:

· Content-based: files are parsed and interpreted based on their contents.

· Context-based: classification looks at the person, location, tags, critical application data and other variables that flag critical data.

· User-based: manual interpretation of data as critical.

· What standards or industry frameworks would you consider using as a reference?

The following standards and industry frameworks will be used as references to define data security:

· NIST SP 800-53: the US government uses this NIST framework to categorize data and manage IT.

· PCI DSS: payment card customer information is secured under this data classification standard.

· ISO 27001: defines a set of standards to protect sensitive data.

· GDPR: European Union (EEA) citizens' data is subject to GDPR law.

· HIPAA: security controls for individual health records, including storage and transmission.

o What classification categories will you include?

As per the diagram below, the following classification categories will be included:

Diagram 2. Company classification categories

Public data is freely available in public domains such as the website, press releases and news; data disclosed by the company can be categorized as public. Internal Only data pertains to the employees and contractors of the company; it has a low security level and is not meant for public release. Confidential data is made available to certain employees based on designation, team and task status. Restricted data is highly sensitive data pertaining to the company; any leakage of restricted data will cause irreparable damage to the company.

o Will you include any regulated or legally sensitive categories? Explain.

Yes, regulated or legally sensitive categories will also be included as critical data. This helps mitigate the risk of unauthorized disclosure and ensures adherence to laws such as the GDPR. European Union citizens' data is subject to GDPR law, which enforces strict methods for the storage and transmission of user personal data, including IP addresses.

· How would you implement the classification model?

The classifier model could be implemented in the following steps:

1. Define the data security policy, the classification methods, the role of the Data Security Team and the handling of data security breaches.

2. Define and classify stored data as public, internal, confidential or restricted.

3. Label each data item with a tag.

4. Learn and adapt to new security measures.

5. Re-classify data periodically, as data can be updated, added or deleted.

Diagram 3. Data classification approach

The diagrams above depict the general classification of information into Public, Internal Only, Confidential and Restricted. The classifier model may use search terms to identify sensitive documents: by indexing and crawling through documents, the search rank can help classify sensitive information. Defining document types and tagging them will also help in classification. For example, product documentation as technical
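The content-based pass described above (search terms over document contents, a label from the four categories, and a tag for the labelling step) as an added example; this is not the article's own code, and the regex rules, the level each rule maps to, and the sample documents are assumptions constructed for the demo. It also shows the user-based correction the first section asks for: an owner-supplied label is merged in, and a disagreement where the owner labelled lower than the content suggests is flagged for review instead of being silently downgraded.

```python
"""Content-based classifier for the article's four categories.

Added example, not the article's own code. The regexes, the level each rule
maps to, and the sample documents are assumptions constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Ordered from least to most sensitive, matching the article's categories.
LEVELS = ["Public", "Internal Only", "Confidential", "Restricted"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern"
    level: str                                          # label assigned on a match
    tag: str                                            # tag emitted for the labelling step
    validator: Optional[Callable[[str], bool]] = None   # extra check on the matched text


# Assumed rule set; a real deployment would tune these to its own data.
RULES: List[Rule] = [
    Rule("payment card number", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "Restricted", "PCI",
         lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    Rule("email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "Confidential", "GDPR-PII"),
    Rule("ip address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "Confidential", "GDPR-PII"),
    Rule("internal marker", re.compile(r"\binternal (?:only|use)\b", re.I), "Internal Only", "INTERNAL"),
]


@dataclass
class Classification:
    label: str
    tags: Set[str] = field(default_factory=set)
    evidence: List[str] = field(default_factory=list)
    needs_review: bool = False   # owner's label was below what the content suggests


def classify(text: str, user_label: Optional[str] = None) -> Classification:
    """Content-based pass; an owner-supplied (user-based) label is merged in."""
    level_idx = 0
    result = Classification(LEVELS[0])
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validator and not rule.validator(m.group(0)):
                continue
            result.evidence.append(rule.name)
            result.tags.add(rule.tag)
            level_idx = max(level_idx, LEVELS.index(rule.level))
    if user_label is not None:
        # The most restrictive of the two labels wins. A downgrade is never silent:
        # if the owner labelled lower than the content suggests, flag it for review.
        user_idx = LEVELS.index(user_label)
        result.needs_review = user_idx < level_idx
        level_idx = max(level_idx, user_idx)
    result.label = LEVELS[level_idx]
    return result


def classify_all(documents: Dict[str, str]) -> Dict[str, Classification]:
    return {name: classify(text) for name, text in documents.items()}


# Constructed sample documents; none of these values are real.
SAMPLES = {
    "press_release.txt": "Company announces a new product line at the annual conference.",
    "memo.txt": "INTERNAL ONLY: cafeteria hours change next week. Vendor ref 1234 5678 9012 3456.",
    "newsletter_list.csv": "name,email\nAlice,alice@example.com\nBob,bob@example.com",
    "payments_export.csv": "customer,card\nAlice,4111 1111 1111 1111",
}

if __name__ == "__main__":
    for name, c in classify_all(SAMPLES).items():
        print(f"{name:22} {c.label:14} tags={sorted(c.tags)} evidence={c.evidence}")
```

The vendor reference in the memo is sixteen digits but fails the Luhn check, so it is not treated as a card number; the memo lands at Internal Only on the marker alone, while the payments export lands at Restricted. Running the same payments text with a user label of Internal Only keeps Restricted and sets `needs_review`, which is the point where the article says the system's result still needs user attention.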

o How will you verify compliance and enforcement once deployed?

The following methods could help in verifying compliance and enforcement:

· Hire a Data Security team in highly regulated areas such as Finance and Healthcare. Define a point of contact for reporting security breaches.

· Periodic training and assessment on the company's security policies.

· Periodic data classification.

· A Business Continuity Plan in case of a security breach, with security drills for restoration from backup.

· Enable security controls, access permissions, approval systems and policy-adherence systems.

· Define user-based and system-based classification of the data, with data classification recommendations.

· Monitor and maintain data storage and movement. Reward or reprimand employees and contractors based on security breaches.

Diagram 4. Verify compliance and enforce the deployment

The diagram above depicts the methods to enforce and verify compliance with data security.
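Three of the checks above (access permissions keyed to the label and team, periodic re-classification, and monitoring of data movement) as one added compliance-audit example; this is not the article's own code. The review intervals per label, the rule that Confidential and Restricted data is further limited to the teams its owner listed, the treatment of unlabelled data as Restricted, and all documents, users and access events are assumptions constructed for the demo.

```python
"""Compliance and enforcement checks over a data-classification registry.

Added example, not the article's own code. Review intervals, the team rule,
and all documents, users and access events are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

LEVELS = ["Public", "Internal Only", "Confidential", "Restricted"]

# Assumed policy: how old a classification may be before re-review is due.
REVIEW_DAYS = {"Public": 365, "Internal Only": 365, "Confidential": 180, "Restricted": 90}


@dataclass(frozen=True)
class Document:
    name: str
    label: Optional[str]           # None = never classified
    owner: str
    allowed_teams: FrozenSet[str]  # teams the owner granted; empty = any cleared team
    last_reviewed: date


@dataclass(frozen=True)
class User:
    name: str
    team: str
    clearance: str                 # highest label this person may access


def access_allowed(user: User, doc: Document) -> bool:
    """Clearance must cover the label; Confidential and Restricted data is also
    limited to the owner's listed teams. Unlabelled data is treated as Restricted
    until an owner classifies it (assumed fail-closed default)."""
    label = doc.label or "Restricted"
    if LEVELS.index(user.clearance) < LEVELS.index(label):
        return False
    if label in ("Confidential", "Restricted") and doc.allowed_teams \
            and user.team not in doc.allowed_teams:
        return False
    return True


def audit(docs: List[Document], users: Dict[str, User],
          access_log: List[Tuple[str, str]], today: date) -> List[str]:
    """Periodic report: unlabelled data, stale labels, and logged access events
    that the policy would deny (each a finding for the Data Security team)."""
    findings: List[str] = []
    by_name = {d.name: d for d in docs}
    for d in docs:
        if d.label is None:
            findings.append(f"UNLABELLED {d.name} (owner {d.owner})")
        elif (today - d.last_reviewed).days > REVIEW_DAYS[d.label]:
            findings.append(f"STALE {d.name}: {d.label} last reviewed {d.last_reviewed}")
    for user_name, doc_name in access_log:
        user, doc = users[user_name], by_name[doc_name]
        if not access_allowed(user, doc):
            findings.append(f"DENIED {user_name} ({user.team}, {user.clearance}) "
                            f"-> {doc_name} [{doc.label}]")
    return findings


# Constructed registry, users and access log; none of these values are real.
TODAY = date(2023, 5, 12)
DOCS = [
    Document("press_release.txt", "Public", "comms", frozenset(), date(2023, 1, 10)),
    Document("payroll.xlsx", "Confidential", "hr", frozenset({"hr"}), date(2022, 6, 1)),
    Document("m_and_a_plan.docx", "Restricted", "ceo", frozenset({"exec"}), date(2023, 4, 1)),
    Document("old_share/dump.csv", None, "it", frozenset(), date(2021, 1, 1)),
]
USERS = {
    "alice": User("alice", "hr", "Confidential"),
    "bob": User("bob", "engineering", "Internal Only"),
    "carol": User("carol", "exec", "Restricted"),
}
ACCESS_LOG = [
    ("alice", "payroll.xlsx"),        # allowed: hr team, Confidential clearance
    ("bob", "payroll.xlsx"),          # denied: clearance too low
    ("carol", "payroll.xlsx"),        # denied: cleared, but not in the hr team
    ("carol", "m_and_a_plan.docx"),   # allowed
    ("alice", "old_share/dump.csv"),  # denied: unlabelled data treated as Restricted
]

if __name__ == "__main__":
    for line in audit(DOCS, USERS, ACCESS_LOG, TODAY):
        print(line)
```

The denial for carol on the payroll file is the team-level rule from the classification section: a Restricted clearance does not by itself grant access to another team's Confidential data. The stale finding on the same file is what drives the periodic re-classification step, and the unlabelled dump on the old share is the case the policy has to force back to a data owner.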

o Will you need to establish a policy for the new model?

A policy has to be established for the new model, so a policy framework is necessary. The framework takes care of data classification based on document value and criticality to the organization's functioning, ensuring the organization's data is protected and secured appropriately. A general policy encompasses all employees of the company as well as contractors. The policy will ensure clarity of the roles and responsibilities of the company and the remedies during security breaches. The policy ensures clear labelling and tagging of documents to help in classification. The policy shall explain the roles and duties of the Security team: auditing, classification, security controls, monitoring and reporting. Data Owners make sure that documents and information are classified as public, internal only, confidential or restricted.


All illustrated diagrams were created using Canva (https://www.canva.com).


