FAQ on Data Classification!

Reghu Mohandas
Published in SecureLink
Sep 28, 2020

What is Data Classification / Information Classification?

The act of applying labels like “Confidential” or “Secret” to files/folders/emails.

Why do I need it?

The label acts as a deterrent and informs users of the sensitivity of content within the document and how it should be handled.

What part of this is complicated?

No part is complicated. The act of applying the label itself is very simple; the most important aspect is deciding what label to apply to a particular document/email.

How do I decide which label to apply?

This depends on the sensitivity of the information contained in the document/email and its scope of use. For example, a document containing “sensitive financial information” that can only be shared with the executive management of the organisation could be labelled as “Secret: Top Management”. The label itself is decided by the organisation.

What is Scope of Use?

The scope of use describes where a classified document can be used or with whom it can be shared. In the above example, “Top Management” denotes that the document labelled Secret can be shared only with “Top Management”. Every organisation should come up with their own labelling schema and scope of use that is most suitable for their business.

Who decides what label is to be applied?

Ideally this would be the data owner, but due to the large amount of content that is being created within an organisation, the actual label is now being applied by pretty much everyone in the organisation. What is important is that people are following the same guidelines in applying the labels.

How do I ensure everyone applies the same label for specific information across my organisation?

As part of your data classification program, you should build an inventory of all possible datasets that are generated out of your business processes. Each of these datasets should have a data owner. The data owner would assess the impact of these datasets on the organisation.

What do you mean by an impact assessment?

The impact assessment should tell you what would happen to the organisation if this data were to fall into the wrong hands, be modified without authorization, or simply not be available when needed. Would your organisation suffer financial, operational or reputational losses, among others? This varies from organisation to organisation.

How do I ensure that these labels are followed by everyone?

The best way to do this is to ensure that everyone is forced to choose a classification while saving a file or sending an email. This will ensure that all digital information is now classified and, by virtue of that, all hard copies are labelled as well in the long term. Organisation-wide data maps, department-level data maps and section-level data maps help build awareness about the datasets at each level and the applicable classification label. This helps guide the user in selecting the appropriate labels.
