Data Classification is an absolute core tenet of information security. I would bet money that if you collected a dozen Info Sec pros in a room and asked for 10 major commandments, Data Classification would be one of them. It goes back even further than the Orange Book (for those old-timers out there). Interesting tidbit – the original Ten Commandments were published as “Public Use” documents. In fact, some of the Dead Sea Scrolls had labels of “Top Secret” on the parchment. Ok – I am stretching the truth a bit but you get my drift. Labelling data based on its sensitivity is a very important part of security and has been around for a long time. You have to know what you are protecting.
Companies still struggle with this basic premise of security. Almost every organization has some scheme to label systems and data according to their value to the organization. This is a good thing: it sets the bar for securing information, it establishes baseline control requirements, and it educates the information user on the importance of protecting the data. However, with the proliferation of data in an organization, it is never cost effective to implement a stringent (dare I say completely accurate) labelling process. Most classification schemes and methodologies focus on point-in-time classification. The reality is that the sensitivity of much data grows or diminishes over time. Let’s take a look at some examples:
Financial reporting data can be extremely sensitive. Companies go into lock-down mode near the end of a quarter as the numbers are crunched for earnings reports. That data is strictly need-to-know until POOF! the numbers are released and become UBER-public. So the curve of sensitivity, sketched simplistically, rises steadily through the quarter, peaks in the days before the release, and drops to zero the moment the numbers are published.
Personal information has a different curve. A name by itself is mostly harmless. A name plus a phone number is relatively harmless. But a combination of certain personally identifiable information elements (which ones depends on your jurisdiction) can instantly become extremely sensitive. So the PII (or ePHI) curve is flat and low while the elements sit apart, then steps up sharply the moment enough of them are combined: the trigger is composition rather than time.
If you evaluate other forms of information in your organization (research and development plans, merger and acquisition negotiations, pricing negotiations, etc.), almost every form of data will have some curve related to its sensitivity. A label stuck on the data at any one time may or may not be valid over the lifetime of the data, and modifying the controls to track these changes can be impossible. Creating a control curve that mimics the classification curve is most likely cost ineffective or administratively impractical (e.g. moving data between control environments whenever its sensitivity changes). Then you have other challenges, such as mixed data sitting together: last quarter’s earnings numbers (public information) stored alongside next quarter’s earnings numbers (very sensitive). Of course you default to the highest classification present, but it muddies the picture, and the public data ends up inheriting controls it no longer needs.
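To make the two curves concrete, here is a small Python model, added to this post rather than taken from it, that computes a classification level from an asset’s state instead of reading a fixed label. It treats financial data as a function of days-to-release, treats PII as a function of which elements sit together, and resolves a mixed container to the highest level present. The level names, the 14- and 60-day windows, and the split of PII fields into identifiers and sensitive elements are assumptions chosen for illustration; substitute your own scheme.

```python
"""Sensitivity as a function of time and composition, not a fixed label.

Added example (not from the original post). Thresholds, level names and the
PII field categories below are assumptions chosen for illustration; tune them
to your own classification scheme and jurisdiction.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, Optional


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Asset:
    name: str
    # Financial reporting data: sensitivity keyed to the earnings release date.
    release_date: Optional[date] = None
    # Personal data: sensitivity keyed to which PII elements sit together.
    pii_fields: FrozenSet[str] = frozenset()


# Assumed windows before an earnings release (tune to your own calendar).
LOCKDOWN_DAYS = 14
QUIET_PERIOD_DAYS = 60

# Assumed field categories: direct identifiers vs. elements that become
# damaging once tied to an identified person.
IDENTIFIERS = frozenset({"name", "phone", "email"})
SENSITIVE_ELEMENTS = frozenset({"ssn", "dob", "account_number", "diagnosis"})


def financial_sensitivity(release: date, today: date) -> Level:
    """Rises toward the release date, then drops to PUBLIC once the numbers are out."""
    if today >= release:
        return Level.PUBLIC
    days_left = (release - today).days
    if days_left <= LOCKDOWN_DAYS:
        return Level.RESTRICTED
    if days_left <= QUIET_PERIOD_DAYS:
        return Level.CONFIDENTIAL
    return Level.INTERNAL


def pii_sensitivity(fields: Iterable[str]) -> Level:
    """Steps up sharply when an identifier is combined with a sensitive element."""
    present = frozenset(fields)
    identifiers = present & IDENTIFIERS
    sensitive = present & SENSITIVE_ELEMENTS
    if identifiers and sensitive:
        return Level.RESTRICTED      # e.g. name + SSN
    if sensitive:
        return Level.CONFIDENTIAL    # an SSN with no name attached is still risky
    if identifiers:
        return Level.INTERNAL        # name, or name + phone: relatively harmless
    return Level.PUBLIC


def asset_sensitivity(asset: Asset, today: date) -> Level:
    """Current level of one asset; an asset may carry both kinds of data."""
    levels = [Level.PUBLIC]
    if asset.release_date is not None:
        levels.append(financial_sensitivity(asset.release_date, today))
    if asset.pii_fields:
        levels.append(pii_sensitivity(asset.pii_fields))
    return max(levels)


def container_sensitivity(assets: Iterable[Asset], today: date) -> Level:
    """Mixed data in one store defaults to the highest level present."""
    return max((asset_sensitivity(a, today) for a in assets), default=Level.PUBLIC)


def demo(days_after: int = 0) -> Dict[str, str]:
    """Re-evaluate constructed sample assets as of a constructed date (+ offset)."""
    today = date(2024, 4, 15) + timedelta(days=days_after)   # constructed date
    last_q = Asset("Q4 earnings", release_date=date(2024, 2, 1))
    next_q = Asset("Q1 earnings", release_date=date(2024, 4, 25))
    names = Asset("mailing list", pii_fields=frozenset({"name", "phone"}))
    payroll = Asset("payroll", pii_fields=frozenset({"name", "ssn"}))
    result = {a.name: asset_sensitivity(a, today).name
              for a in (last_q, next_q, names, payroll)}
    result["shared drive"] = container_sensitivity([last_q, next_q, names], today).name
    return result


if __name__ == "__main__":
    for label, level in demo().items():
        print(f"{label:13} {level}")
    print("after release:", demo(days_after=20)["Q1 earnings"])
```

The point of the `demo(days_after=20)` call is the Velcro label: nothing about the Q1 asset changed, yet re-running the evaluation after the release date drops it from RESTRICTED to PUBLIC and lets the shared drive fall back to the level of the PII it still holds. Whatever classification tooling you use, the property to look for is that the level is recomputed from the asset’s state on a schedule, not copied once from a form.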
So do we throw Data Classification out the window when it comes to information security? Absolutely not. What we need to incorporate in our strategies is the notion that the data does change over time and that this has to be a living part of the security program. Information Owners should be educated about their “curve” and Security must be aware of the major shifts in sensitivity during the data lifecycle. A fluid, working relationship between Information Owners and Information Custodians needs to be established to ensure that controls (and the level and cost of effort) are commensurate with the sensitivity of the data at that point in its lifecycle. Labels shouldn’t be placed on data with permanent glue. Instead, Velcro labels that can be changed as the curve moves are a better approach. The challenge is getting the right conversation going in the first place, and this drives right into one of my constant themes – Business Context for Information Security.
Business Context for Information Security is the cornerstone of building a security strategy that meets 21st century demands. Information Security functions need the visibility to adjust efforts, prioritize issues and focus controls based on the value to the business. Data Classification and understanding information assets is a critical part of this visibility. When a security function can work with the business to understand these data sensitivity curves, it is much better positioned to address threats to the data. Fostering this conversation should be a priority as part of the greater security strategy.