Data classification as part of the information lifecycle management (ILM) process can be defined as a tool for the categorization of data to help an organization effectively answer the following questions:
- What data types are available?
- Where is certain data located?
- What access levels are implemented?
- What protection level is implemented, and does it adhere to compliance regulations?
A data classification process is recommended for implementing data controls such as DLP and encryption.
Data Classification Categories
There are different reasons for implementing data classification and therefore many different parameters and categories for the classified data. Some of the commonly used classification categories follow:
- Data type (format, structure)
- Jurisdiction (of origin, domiciled) and other legal constraints
- Contractual or business constraints
- Trust levels and source of origin
- Value, sensitivity, and criticality (to the organization or a third party)
- Obligation for retention and preservation
The classification categories should match the data controls to be used. For example, when using encryption, data can be classified as “to encrypt” or “not to encrypt.” For DLP, other categories such as “internal use” and “limited sharing” are required to correctly classify the data.
The relationship between data classification and data labeling is important. Data labeling usually refers to tagging the data with additional information (department, location, and creator). One of the labeling options can be classification according to certain criteria: top secret, secret, classified. Classification is usually considered part of data labeling. It can be manual (a task usually assigned to the user creating the data) or automatic, based on policy rules (according to location, creator, content, and so on).
Challenges with Cloud Data
Cloud data poses some classification challenges:
- Data creation: The reader needs to ensure that proper security controls are in place so that whoever creates or modifies data classifies it, or updates its classification, as part of the creation or modification process.
- Classification controls: Controls can be administrative (as guidelines for users who are creating the data), preventive, or compensating.
- Metadata: Classifications can sometimes be made based on the metadata that is attached to the file, such as owner or location. This metadata should be accessible to the classification process so that it can make the proper decisions.
- Classification data transformation: Controls should be in place to make sure the relevant property or metadata can survive data object format changes and cloud imports and exports.
- Reclassification consideration: Cloud applications must support a reclassification process based on the data lifecycle. Sometimes the new classification of a data object may mean enabling new controls such as encryption or retention and disposal (for example, customer records moving from the marketing department to the loan department).
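The policy-based automatic labeling and the reclassification case described above (customer records moving from marketing to the loan department), as an added Python example that is not part of the original text. The rule conditions, the "retain" and "needs review" labels, the metadata keys, and the sample record are assumptions made for illustration.

```python
import re

# Label names "to encrypt", "internal use" and "limited sharing" come from the text.
# Rule conditions, the "retain" label and the card-number pattern are assumptions.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
REQUIRED_METADATA = ("department", "location", "creator")

RULES = [  # (rule name, predicate over metadata and content, labels applied)
    ("loan-department", lambda m, c: m["department"] == "loan", {"to encrypt", "retain"}),
    ("internal-location", lambda m, c: m["location"].startswith("internal/"), {"internal use"}),
    ("card-number-content", lambda m, c: bool(CARD_RE.search(c)), {"to encrypt", "limited sharing"}),
]

CONTROLS = {  # classification label -> data control it switches on
    "to encrypt": "encryption",
    "internal use": "DLP: block external sharing",
    "limited sharing": "DLP: restrict recipients",
    "retain": "retention and disposal schedule",
    "needs review": "quarantine until manually classified",
}


def classify(metadata, content):
    """Return the set of labels the policy assigns to one data object."""
    # Metadata lost in a format change or import must not yield a silent
    # "no controls" result, so the object is flagged for manual review.
    if any(not metadata.get(key) for key in REQUIRED_METADATA):
        return {"needs review"}
    labels = set()
    for _name, predicate, rule_labels in RULES:
        if predicate(metadata, content):
            labels |= rule_labels
    return labels


def controls_for(labels):
    """Map classification labels to the data controls they require."""
    return {CONTROLS[label] for label in labels}


def reclassify(old_metadata, new_metadata, content):
    """Return the controls that must be newly enabled after a metadata change."""
    return controls_for(classify(new_metadata, content)) - controls_for(classify(old_metadata, content))


if __name__ == "__main__":
    record = "Customer: J. Doe, contact preference: email"  # constructed sample
    marketing = {"department": "marketing", "location": "internal/crm", "creator": "asmith"}
    print(sorted(reclassify(marketing, dict(marketing, department="loan"), record)))
```
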