Determining what constitutes “sensitive data” is usually not difficult for most people. For me personally, it would be my Social Security number and my account information – banking and credit card information. And sadly, as the years go by, my birthdate is getting to be more sensitive…
For organizations, identifying their sensitive data is again pretty straightforward. Categorizing the levels of sensitivity, however, is something that can be worked through via a data classification effort. Data classification identifies the level of sensitivity of data and also identifies the owner of that data.
The government has been classifying data for some time: secret, top secret, etc. It has also developed clearance levels to identify who has access to various levels of sensitive data.
Corporations have done so as well – public information, confidential information, etc. The naming conventions vary, but the level of sensitivity, who has access to the data, and who owns it are the primary attributes of data classification. When you are considering data classification, it also helps to look at the business risk to the entity or company should the data be leaked.
I found a well-written article about data classification:
In discussing why implementing data classification can be difficult, the authors mention “Appeal to the regulatory requirements, shamelessly”.
It makes sense to leverage them. You’ve got to abide by the regulatory requirements that affect your organization – PCI, HIPAA, NIST, or others. Getting the backing of management is easier when you’re trying to implement something that’s already required by regulation.
One of my colleagues shared that he knew of a company that had a classification above and beyond top secret. The level of sensitivity required that information could not be written down anywhere. It could only be whispered! (Really? Like, in the bathroom? With the toilet flushing?)
Sounds very Mission Impossible. “…This tape will self-destruct in 5 seconds. Good luck, Dan…”
Sr. Account Executive