- AAA Overview: Access Control, Authentication, and Accounting
- Security Administration—The Importance of a Security Policy
- Keeping Up with and Enforcing Security Policies
- Risk Assessment
- Why Data Classification Is Important
- The Importance of Change Management
- Performing Vulnerability Assessments
- Chapter Summary
- Apply Your Knowledge
Why Data Classification Is Important
Classifying data according to value assists in the risk assessment process. Classification criteria may include
Sensitivity. Although it may not do irreparable harm to an organization if everyone knew the payroll details, most organizations restrict that information on a "need-to-know" basis. Thus, it's a good idea to consider the implications of making data or some related resource public knowledge when assessing its sensitivity. The more sensitive a resource, the tighter its access controls should be.
Proprietariness. Some data related to practices, procedures, processes, or trade secrets that could blunt an organization's competitive edge if disclosed to outsiders can rightfully be viewed as valuable and private property. Here, the more private and/or valuable this property, the tighter its access controls should be.
Confidentiality. Some information is meant to be kept secret, restricted to only a small circle of authorized individuals. This includes financial plans or reports, upcoming sales or advertising campaigns, or other information that could adversely affect an organization if made public prematurely (or at all). Again, the more confidential and/or valuable such information, the tighter its access controls must be.
Privacy. Certain information may be obtained during interviews, research, investigation, or through privileged relationships that should never be made public. This could relate to doctor-patient or attorney-client privilege, or to reasonable or legal expectations of privacy. This helps explain why privacy policies are becoming so prevalent on Web sites and in customer-vendor interactions of all kinds. The more private such information, the tighter its access controls must be.
Potential liability. Beyond privacy concerns, legal agreements, such as nondisclosure, employee, copyrights, or other contracts, may require an individual or organization to preserve information provided by or through a third party. Given that unauthorized disclosure can lead to legal and financial penalties in many cases, information held in trust for or on behalf of others must also be subject to tight access controls.
Intelligence value. Seemingly innocuous documents such as telephone lists, discarded paperwork, purchase orders, and the like can often reveal valuable information to competitors or malefactors. When tempted to assume that a document or resource has no value and therefore needs no access controls, ask, "What's the worst that could happen if our competitors got this?" or "How could this information be used to subvert or bypass security measures?" Very few documents require no access controls at all, unless specifically designed for public use.
As you go through data classification for your organization, you'll quickly notice that resources or items that rate high on one scale (for example, privacy) might also rank high on another (for example, confidentiality, where personnel records are concerned). When classifying data, the safest course is to start out too strict, and then relax that classification when users with a legitimate need to know complain about lack of access. Go the other way (too relaxed), and you won't get too many complaints, but you may find yourself besieged with trouble!