Data Classification

Data classification is the process of analysing and organizing data (both structured and unstructured) into defined categories based on its content, confidentiality, the type of information documented, and other relevant characteristics. To help maintain the confidentiality, integrity and availability of data, Compleye Online provides functionality to manage and keep records of data classification in a centralized and structured manner.

A well-established data classification overview, aligned with the business functions, helps your organization recognize and understand what information it holds, where that information is stored and how it can be accessed. Data classification is also a fundamental step when developing the policies, processes and procedures your organization implements to preserve the confidentiality, integrity and availability of information. Identifying the legal and regulatory requirements as part of the classification process helps your organization meet those requirements and avoid potential penalties or regulatory scrutiny. Finally, appropriately classified data facilitates data mapping and the implementation of security measures and controls proportionate to the sensitivity of each data set.

Identifying and classifying the information you hold is also required by ISO 27001. The relevant controls are in Annex A, section A.8.2 (ISO/IEC 27001:2013 numbering), which covers the classification, labelling and handling of information within the scope of the established ISMS.

  1. As a first step, ensure that your organization has a clear understanding of the information it collects, stores and processes, as well as of the regulatory and contractual data protection and confidentiality requirements that apply to it. Once the scope of the data and the regulatory requirements are defined, you can set your data classification objectives and build a comprehensive, working data classification overview.

     Consider the following questions when classifying your information:

  • What data does your organization collect from its stakeholders?
  • What data do you create as part of daily operations?
  • What data, if lost, would have a particular impact on your organization?
  • What data would be classed as confidential?
  • What data qualifies as personal data?
  • Who is responsible for the integrity and accuracy of the data?
  • Who can, and who should, access the data?

  2. In the context of information security, data is classified by its level of confidentiality and by the impact to the organization should that data be disclosed, altered or destroyed without authorization. The classification recorded in Compleye Online helps determine which baseline security controls are appropriate for safeguarding that data. Each data set falls into one of three classification levels:
  • Restricted: data should be classified as Restricted when the unauthorized disclosure, change or destruction of that data could cause a significant level of risk to the Client or its affiliates. The highest level of security measures should be applied to Restricted data.
  • Private: data should be classified as Private when the unauthorized disclosure, change or destruction of that data could result in a moderate level of risk to the Client or its affiliates. A reasonable level of security measures should be applied to Private data.
  • Public: data should be classified as Public when the unauthorized disclosure, change or destruction of that data would result in little or no risk to the Client and its affiliates. Examples of Public data include press releases, course information and research publications. Some security measures should still be in place for Public data, since its integrity and availability matter even where its confidentiality does not: unauthorized alteration or destruction must still be prevented.

  3. Start by developing and formalizing the Data Classification Policy; you can use the Data Classification Policy Template included in the Template section of the Policies and Procedures module. A well-defined Data Classification Policy helps your organization understand how the sensitivity of specific data types is classified and how each type should be handled by employees.

  4. GDPR Role: Because the data classification overview is an assessment of what kind of data you are processing, you need to determine for each data source whether you are the data controller or the data processor. Example: for an HR data source, you are the data controller and not the processor, which means that different obligations apply to your organization with regard to this type of data.

  5. Labelling: Once your data is classified, you may need to label it in accordance with the labelling scheme your organization has adopted for the management of data and information, if applicable. Note that ISO 27001 is not prescriptive on this topic, so you can develop your own controls and measures, provided they are sufficient for your organization to protect its information.

  6. Control Measures: Describe the preventive and detective measures that have been adopted for each of the classified sets of data.

  7. Handling of Assets: Describe how the assets that relate to the classified data should be handled by the organization and its employees. The rules concerning asset handling should also be reflected in the HW Security Rules or any other related document.

  8. System Access Overview: Describe the access management arrangements applied to each of the classified sets of data. The access management rules should be consistent with the requirements of the organization's access management policy or any other relevant document. In practice, this field should list the roles and functions that have access to the classified information.

  9. Regulatory and Quality Requirements: Describe the regulatory and quality requirements taken into consideration when identifying and classifying the information.

  10. Data Storage: Describe where the classified information is stored. This can refer to both digital and physical storage.

Field                             Example Content
--------------------------------  ------------------------------------------------
Data source                       HR Data *
Collected from / Transferred      Information via Team Members (e-mail)
GDPR role                         Controller
Data Classification               Restricted
Labelling                         NA
Handling of assets                Only the CEO has access to all of the data.
Implemented control measures      Access restricted in MS365
Regulatory, Quality Requirement   GDPR
Data Storage                      MS365, in the separate folder "HR Team Members"
System Access Overview            Compleye Online – MS365
Security Impact                   Moderate
Confidentiality                   High
Integrity                         High
Availability                      Low
Security policies/procedures      HR-Office procedure and Access Management Procedure
Add new field                     [you can add extra fields if needed]
Data Ownership                    Data is owned by Team Members.

* Examples of data sources: HR Data, Source Code, Customer Data, Compliance Documentation, Business Data, Financial Data.
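Because the overview is only useful if every record is complete and consistent, it helps to treat the inventory as data that can be checked automatically, for example before it is exported or reviewed. The following is an added example, not Compleye Online code: it encodes the rules stated on this page (three classification levels, a GDPR role of controller or processor, every field of the overview filled in, and documented measures for Restricted and Private data) as a small validator, and runs it against a record constructed from the example table above plus a deliberately flawed one. The field names, the Low/Moderate/High rating scale, and the rule that Restricted data should carry a High confidentiality rating are assumptions made for the example, not something the page prescribes.

```python
"""Validate data classification records against the rules described on this page.

Added example; not part of Compleye Online. A record is a plain dict whose keys
mirror the fields of the data classification overview (key names are assumed).
"""
from __future__ import annotations

CLASSIFICATIONS = {"Restricted", "Private", "Public"}   # the three levels on this page
GDPR_ROLES = {"controller", "processor"}                 # GDPR role per data source
RATINGS = {"Low", "Moderate", "High"}                    # assumed scale for impact and CIA

# Every field of the overview must be filled in (key names are assumptions).
REQUIRED_FIELDS = (
    "data_source", "collected_from", "gdpr_role", "classification", "labelling",
    "handling_of_assets", "control_measures", "regulatory_requirements",
    "data_storage", "system_access_overview", "security_impact",
    "confidentiality", "integrity", "availability", "policies", "data_ownership",
)

# Values that count as "no measures documented" for the control/access fields.
EMPTY_MARKERS = {"", "na", "n/a", "none"}


def validate_record(record: dict) -> list[str]:
    """Return a list of findings for one record; an empty list means it passes."""
    findings: list[str] = []

    for field in REQUIRED_FIELDS:
        if not str(record.get(field, "")).strip():
            findings.append(f"{field}: missing or empty")

    cls = record.get("classification")
    if cls is not None and cls not in CLASSIFICATIONS:
        findings.append(f"classification: {cls!r} is not one of {sorted(CLASSIFICATIONS)}")

    role = record.get("gdpr_role")
    if role is not None and role not in GDPR_ROLES:
        findings.append(f"gdpr_role: {role!r} is not one of {sorted(GDPR_ROLES)}")

    for field in ("security_impact", "confidentiality", "integrity", "availability"):
        value = record.get(field)
        if value is not None and value not in RATINGS:
            findings.append(f"{field}: {value!r} is not one of {sorted(RATINGS)}")

    # The page requires the highest (Restricted) or a reasonable (Private) level of
    # measures: an empty control-measures or access field is a finding for those levels.
    if cls in {"Restricted", "Private"}:
        for field in ("control_measures", "system_access_overview"):
            if str(record.get(field, "")).strip().lower() in EMPTY_MARKERS:
                findings.append(f"{field}: {cls} data must have documented measures")

    # Assumption for this example (not stated on the page): Restricted data is
    # the most sensitive level, so its confidentiality rating should be High.
    if cls == "Restricted" and record.get("confidentiality") != "High":
        findings.append("confidentiality: Restricted data is expected to be rated High")

    return findings


def validate_inventory(records: list[dict]) -> dict[str, list[str]]:
    """Run validate_record over an inventory; returns {data_source: findings} for failures."""
    report = {}
    for record in records:
        findings = validate_record(record)
        if findings:
            report[str(record.get("data_source", "<unnamed>"))] = findings
    return report


# Constructed from the example table on this page.
EXAMPLE_RECORD = {
    "data_source": "HR Data",
    "collected_from": "Information via Team Members (e-mail)",
    "gdpr_role": "controller",
    "classification": "Restricted",
    "labelling": "NA",
    "handling_of_assets": "Only the CEO has access to all of the data.",
    "control_measures": "Access restricted in MS365",
    "regulatory_requirements": "GDPR",
    "data_storage": "MS365, in the separate folder HR Team Members",
    "system_access_overview": "Compleye Online – MS365",
    "security_impact": "Moderate",
    "confidentiality": "High",
    "integrity": "High",
    "availability": "Low",
    "policies": "HR-Office procedure and Access Management Procedure",
    "data_ownership": "Data is owned by Team Members.",
}

# Constructed flawed record: wrong GDPR role, no measures, wrong rating, missing storage.
BAD_RECORD = {**EXAMPLE_RECORD, "data_source": "Source Code", "gdpr_role": "owner",
              "control_measures": "NA", "confidentiality": "Low"}
del BAD_RECORD["data_storage"]

if __name__ == "__main__":
    for source, findings in validate_inventory([EXAMPLE_RECORD, BAD_RECORD]).items():
        print(source)
        for finding in findings:
            print("  -", finding)
```

Running the block prints no findings for the HR Data record and four for the flawed Source Code record (missing storage, invalid GDPR role, no documented measures, confidentiality rating too low). Extending the rule set is a matter of adding checks to validate_record, for example requiring a non-NA label once your organization has adopted a labelling scheme.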
