2022-09-15 16:12:32

Building Effective Data Classification and Handling Documents

Building effective policies, standards and guidelines for sensitive data classification and handling requires collaboration between business leaders and the security team. This research advises security and risk management leaders on how to craft their documents and implement them successfully.


Overview

Key Findings

  • Understanding the sensitivity of data is a prerequisite of any data security program. However, most organizations have failed to turn that understanding into realistic data classification and handling documents.
  • The majority of organizations have complex classification schemes and data-handling documents that are difficult to communicate and implement.
  • Lack of business involvement often leads to a disconnect between documents and their operational feasibility. This causes pushback by the business and limits the implementation of those documents.

Recommendations

To craft effective data classification and handling documents, security and risk management leaders tasked with data security should:

  • Define data classification responsibilities and handling requirements in separate documents.
  • Create a basic classification policy, minimize the number of data classification levels and facilitate user awareness training on data classification.
  • Increase policy adherence, maximize compliance rates and reduce data risks by including line of business (LOB) stakeholders in the creation process.

Introduction

Data classification is fundamental to data security. By grouping data into a limited set of “classes” that share similar compliance and security requirements, classification provides the basis for prioritizing security investments and for applying manual and automated controls to data across an organization. Without it, risks to data are poorly understood, and data is left open to mismanagement and mishandling.


Traditional sensitive data classification and handling documents have failed because most organizations:

  • Don’t define classifications in a way that can be understood broadly and applied consistently
  • Fail to define responsibilities and monitor classification activity for accountability and effectiveness
  • Embed requirements that are unreasonable for business units or require uncommitted resources to implement
  • Tend to overclassify information, which increases the protection burden for no reason
  • Rely too heavily on manual classification and underuse automated classification technology that would reduce the burden on users

As a result, the individuals or systems processing information do not consistently classify, label and enforce controls on every piece of sensitive data they touch. This inconsistency makes classification unreliable as a basis for driving and supporting data security and compliance.

Keeping an eye on the impact of implementation is an important aspect of policy writing, and particularly important for data classification. Organizations need a practical data classification and handling policy that provides a foundation for the business to understand and address its sensitive data requirements.


Analysis

Define Data Classification Responsibilities and Handling Requirements in Separate Documents

To address the full scope of sensitive data classification and handling, it is best to have at most three types of documents:

  • Data classification policy — This top-level policy outlines companywide responsibilities for classifying data and includes a basic classification framework. It does not provide specific examples and information-handling guidance.
  • Data-handling standards or guidelines — This document provides companywide guidance on how to classify data and defines handling requirements based on data classifications. It is best to have this as a separate document from the classification policy to avoid a complex approval process every time there is a change to classification guidance or protection requirements.
  • Departmental data-handling standards or guidelines (optional) — If a department has special and/or unique needs, then it may, with the written approval of the legal department, create its own departmental information-handling guidelines. The format of these departmental guidelines should follow the same format as the information-handling guidelines document, and should not conflict with the information classification policy document.


Characteristics of an effective, sensitive data-handling document include:

  • Providing an overview of the classification definitions
  • Defining handling requirements based on classification
  • Focusing on the common set of requirements for each classification and referencing exceptions elsewhere, rather than overloading the document with them

Create a Basic Classification Policy, Minimize the Number of Data Classification Levels and Facilitate User Awareness Training on Data Classification

Classification is foundational to data security, but it does not protect data by itself. Because of this, organizations tend to overload their data classification policies with security requirements, without understanding the impact on business processes.

Characteristics of an effective, high-level classification policy include the following:

  • It is short and easy to parse.
  • It has no more than three or four classification levels and establishes a basis for the business to understand degrees of sensitivity.
  • It is flexible, not draconian. It allows for controlled exceptions and supports decisions that balance protection with business needs.
  • It avoids references to specific technologies, departments and data types, which age quickly.

A basic classification policy should:

  • Provide clear objectives and requirements for the policy and link to the security policy framework and standards that are already in place within the organization
  • Contain the classification scheme
  • Clearly communicate the responsibility and accountability of relevant roles

This high-level scheme description is adequate for your basic classification policy, but be prepared to provide more extensive guidance as part of your sensitive data-handling guidelines or as a separate procedure to make classification successful. The best methodologies for communicating what data fits in which classification vary from organization to organization, depending on the prevalent datasets and the culture, but the common ones are:

  • Reference lists of critical or representative documents and/or data types for each classification, organized by department
  • A weighted scorecard that yields a classification based on aggregated risk
  • Decision trees that yield a classification based on a minimal set of yes-no questions

Lists can be burdensome to maintain and can grow to be difficult to use. Organizations that use lists should therefore focus on key examples and on documents that have a history of misclassification, and train their users to match general documents and data to the provided examples.
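As an added illustration, not part of the original research note, the following Python sketch shows how a decision tree and a weighted scorecard each turn a minimal set of yes/no answers about a dataset into a classification level, and how to take the stricter of the two results while flagging the datasets on which the methods disagree, since those are the candidates for a reference list or for a fix to the scheme. The three-level scheme, the questions, the weights, the thresholds and the sample datasets are all assumptions made for the example.

```python
"""Decision-tree and weighted-scorecard classification of datasets.

Added example, not from the original research note. The three-level scheme,
the questions, the weights and the thresholds below are assumptions chosen for
illustration; a real scheme comes from the organization's classification policy.
"""
from dataclasses import dataclass

# Assumed three-level scheme, ordered from least to most sensitive.
LEVELS = ("Public", "Internal", "Confidential")


@dataclass(frozen=True)
class DatasetProfile:
    """Answers a data owner gives about one dataset (the questions are assumed)."""
    name: str
    department: str
    contains_personal_data: bool
    regulated: bool                 # subject to a privacy or financial regulation
    intended_for_publication: bool
    shared_with_third_parties: bool
    record_count: int


def classify_by_decision_tree(p: DatasetProfile) -> str:
    """Minimal set of yes/no questions; the first question answered 'yes' decides."""
    if p.regulated or p.contains_personal_data:
        return "Confidential"
    if p.intended_for_publication:
        return "Public"
    return "Internal"


# Weighted scorecard: each risk factor adds points, and the aggregate score is
# mapped to a level by thresholds checked from strictest to least strict.
WEIGHTS = {
    "contains_personal_data": 5,
    "regulated": 5,
    "shared_with_third_parties": 2,
}
THRESHOLDS = ((5, "Confidential"), (2, "Internal"), (0, "Public"))


def risk_score(p: DatasetProfile) -> int:
    """Aggregate risk score for the scorecard (weights are assumptions)."""
    total = sum(w for factor, w in WEIGHTS.items() if getattr(p, factor))
    if not p.intended_for_publication:
        total += 2                  # anything not meant to leave the company is at least Internal
    if p.contains_personal_data and p.record_count >= 10_000:
        total += 3                  # aggregation risk: bulk personal data is worse than a few records
    return total


def classify_by_scorecard(p: DatasetProfile) -> str:
    """Map the aggregate score to the first threshold it reaches."""
    s = risk_score(p)
    for threshold, level in THRESHOLDS:
        if s >= threshold:
            return level
    return LEVELS[0]


def classify(p: DatasetProfile) -> tuple[str, bool]:
    """Run both methods; return the stricter level and whether they disagreed.

    Taking the stricter result avoids underclassification; the disagreement flag
    marks the dataset as a candidate for the reference list or for a scheme fix.
    """
    tree, card = classify_by_decision_tree(p), classify_by_scorecard(p)
    return max((tree, card), key=LEVELS.index), tree != card


def disagreement_report(profiles) -> dict[str, list[str]]:
    """Group the datasets on which the two methods disagree by department."""
    report: dict[str, list[str]] = {}
    for p in profiles:
        _, disagreed = classify(p)
        if disagreed:
            report.setdefault(p.department, []).append(p.name)
    return report


# Constructed sample datasets for the example (not real data).
SAMPLES = [
    DatasetProfile("Product brochure", "Marketing", False, False, True, False, 1),
    DatasetProfile("Customer mailing list", "Marketing", True, False, False, True, 50_000),
    DatasetProfile("Q3 roadmap", "Engineering", False, False, False, False, 1),
    DatasetProfile("Press kit shared with agency", "Marketing", False, False, True, True, 1),
]

if __name__ == "__main__":
    for p in SAMPLES:
        level, disagreed = classify(p)
        print(f"{p.name:32} {level:13} {'REVIEW' if disagreed else ''}")
    print(disagreement_report(SAMPLES))
```

In this toy scheme the brochure, mailing list and roadmap come out the same under both methods, while the press kit is Public by the decision tree and Internal by the scorecard (because it is shared with a third party); the combined result escalates it to Internal and reports it for review, which is exactly the kind of document the text recommends adding to a reference list.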


Increase Policy Adherence by Including LOB Stakeholders in the Creation Process

Data classification and handling control documents affect business processes and cannot be effectively crafted without input and buy-in from the business side of an organization. Authoring such documents under an information security governance framework, or at the very least involving the business in assessing the impact of the policies, goes a long way toward overcoming cultural pushback from the business.

For organizations new to classification, it will take years to effect cultural change and get the business to fully respond to new classification and handling requirements. Expect the business to push back hard in the beginning, and ensure that you have top-down support or your efforts will be undermined at every step of the process. A phased implementation starting with specific at-risk datasets can help, but every organization will have unique challenges.

Not all issues can be uncovered ahead of time, however. So make sure that the responsibilities — as defined in your policy — include monitoring and lead to sustainable classification processes. If classification is not happening consistently or accurately, the reasons why need to be understood. It might be, for example, that:

  • The classification scheme is vague or not well-understood, and that more clarity, guidance or training is needed.
  • The classification process is too cumbersome for users, and it should be reviewed or better supported by data classification technologies.
  • Certain classifications are avoided by users because associated controls break business processes, and policy changes or additional technology support might be required.
