CONTACT US
Contoural - Data Security Classification Policy

Data Security Classification Policy

STRATEGIC FOUNDATIONAL EXECUTION MANAGEMENT
Maturity
Assessment &
Strategic
Roadmap 		Records/Data Retention
Policy & Schedule Data Security
Classification Policy 		AI
Governance Privacy
Program 		Discovery
Response &
Legal
Hold 		Governance
Processes
and
Procedures 		Data
Placement &
Automation 		Behavior
Change
Management
& Training 		Legacy
Document &
Data Disposition 		Ongoing
Management &
Monitoring
Information Governance Organizational Development
Data Security Classification Policy Development or Update

Provides corporate direction regarding information security, including the associated privacy and security controls. It also includes policy direction regarding additional classifications and controls that are needed to meet industry-specific privacy rules, or to comply with laws and regulations in specific geographic locations.

Data Classification Standard Creation

Defines levels of security classification for records and information, and for the repositories (systems and media) that contain them. The standard also specifies the set of data-security controls that apply to defined activities that occur over the life cycle of the data.

Unified Enterprise Security Standards
Incorporates wide-ranging security requirements including global privacy, industry-specific requirements, and internal confidential, trade secrets and intellectual property in a single, enterprise-wide standard.
User-Friendly Content Classification
Defines a few simple, easy-to-understand category labels, with multiple examples for each category – to clarify the meaning of the category, and to help employees to apply the classification to a variety of content types.
Universal Content Security Framework
Provides a global, baseline set security classification that applies to all – or nearly all – content types and repositories. Also specifies the minimum set of controls that employees and automated processes must apply to the data in each security classification during information management activities (including identification, storage, retrieval, duplication, transportation, archiving, and deletion).
Automated Sensitivity Organization
Organized and designed to facilitate automated classification of sensitive information.
Governance Foundation
Serves as a key component of overall Information Governance initiative.

Top Three Data Security Classification Policy Resources

Creating and Implementing a Data Security Classification Standard
Read more
Click Here For More Resources
More Resources

Essential Data Security Classification Questions

  • What types of sensitive information do we access, transmit, store and manage? This can include personal information, corporate confidential, trade secrets, financial and other types of sensitive information.
  • How do we assess different levels of risk, and consider the potential impacts of a security breach or a control failure?
  • How do we decide what types of controls should be applied to each type of content, repository and data-management activity?
  • How should we designate particular components or controls as required (mandatory) or recommended -- based on the types of information, the access requirements, the level of risk, and the potential impact of a security breach or control failure?
  • How do we ensure security controls are appropriate for the level of risk and the potential impacts, and are reasonable in terms of the organization’s size and resources?
  • How do we create an ongoing process for identifying, classifying, improving and implementing data security over time?

Contoural’s Approach for Data Security Classification Policy Service

Up to 10% of an organization’s data houses sensitive information, encompassing personal, financial, and business data. Contoural’s Service covers legal requirements, privacy, and corporate confidentiality, streamlining policies for comprehensive implementation and automation
Addressing Sensitive Information Everywhere
Addressing Data Security Gaps
Organizations often assume sensitive data resides only in secure repositories. Yet, in controlled settings, leaks to unsecure areas occur. Data might shift for convenience, storage limits, or transitory reasons, posing breach risks due to unsecured access. The risk magnifies with increasing data volume and potential unsecured locations.
Contoural’s Policy Development
Contoural’s service sets universal standards applicable to all media and repositories, including unstructured and structured data. It defines security levels for records, repositories, and content. Offering global baseline classifications, it also outlines minimum data-security controls for each classification during data’s lifecycle, covering identification to deletion.
Protection Against All Types of Breaches
What is Data Breaching?
A data breach involves unauthorized access, theft, or misuse of sensitive information by insiders, often employees with legitimate access, resulting in leaks or improper copying. Inadvertent leaks occur when sensitive data is stored insecurely, leading to harm even if not misused.
Rising Threats to Data Repositories
Sensitive information is pervasive within organizations, even as secure repositories are established. However, cybercriminals now target structured and unstructured sources, hacking corporate networks for financial gain, particularly focusing on less guarded repositories. Some of these include:
  • Work-from-home employees using less secure systems.
  • Moving information to insecure areas, such as file shares and email PST files, that lack appropriate access controls.
  • Frequent and casual interactions among customers, partners, government agencies, and employees.
  • The insecure handling and disposition of hard copy, removable media, retired PCs, laptops, systems, and servers.
Meeting Legal and Regulatory Security Requirements
Addressing Legal And Regulatory Demands

Most organizations face multiple sets of information security requirements. These include data security requirements imposed by industry-specific regulations, local jurisdictions, contract provisions, or special situations. Examples of such requirements include:

  • European Union Data Protection Requirements
  • California, Virginia and other US State Privacy Rules
  • State of New York Department of Financial Services Cybersecurity Requirements
  • Rule 17a-4, Investment Company Act of 1940 and other SEC requirements
  • Requirements to track and report any disclosures of PHI under the HIPAA
  • The HIPAA Breach Notification Rule (45 CFR 164.400-414)
Unified Data Security Approach
Managing dual security standards for different data subsets is complex. Opting for a single, comprehensive Data Security Classification Policy is more efficient. It covers all requirements, including industry-specific demands, using a global Data Classification Standard. The policy also accounts for exceptions and references additional standards and procedures.
Aligning Data Classification with Governance
Data Classification and Governance Integration
The design and implementation of the Data Classification Policy and the Data Classification Standard should be closely coordinated and linked with the other components of the overall IG program and roadmap, including:
  • Records Retention Policy and Schedule
  • Privacy Data Retention Policy
  • Legal Hold Policy and Processes
  • Data Placement and Automation Strategy
  • Repository-Specific File Plans
  • Information Systems Design and Implementation
  • Metrics, Reporting, Audit, and Verification
Effective Data Security Classification Policies integrate with these Information Governance activities.
Identifies Major Goals of Data Security
A good framework, however, does provide useful input for construction of a Data Classification Standard in several ways.
Contoural’s approach is to choose a set of data security classification names that are meaningful in terms of the kinds of information the company keeps and the way employees work.
Specifies Security for Activities
Defining Security Measures for Actions
The Data Security Classification should specify security controls for identified activities that could potentially affect the confidentiality, integrity, or availability of the documents or data. For example, the resulting list of activity types might include the following:
  • Information Handling/Retrieval/Output
  • Information Sharing
  • Shipping/Transportation
  • Data Storage
  • Disposal/Destruction
  • Security Labeling
The Data Security Classification must specify appropriate security controls for documents and data in different security classifications. The applicable controls will depend on the activity type, and also on the capabilities of the information system or the characteristics of the data storage medium or device.
Avoids Specifying The Exact Technologies That Must Be Used
A good framework, however, avoids specifying the exact technologies that must be used when implementing a particular control capability. To further identify the available controls, an organization’s information security team can provide a complementary list that reflects the actual capabilities and limitations of current and planned information systems. For example, the following figure illustrates the types of controls that might be applicable to the “Data Storage” activity, when the data is stored on removable media.
Integrates into Overall Information Governance Roadmap
Part of Information Governance Strategy
Implementation of the DCS should be integrated into the overall IG roadmap, including the following key steps.
  • Identify which systems contain which classes of information through business outreach and/or information classification tools (scan the content), and prepare a system map
  • Assess the current control capabilities in each system or media type, as illustrated below
  • Determine whether it is best to keep information in existing systems, or to restrict/move more-controlled classes of information to designated repositories that can apply the required controls
  • Create a gap analysis of current vs. needed controls
  • Prioritize the controls into the IG roadmap
  • Implement the controls
  • Monitor the results
Returning to the example of portable media on which employees could be receiving or storing sensitive information, the following figure illustrates an assessment of current control capabilities for a particular enterprise.
Avoids Data Classification Pitfalls
Navigating Classification Challenges
Some of the data classification pitfalls that should be avoided are:
  • Relying on narrowly defined or inconsistent data security classification policies
  • Defining more than 4 data security classification names
  • Selecting names that are confusingly similar or very abstract, or omitting examples that illustrate each classification
  • Failing to specify the required controls for every system, content and media type that contains sensitive information, including:
  • Structured Data
  • Unstructured and Semi-Structured Data Repositories
  • Messaging Systems
  • Portable Devices and Storage Media
  • Backup Tapes (During Storage and Transportation)
  • Inadequate implementation of the required controls
The biggest pitfall is failing to move forward with implementation, after completing the data classification policy and standard

Join us for our April webinar, "Information Governance 101."

REGISTER