Classify the resources to be managed according to their privacy requirements

Written by Cyberangels
Updated over 2 years ago

Knowing how to classify data is essential given today's cyber threats: you cannot decide how to protect data, or prevent security incidents in your organisation, until you know what kind of data you hold and how sensitive it is.

Determining data classification criteria depends on your industry and the type of data your organisation collects, uses, stores, processes and transmits. For healthcare organisations, for example, this could be patient names, dates of birth, social security numbers, medical data and medical history, or prescription information. For financial services organisations, it could be credit scores, payment history or loan information.

Regardless of the type of data, there are some key considerations to make when classifying data, including:

  • What data does your company collect from customers and suppliers?

  • What data does your company create?

  • What is the level of sensitivity of the data?

  • Who needs access to the data?

Depending on the sensitivity of the data held, there must be different levels of classification, which determine who has access to the data and how long the data must be kept. In general, there are four classifications for data: public use, internal use only, confidential and restricted.

  • Public data: This type of data is freely accessible to the public (i.e. all employees/corporate staff). It can be freely used, reused and redistributed without repercussions. An example would be first names and surnames, job descriptions or press releases.

  • Internal data only: this type of data is strictly accessible to internal company personnel or internal employees who are granted access. This could include internal-only memos or other communications, business plans, etc.

  • Restricted data: access to this data requires specific authorisation and/or clearance. This may include social security numbers, cardholder data, or merger and acquisition documents. Usually, this data is protected by laws and standards such as HIPAA and PCI DSS.

  • Confidential data: confidential data includes data that, if compromised or accessed without authorisation, could result in criminal charges and large legal penalties, or cause irreparable damage to the company. Examples of confidential data could include proprietary information, or research and data protected by national or international regulations.
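A worked example, added here and not part of the article: a small Python policy that labels a record with the highest tier of any field it holds (so a mixed record is never under-classified) and applies the access rules above, where restricted data needs a specific grant rather than just a clearance level. The field names, the principal structure and the assumption that the article lists its four tiers from least to most sensitive are hypothetical.

```python
from enum import IntEnum


class Level(IntEnum):
    """The article's four tiers, in the order it lists them (assumed ascending)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Field-name to tier mapping built from the article's examples. The names are
# hypothetical; an organisation would replace them with its own data inventory.
FIELD_LEVELS = {
    "first_name": Level.PUBLIC, "last_name": Level.PUBLIC, "job_title": Level.PUBLIC,
    "memo": Level.INTERNAL, "business_plan": Level.INTERNAL,
    "research_notes": Level.CONFIDENTIAL, "proprietary_design": Level.CONFIDENTIAL,
    "ssn": Level.RESTRICTED, "card_number": Level.RESTRICTED, "merger_doc": Level.RESTRICTED,
}


def classify_record(record, default=Level.CONFIDENTIAL):
    """A record inherits the highest tier of any field it contains (high-water mark).

    Fields missing from the inventory default to CONFIDENTIAL so that a gap in the
    mapping fails closed rather than silently exposing data as public.
    """
    return max((FIELD_LEVELS.get(name, default) for name in record), default=Level.PUBLIC)


def may_access(level, principal, resource_id):
    """Apply the article's rules. `principal` is a constructed dict with keys
    'is_staff' (bool), 'clearance' (Level) and 'grants' (set of resource ids)."""
    if level == Level.PUBLIC:
        return True                       # freely accessible, no check needed
    if not principal["is_staff"]:
        return False                      # internal and above: company personnel only
    if level == Level.RESTRICTED:
        # Restricted data needs specific authorisation for this resource, not
        # just a sufficiently high clearance.
        return principal["clearance"] >= level and resource_id in principal["grants"]
    return principal["clearance"] >= level


if __name__ == "__main__":
    staff = {"is_staff": True, "clearance": Level.RESTRICTED, "grants": {"hr-001"}}
    record = {"first_name": "Ada", "ssn": "000-00-0000"}   # constructed sample
    print(classify_record(record).name, may_access(classify_record(record), staff, "hr-001"))
```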