The Importance of Data Classification
By classifying data in accordance with its importance to an organization, appropriate measures can be taken to ensure that data is secured appropriately.
Limitations of Data Classification
Classification, by itself, does not secure data. Policies need to be established and implemented to secure each classification.
Vidder's Data Classification Recommendations
Vidder recommends that data be categorized into four classifications: critical, personal, confidential, and public.
Critical data is data whose unauthorized disclosure could place the company at a severe competitive disadvantage or cause the company severe financial, legal or reputation damage. This type of data should require multifactor authentication to access it and be encrypted at rest using either file encryption or transparent database encryption (full disk encryption is not sufficient). In addition, it should also be encrypted in motion using either IPsec or SSL VPNs to prevent malicious users from knowing about user interaction with the filenames or metadata of the files. All access to the files (or access to the keys to the files) should be logged for audit purposes.
Personal data is data that is either private (such as health records, credit card numbers, etc.) or personally identifiable (such as home contact information, social security numbers, etc.). This type of data should be locked down and encrypted in the same way as highly confidential data.
Confidential data is data whose unauthorized disclosure could place the company at a slight competitive disadvantage or cause the company slight financial, legal or reputation damage. Confidential data should be secured by conventional file server access controls such as strong passwords and Kerberos tokens.
Public data is data that can be shared with the public. This type of data should be secured in the same way as confidential data to prevent unauthorized changes to it.