Data Classification
What is data classification?
Data classification is the process of tagging data according to its type, sensitivity, confidentiality, purpose, and use.
It also helps assess the value of data, identify which data is at risk, and apply controls that reduce that risk. Moreover, data classification helps organizations meet compliance requirements such as PCI DSS, KVKK (Personal Data Protection Law of Türkiye), GDPR, ISO 27001, and the guidance published by the Digital Transformation Office of Türkiye.
Data Sensitivity Levels
Data is classified by sensitivity level. Typically, the labels low, medium, and high are used to express sensitivity.
High sensitivity data
Data whose unauthorized disclosure, alteration, or deletion could seriously harm the organization or individuals. Financial records, intellectual property, and authentication data (such as credentials and keys) are examples of high-sensitivity data.
Medium sensitivity data
Data intended for internal use only. Its compromise or loss would cause limited, not catastrophic, harm to the organization or individuals. Non-confidential internal e-mails and documents are examples of medium-sensitivity data.
Low sensitivity data
Data intended for public use, with no confidentiality requirement. Public website content is an example of low-sensitivity data.
Data Classification Types
Data can be classified by its content, by its context, or by the user's own selection.
1. Content-based classification
Inspects the contents of documents and files, for example by scanning for sensitive patterns, and assigns a label based on what is found.
2. Context-based classification
Classifies documents according to their metadata, such as the application that created the file (e.g., accounting software), the person who created it (e.g., finance personnel), and the location where the file was created or modified (e.g., the finance or legal department).
3. User-based classification
Relies on the manual judgment of a person who works with the document. The individuals who create or handle a document set its sensitivity level themselves. This can be done during preparation, after editing and/or review, or before publication.
Data Discovery
To classify data, one must first know its location, volume, and context. Most modern organizations store large volumes of data spread across multiple repositories:
Databases deployed on premises or in the cloud
Big data platforms and cloud storage services such as Google Docs and Dropbox
Files such as office documents, PDFs, and e-mails
* Accurate and thorough data discovery must precede data classification. Automated tools can help discover sensitive data at scale.
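The following example is added here and is not part of the original article. It puts the discovery step and the three classification approaches described above into working Python: content-based rules scan each document's text (payment card numbers validated with the Luhn checksum, Turkish national ID numbers validated with the standard TCKN checksum, and credential strings), context-based rules look at the creating application and owning department, and a user-based label set by the author can raise the level but cannot lower it below what the content rules found. The sample corpus, the department and application names treated as sensitive, and the thresholds are assumptions for illustration and should be replaced by your own policy.

```python
"""Discover and classify a small constructed document corpus.

Added example (not from the original article). Everything below that names
a department, an application or a file path is an assumption made for
illustration; the checksum routines are the public Luhn and TCKN algorithms.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sensitivity levels from the article, ordered so that max() picks the strictest.
LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Document:
    path: str
    text: str
    created_by_app: str = ""          # context: e.g. "accounting-software"
    owner_department: str = ""        # context: e.g. "finance"
    user_label: Optional[str] = None  # user-based: label chosen by the author


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tckn_ok(digits: str) -> bool:
    """Checksum of the 11-digit Turkish national ID number (TCKN)."""
    if len(digits) != 11 or digits[0] == "0":
        return False
    d = [int(c) for c in digits]
    odd = d[0] + d[2] + d[4] + d[6] + d[8]
    even = d[1] + d[3] + d[5] + d[7]
    return d[9] == (odd * 7 - even) % 10 and d[10] == sum(d[:10]) % 10


PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # digits with optional separators
TCKN_RE = re.compile(r"\b[1-9]\d{10}\b")              # 11 digits, first one non-zero
CRED_RE = re.compile(r"(?:password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+", re.I)
INTERNAL_RE = re.compile(r"internal use only", re.I)

SENSITIVE_DEPARTMENTS = {"finance", "legal", "hr"}   # assumed policy
SENSITIVE_APPS = {"accounting-software", "payroll"}   # assumed policy


def content_rules(text: str) -> list[tuple[str, str]]:
    """Content-based classification: (level, reason) pairs found in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # a 16-digit order number that fails Luhn is not a PAN
            hits.append(("high", "content: payment card number (PCI DSS)"))
    for m in TCKN_RE.finditer(text):
        if tckn_ok(m.group()):
            hits.append(("high", "content: Turkish national ID number (KVKK)"))
    if CRED_RE.search(text):
        hits.append(("high", "content: credential string"))
    if INTERNAL_RE.search(text):
        hits.append(("medium", "content: 'internal use only' marker"))
    return hits


def context_rules(doc: Document) -> list[tuple[str, str]]:
    """Context-based classification from metadata (owner, creating application)."""
    hits = []
    if doc.owner_department in SENSITIVE_DEPARTMENTS:
        hits.append(("medium", f"context: owned by {doc.owner_department}"))
    if doc.created_by_app in SENSITIVE_APPS:
        hits.append(("medium", f"context: created by {doc.created_by_app}"))
    return hits


def classify(doc: Document) -> tuple[str, list[str]]:
    """Combine content, context and user-based findings; the strictest level wins."""
    findings = content_rules(doc.text) + context_rules(doc)
    if doc.user_label is not None:
        if doc.user_label not in LEVELS:
            raise ValueError(f"{doc.path}: unknown label {doc.user_label!r}")
        findings.append((doc.user_label, "user: explicit label"))
    if not findings:
        return "low", ["no rule matched; default level"]
    # A user label can raise the level but never hide regulated content found above.
    level = max((lvl for lvl, _ in findings), key=LEVELS.__getitem__)
    return level, [reason for _, reason in findings]


def discover(corpus: list[Document]) -> dict[str, tuple[str, list[str]]]:
    """Data discovery: walk every item in the repositories and classify it."""
    return {doc.path: classify(doc) for doc in corpus}


# Constructed sample corpus (not real data); 4111... is a public test card number
# and 10000000146 is the commonly cited TCKN test value.
CORPUS = [
    Document("web/public/index.html", "Welcome to our public site."),
    Document("finance/q3-cards.txt", "Card on file: 4111 1111 1111 1111",
             created_by_app="accounting-software", owner_department="finance"),
    Document("hr/onboarding.txt", "New hire TCKN: 10000000146", owner_department="hr"),
    Document("ops/runbook.txt", "Internal use only. Restart order: db, api, web.",
             owner_department="ops"),
    Document("sales/orders.csv", "order_id=1234 5678 9012 3456,status=shipped"),
    Document("ops/deploy.env", "DB_PASSWORD=hunter2", owner_department="ops"),
    Document("rnd/roadmap.md", "Q4 roadmap draft.", user_label="high"),
]

if __name__ == "__main__":
    for path, (level, reasons) in discover(CORPUS).items():
        print(f"{level:6}  {path}  <- {'; '.join(reasons)}")
```

Note the `sales/orders.csv` entry: it contains a 16-digit number that a naive regex would flag as a card number, but it fails the Luhn check and is left at low, which is the kind of false positive a content rule needs to handle. Each returned level carries the list of reasons so that the person reviewing the classification (the user-based step) can see why a document was labelled the way it was.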
Formulation of Data Classification Policy
A data classification policy designates who is responsible for classifying data. Commonly, this is done by naming a designee for each program area or organizational department who is responsible for classifying that area's data.
A policy should address the following questions:
Who, and which organization or software, handles the data?
Which organizational department knows the content and context of the information?
Who is accountable for the integrity and accuracy of the data?
Where is the information stored?
Is the information subject to any regulations or compliance standards?
* Data producers, subject-matter specialists, and data-quality owners can be made responsible for data classification.
A policy can also define the classification process itself: how often data is classified or reclassified, which classification technique applies to which data, and which technical tools are suitable for the task. The data classification policy is part of the overall information security policy, which provides the guide for protecting sensitive data.