Classification should be designed to ensure that data is marked in a way that allows only people with appropriate permission to access it. Classification levels and determinations must be well documented and communicated to all people creating, accessing, moving or deleting the data.
How the classification is determined is down to the creating organisation; however, consideration should be given to the following:
- Sensitivity to unauthorised disclosure
- Legal requirements
Classification of data can be done manually (through the application of watermarks, digital stamps, headers/footers, email signatures, etc.) or, more suitably, through a tool that the user must interact with. Such tools mark the metadata with the assigned classification. This classification can then be used to apply handling rules based on company policy.
Some of the other benefits of a good classification scheme are:
- More effective risk management
- Help to meet legal eDiscovery requirements
- Help to meet other regulatory requirements
- Optimise the effectiveness of other security controls such as Data Loss Prevention and Encryption
- Improved user security awareness
Data classification most commonly applies to unstructured data and email systems, but structured data should not be overlooked. Classification tools should integrate with productivity applications like Microsoft Office, so that marking is enforced when a file or email is created or modified.
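The following added example (not taken from any particular classification product) shows how a label stored in email metadata can drive handling rules at an outbound gateway, including holding unmarked mail. The header name `X-Classification`, the three level names, the internal domain and the rule table are all assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions for illustration: header name, level names, domain and rules.
LABEL_HEADER = "X-Classification"
INTERNAL_DOMAIN = "example.org"
POLICY = {
    "public":       {"external": True,  "encrypt": False},
    "internal":     {"external": False, "encrypt": False},
    "confidential": {"external": False, "encrypt": True},
}

def handling_decision(raw_message: str, encrypted: bool = False) -> tuple[str, str]:
    """Return (action, reason) for an outbound email based on its label."""
    msg = message_from_string(raw_message)
    label = (msg.get(LABEL_HEADER) or "").strip().lower()
    # Fail closed: unlabelled or unknown labels are held until the sender marks them.
    if label not in POLICY:
        return "hold", "missing or unrecognised classification label"
    rule = POLICY[label]
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers += msg.get_all(name, [])
    external = [addr for _, addr in getaddresses(headers)
                if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]
    # Data Loss Prevention rule: restricted levels must not leave the organisation.
    if external and not rule["external"]:
        return "block", f"{label} data addressed externally: {', '.join(external)}"
    # Encryption rule: some levels may only travel encrypted.
    if rule["encrypt"] and not encrypted:
        return "block", f"{label} data must be encrypted"
    return "allow", f"{label} handling rules satisfied"

# Constructed sample messages (not real traffic).
SAMPLES = {
    "conf_external": "To: partner@other.example\nX-Classification: Confidential\n\nbody\n",
    "conf_internal": "To: bob@example.org\nX-Classification: Confidential\n\nbody\n",
    "unlabelled":    "To: bob@example.org\n\nbody\n",
    "public_ext":    "To: press@other.example\nX-Classification: Public\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, handling_decision(raw))
```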