I was recently in a situation where I had to explain why our information security group had made strict requirements for one project team and much lesser requirements for another project team. Cries of "It's unfair", "You're just picking on us" and "You're singling us out" were heard in the aisles when the teams read the requirements.
Requirements are simply based on the type of information that is being handled, or as it is known in the security industry, its “Data Classification”. Here are some examples of possible data classifications that a company may have:
- Some information can be considered "Public". For example: the annual statement of a company, directions to its home office, advertising, statements on websites and even this blog post. This information is targeted at people regardless of the company they work for and can't really get lost or stolen because you freely give it away. You really don't even need to try to protect this information.
- Other information can be considered "Internal Use Only". For example, the employee phone directory and management reporting hierarchy, your vendor list and their contact numbers, the specific processes you use for responding to and resolving incidents, etc. You don't want this information all over the place because it could weaken internal controls or could be used by a salesperson or competitor for a slight advantage. If it is lost, it is more of an inconvenience or embarrassment than a serious regulatory or legal issue. You should place some simple controls around this information.
- Some information is specifically identified in regulations and laws. This information is called "Customer Privacy Information" or CPI and contains things like SSN, driver's license number, account number and PIN, etc. This information, if lost or stolen, will result in a company releasing a privacy breach notification and executing all the steps required by the state where the customers reside. This information requires strict protection, monitoring and response.
- Finally, some information can be considered "Confidential". This type of information includes things like employee salaries, merger and acquisition plans, company intellectual property, etc. If this information were lost or stolen, your company would suffer a severe impact. This information also requires strict protection and monitoring.
Just this brief list of four possible data classifications makes it easy to see that a project implementing a system to automate the tracking of internal work requests, classified as "Internal Use Only", will have significantly different requirements than a project that has been proposed to expose employee benefits information over the Internet, classified as "Customer Privacy Information".
What controls are appropriate for each data classification? Who should perform the classification? What is the classification of aggregated information? These are topics for future posts. But remember that you don't need to protect all information the same way.