The recent WikiLeaks exposure of confidential information relating to sensitive activities of numerous governments across the world has created a flurry of debate about free speech and embarrassing “please explains” for many politicians and diplomats around the world. It is a sobering reminder for everyone, in particular businesses, to be wary of what is written and distributed and more importantly, how organizations protect this data.
In such an environment of heightened risk, data classification becomes a fundamental step in protecting one of an organization’s most important assets: its information. Data classification involves categorizing information into predefined levels. For each level, the organization assigns a different set of security controls and limits the number of personnel who can access the information. The auditor should understand the organization’s classification framework and then assess whether the control framework supporting each level of classification is appropriate for it.
Data classification is all about questions, and the responses will vary from organization to organization. The first step in protecting data is to understand its value by asking two fundamental questions.
What are the most valuable pieces of information to the organization right now? Typically, one finds “valuable” information split into two categories: static and transient. Static data typically is the essential information that is important to the short- and long-term operation of the business. For a financial institution, customers’ personal and banking details may be the static data, for example. Transient data is information that is considered critical at a point in time. Consider information related to a public takeover offer for a rival firm: In the days and months leading to an offer or notification, the offer information is considered valuable and is treated with the utmost secrecy; but once the offer is made and the information is generally made available to the public, the offer information does not need to be treated with the same level of value.
What is the organization doing to protect this data? In answering this question, management may rattle off various technological, physical, and procedural steps undertaken to protect “data.” What is generally missing in the thought process is: 1) an understanding of whether these security measures are suitable protection for the level of the data, and 2) recognition that a one-size-fits-all approach does not work in securing data. If a total lockdown approach to an organization’s data is adopted, users will find it hard to access and use information. On the other end of the spectrum, if an “open-door policy” is in place that makes all data available to every user, the consequences can be detrimental.
Once management understands which pieces of information are valuable to the organization, a data classification scheme has to be developed to support the organization’s needs, as illustrated in the table below. Auditors can assist management in determining the most cost-effective control framework to support a particular classification during the design phase, or assist in the risk assessment process. Further down the track, auditors can assess the operating effectiveness of the controls as part of an independent review. It should be noted, though, that while auditors can advise on the design of the control framework, they should not be involved in its implementation, as this may compromise auditor independence when conducting an assurance review.
| Classification | Description and examples | Handling controls |
| --- | --- | --- |
| Highly protected | Information considered very sensitive; distribution is limited to a few known people. Examples: special security briefings; strategy papers; highly sensitive market briefings. | Access restricted to designated individuals only; all copies numbered and recorded; copies can be made only by the originator; secured in a locked cabinet when not in use; disposal via shredding and secure bin; disposal of original and copies recorded. |
| Sensitive | Confidential material with access restricted to a level of users and known individuals. Examples: position papers on specific topics; audit committee papers; results of fraud investigations. | Access restricted to named individuals and groups; copying of documents may be restricted; secured in a locked cabinet when not in use; disposal via secure bin; record of disposal of copies may be required. |
| Commercial-in-confidence | Information of a general business nature, typically produced in day-to-day business operations. Examples: routine management reports; general personnel information; health information; customers’ banking details. | Access restricted to groups/business areas; copying of documents unlikely to be restricted; clean desk policy; disposal via secure bin; record of disposal of copies not required. |
| Public domain | Information suitable for wide public distribution. Examples: information on the organization’s websites; media releases; internal general staff information, including newsletters and staff information broadcasts. | No restriction on access; copying of documents unrestricted; may be left unsecured at any time; disposal via normal paper waste; record of disposal of copies not required; authorization may be required before public release. |
The data classification scheme is a fundamental step in understanding the security controls needed to protect an organization’s assets. Once a piece of data is classified, the level of protection it requires and its importance to the organization are immediately known. Note that the table above is a template, not a verdict on where any particular item belongs: it places customers’ banking details and health information at commercial-in-confidence, while the discussion of classifying customer information on entry later in this article treats it as sensitive. Where a given data set sits should be decided by its value to the organization (the static/transient analysis above) and by any regulatory obligations attached to it, not by the template. Critical components that support a successful data classification scheme are training and awareness, and a data classifier.
Training and Awareness
It is important that the data classification matrix is shared across the organization. It should be visible across the organization (via regular communication in staff bulletins, posters on walls across the organization, etc.) and discussed by staff in meetings. Senior management support is crucial. The terms commercial-in-confidence, sensitive, and highly protected should become part of the organization’s language and culture.
The role of formally classifying information becomes an integral function within the information security framework. Typically, this role is performed centrally in the risk management or information security group. This function or group may set the criteria or policies that assist management in classifying information, and management may seek the data classifier’s advice and guidance. Similarly, this group will aim to classify “like information” in bulk, with input and support from the business. For example, all customer information may be classified as “sensitive” as soon as the data enters the organization’s processes or systems. This assists operations, as most information entering the organization is then classified on entry.
It is only by exception that individual pieces of data will need to be specifically classified. Internal auditors will need to assess the systems and processes supporting the integrity of the data. Auditors should focus on the exceptions (i.e., the pieces of information that are not typical or standard), since those are the cases in which a judgement about how the information is categorized is actually made, and therefore where misclassification is most likely.
To support the successful implementation of a data classification program within an organization, the first and most obvious requirement is senior management support. Another essential ingredient is the clear definition and understanding of the roles involved in the process.
Data Owner
The data owner is usually a senior-level employee who is accountable for one or more sets of the organization’s data. He or she ensures that the appropriate operational processes and procedures are in place to support:
- Classifying data according to the organization’s data classification scheme.
- Assigning components of the data set to data custodians.
- Approving operational policies and procedures to support the data classification scheme (e.g., approving user access management procedures).
Data Custodian
This is typically the manager of a business area that holds physical custody of the data. In large organizations, there may be multiple data custodians. Data custodians are responsible for:
- Implementing the appropriate control framework (i.e., physical and system security controls) to protect the data.
- Documenting the local processes and procedures that support the safeguarding of data.
- Understanding the gaps in the process and reporting on these exposures to the data owner.
Data Classification Owner
This central policy-making group or function has overall accountability for defining the framework and its supporting policies and procedures. The group sets the classification parameters that are followed by the rest of the organization. Typical responsibilities include:
- Reviewing and updating the organizational requirements.
- Reporting on the status of risk exposure across the organization.
- Implementing the requirements of the framework, including training and awareness sessions.
- Reviewing and updating the data classification framework.
Every person in the organization is ultimately responsible for data security. In their day-to-day interactions with the data, individual staff are in the best position to identify and prevent security incidents.
Internal auditors can assist the data classification program by conducting specific data classification reviews and by considering this area in the planning of general audits.
Getting Data Under Control
The data classification concept has been around for a long time, but as with things that are considered “part of the furniture,” it is easy to forget the critical importance it has in an organization’s security framework. If an organization does not get this right or if it does not have the appropriate focus, all other activity associated or linked with protecting its data may be put in jeopardy. The auditor can play an integral role by emphasizing the importance of the framework in conversations with all levels of management and by considering this area in all audit reviews.