Posted by Tim Luzadder, TCC Director, Security Services
Data Classification is an integral part of a corporate security strategy. It is a defined process for categorizing data based on specific criteria so that the data can be protected appropriately and yet remain available for use as necessary.
The three most crucial elements and objectives of information security are Confidentiality, Integrity, and Availability. Confidentiality, with its gradations, refers to the measures taken to prevent unauthorized persons from accessing data. Access to data must be restricted to people who have a reason to view it and have been granted the right to do so. Maintaining Integrity includes ensuring that data remains accurate, reliable and whole throughout its entire life-cycle. In other words, data must not be changed, by accidental or malicious means, while it is being stored or while it is being transmitted. Availability means ensuring that the hardware, software and telecommunications equipment used to store, process and display that data are kept in running order. For information to have a purpose, it must be accessible when needed.
Using industry standards, data is normally ranked as Low, Medium or High risk for company exposure. Low risk data are information assets that would cause no harm if seen in public; High risk data would leave the company exposed to legal actions at the worst end and bad publicity at the lower end. Medium risk data falls in the area in between. You must assess the volumes of data your company has generated and protect them appropriately.
To defend your data, there are really only three methods: controlling access, inspecting data usage patterns for abuse, and encrypting data to devalue it in the event that it is stolen. (There is a fourth, which is to dispose of data when the organization no longer needs it, but here we are speaking of how to protect it while in use.) Only vetted personnel should have access to the devices that contain the most sensitive data. Organizations should employ automated tools that monitor data stores and access activity. Data should be encrypted in storage and while being transmitted.
To learn more about TCC’s Security Services, please visit our website: http://www.e-tcc.com/security-services.