Businesses and organizations collect many different types of information. To quantify their cybersecurity risk exposure, companies should first understand the types of information they receive, store, and share. This information ranges in complexity from a simple inventory of products to personal information, including private health and financial records. Personal and customer information may be subject to federal, state, and local regulations, Payment Card Industry standards, or foreign privacy standards.
Having a data security policy is the first step toward protecting your data; the next logical step is to discover all the data you handle in the course of business. Completing this exercise helps you classify the data by its confidentiality, determine who should be authorized to access it, and determine the level of data security needed.
What Kind of Data Are You Handling?
Here is a three-step process that can help companies understand and classify their various data assets.
Step 1: Data Inventory
Determine the type of data you store.
- Personally Identifiable Information:
Often referred to as PII, this information may include such things as first and last names, home or business addresses, email addresses, credit card and bank account numbers, taxpayer identification numbers, medical records, and Social Security numbers. It also may include gender, age, date of birth, city of birth or residence, driver's license number, and phone numbers.
- Customer information:
Customer data may include payment information such as payment card numbers and verification codes, billing and shipping addresses, email addresses, phone numbers, and purchasing history, among other data.
- Intellectual property:
Company IP may include proprietary and sensitive business information such as financial records, product designs, human resource records, and internal correspondence and reports. It also can consist of the intellectual property of others with whom you have a business relationship, including customers and vendors.
Step 2: Data Classification
Classify the data and establish access privileges based on type and level of confidentiality.
Restricted (highly sensitive):
Restricted classification applies to the most sensitive business information, intended strictly for use within your company. Its unauthorized disclosure could harm your company, business partners, vendors, and customers in the short and long term.
Confidential:
Confidential classification applies to information about or belonging to customers and employees, and to other information that your company is obligated to protect. Confidential can also refer to information about your own company.
Internal use only:
Internal use only classification applies to sensitive information that is generally accessible to a broad internal audience and intended for use only within your company. While its unauthorized disclosure to outsiders should be against policy and may be harmful to your company, such disclosure is generally not expected to impact your company, employees, business partners, vendors, and the like.
Public:
Information that is generally available or intended for distribution outside your company.
Step 3: Periodic Data Reassessments
Periodically review the classification of your data and who has permission to access it. An information retention schedule should include guidance on the types of information, the retention period, and procedures for disposing of or destroying unneeded data. Audit all data and information that you store to be sure it is appropriately classified.