NIST Privacy Framework : Our Essential Data Protection Guide


8 Steps Security Leaders Follow to Classify Sensitive Data

Data classification assigns a level of sensitivity to each piece of information within your enterprise. This makes it easier to locate and retrieve potential security risks before the bad actors do. Those who choose not to classify their data, put their faith in an imperfect security system. Security leaders must consider these 8 steps when classifying their data.

Step 1: Treat Sensitive Data Differently

Every organization creates, stores, and manages lots of information, including sensitive data. Information such as holiday appointments in calendars are not sensitive. But a spreadsheet with employee Social Security numbers and driver’s license numbers are highly sensitive. Both are buried in the enterprise. Both are not created equal.

To protect the sensitive data, it must be located, then classified. This process should include the assigning of a level of sensitivity to each piece of information. By treating sensitive data differently, it becomes easier to locate, retrieve and protect.

Step 2: Decide What Sensitive Data Means

Each business will define sensitive data differently. To
complicate matters, various state and federal regulations define sensitivity
differently. For example:

  • HIPAA regulation has up to 18 identifiers of
    sensitive data that must be protected.
  • PCI DSS regulation has one identifier, which is
    cardholder data.
  • CIA triad (confidentiality, integrity, and
    availability) defines which data is and isn’t sensitive at a high level.

Step 3: Define the Data Classification Framework

The potential security exposure of a piece of data can vary. As the exposure level increases, its classification must reflect this. By mirroring exposure with classification standards, security leaders can better trust their chosen framework.

Step 4: Go Beyond Regulatory Compliance

Some data that is classified as sensitive will be unique to an organization. Others that are defined as sensitive by regulations are universal to all organizations. In this case, regulatory compliance is essential. But compliance does not equal security. To protect all sensitive data, security leaders must look beyond the data covered by regulations and security policies. They must also look at the company-specific sensitive data.

Step 5: Shrink the Sensitive Data Footprint

The Sony Pictures data breach in 2014 makes a good case for
shrinking the data footprint. The scale of the data footprint was massive,
making it impossible to protect.

  • 601 files containing Social Security numbers
  • 3,000+ Social Security numbers that appeared
    more than 100 times.

Such a proliferation of sensitive information makes it
extremely difficult to prevent breaches. However, once the sensitive data footprint
is reduced, it’s easier to protect.

Step 6: Search Every Enterprise-owned Device

Security leaders need to assure all hardware does not contain
unprotected sensitive information. That means a search must be conducted wherever
employees are storing data. This includes cloud services and in shared spaced
like file servers, in databases and even images. Beware of “dark data,” which
is operational data that’s no longer being used. These potential blind spots
must be found and eliminated.

Step 7: Implement Automated, Persistent Classification

Educating data producers, consumers and owners about their
roles and responsibilities in protecting sensitive data and empowering them to
help reduce your exposure is critical to shrinking your footprint. Those who
produce data must be educated on how to protect their sensitive data. This
means the following:

  • Communicate Roles and responsibilities clearly
    to the team
  • Add unique identifies to file metadata to indicate
  • Automate the process such that as new data gets
    created, real time-monitoring automates the classification process.
  • Make the data classification process a
    persistent and real-time.

Step 8: Reduce the Risk of Sensitive Data Exposure

Sensitive data classification is key to reducing the
sensitive data footprint. When doing so, the risk of having that sensitive
information exposed is greatly reduced. This sensitive data management program should
provide clarify in the following ways:

  • Know what to secure and what is public
  • Right-size controls by setting data
    classification levels. Don’t apply a one-size-fits-all strategy for access and
  • Minimize the volume of sensitive data. Delete
    what is not needed and reduce the number of locations where the data is stored
    to protect confidentiality.
  • Implement a clear Data Classification Policy
  • Educate employees about their roles
  • Automate data classification

Data classification makes it easier to locate and retrieve potential security risks before a breach will occur. To do nothing and not classify the data, the risk of security exposure greatly increases. Outlined above are the 8 steps Security Leaders must follow to classify and secure their data.

See how Spirion follows the 8 steps
to classify and protect sensitive data. Schedule a customized risk assessment
with one of our data security experts to see our data protection solutions in