The easy answer to when you should classify new data is as soon as it is created. However, as data moves through each stage of the lifecycle, it is important to evaluate and update its classification, as necessary. As the data classification process is likely new to your organization, there will be data in each of these stages and it is important to classify data regardless of which stage of the data lifecycle it is in:
- Upon Creation: The time when sensitive data is first generated. Sensitive data may be generated by machines, people, or automated processes.
- Use: Utilizing the data for the purpose for which it was created. This period of the lifecycle may recur several times.
- Storage: After every use, data is stored on media. Sensitive data should be stored in a protected manner such as with access controls and encryption.
- Sharing and Copying: Information is often valuable only if it can be shared with others. Examples of sharing and copying may include emailing an attachment, sharing a Google doc, syncing to a cloud provider, backing up a database, opening a web page in a browser (which creates a local cache), sharing the information online, or sharing a screen online.
- Transformation: Transformation occurs whenever the data is changed from one state to another. For example, a database might be displayed on a webpage, or a spreadsheet may be printed or saved as a PDF file. A different type of transformation occurs when data is summarized or queried, such as when accounting information is summarized into reports, or a user creates a pivot table.
- Enrichment and Re-use: When data sources are combined to create additional value, and re-used for other purposes. Examples of enrichment might include cross-referencing customer lists with sales data; combining infrastructure data with other map information; performing advanced analytics; or indexing files for later searching.
- Deletion/destruction: Deletion is when the data is not immediately destroyed, but made available for future over-writing by a computer. In contrast, destruction is any method that renders the data completely unreadable, including full physical or digital redaction, physical destruction of the storage media, or complete overwriting. Simply hitting the “delete” key and emptying the recycle bin won’t completely remove personal information from your hard drive. Files can sometimes be undeleted or recovered until you proverbially “wipe” the drive. This wiping is called “shredding” the file, and typically requires at least a three-step deletion process whereby each byte is individually overwritten.
- Old Forgotten Data: Because data storage is plentiful and cheap, most data is stored and forgotten. Old, forgotten data is perhaps the most at-risk phase for data, because it often lacks adequate controls and protections.
Old Forgotten Data leads to large SSN breach
When former Florida Governor Jeb Bush announced his candidacy for President, his campaign made public all of the emails he sent and received during his time in office. One of those emails, sent by an employee of Florida’s Development Disabilities Program to the Governor, included a PowerPoint presentation with a single slide displaying a chart depicting the district level trends for a waitlist. When viewing this slide, there seemed to be no concern; however, that chart was pasted from Excel into PowerPoint as a “Microsoft Office Excel Worksheet Object,” which embedded the entire spreadsheet into the presentation. Within the spreadsheet were 12,564 Names, Social Security Numbers, and Dates of Birth of Florida residents. While the goal of transparency was noble, the results were disastrous. Because the data was never properly classified, it was used, shared, transformed and re-used with no regard to the highly sensitive information contained within.