We come in contact with all kinds of information each day, but chances are that we don’t think too much about how that info should be classified.
We see, use, and store a variety of data in multiple formats. We give our credit cards to vendors at street festivals, but don’t consider whether they’re compliant with PCI-DSS. We pull up giant spreadsheets of sensitive customer information, but don’t consider the consequences of Bob watching over our shoulder. We file away our family’s financial documents in a cheap cabinet, but don’t consider the possibility of a break-in.
Data classification is a means of ensuring that all this sensitive information is protected. But to most of us, “data classification” sounds like something reserved for the military: classified versus unclassified, secret versus top secret. It seems complex, and doesn’t fit in with our busy lives. Let me ask you one question, though…
How can you protect information — of any kind, personal or work-related — unless you know exactly what it is that you’re trying to protect?
Data classification is essential for handling information properly, because it tells you which kinds of information take a little extra effort to safeguard.
Data Classification at Home
Think for a moment about all the information that resides inside your home. Consider all devices and the different varieties of media and format. Do you know which of it is already available to anyone and which of it you’d rather keep to yourself?
For personal purposes, data classification can generally be restricted to two different realms: public and private. It’s up to you whether you want to make a system that is more complex than that for classifying your own information.
Public Personal Information
Public information can be legally accessed by anyone at any time. It might as well be posted on a social media site for the world to see.
Try searching public records to find out how much you can discover about yourself for free. You might be surprised! Legitimate background checks can often uncover enough details about an individual to enable identity theft. The following information is believed by many to be private, but (for the most part) is actually public:
- Marriage license & divorce
- Birth & death certificates
- Real estate records
- Criminal records & court documents
- User IDs
Private Personal Information
Private information is fairly straightforward. In general, you don’t want anyone seeing this info without explicit approval first. It consists in large part of all of your (and your family’s) personally identifiable information (PII) and protected health information (PHI). Although some PII is contained in public records, there’s plenty that is not, and that you should be fiercely protecting.
Location, Location, Location
Once you have an idea of what information to protect from disclosure, it’s important that you take note of where this data lives. This seems simple enough, but organizations constantly struggle with this fundamental aspect of data classification. Consider the following storage locations and the info they might contain:
- External storage (HD & USB)
- Desktop, laptop, smartphone
- Home network
- Safety deposit box
- The cloud
- Your brain
Now think about all the sensitive information that resides in multiple locations. See? It can get complicated quickly. Still, always ask yourself: What data do I have, and where is it stored or transmitted?
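The two questions above (what private data do I have, and where does it live) are exactly what a content-based classification pass answers. The following is an added example, not code from the original post: it walks a constructed inventory of storage locations, flags items that contain a payment card number (PCI DSS scope) or a U.S. Social Security number (PII) using simple pattern matching plus a Luhn check, labels each item public or private, and then reports which private items sit in more than one location. The inventory contents, file names and detection rules are all assumptions made for the example; the card number is a well-known test value, not a real account.

```python
import re
from collections import defaultdict

# Constructed sample inventory: storage location -> list of (item name, contents).
# All strings are synthetic; 4111 1111 1111 1111 is a standard test card number.
INVENTORY = {
    "laptop": [
        ("budget.xlsx", "Card 4111 1111 1111 1111 exp 12/27 monthly spend"),
        ("resume.docx", "Jane Doe, software engineer, jane@example.com"),
    ],
    "usb-drive": [
        ("budget.xlsx", "Card 4111 1111 1111 1111 exp 12/27 monthly spend"),
        ("photos.zip", "vacation 2016"),
    ],
    "cloud": [
        ("taxes.pdf", "SSN 123-45-6789 W-2 wages reported"),
        ("blog-draft.txt", "Public post about data classification"),
    ],
}

# 13-19 digits, optionally separated by spaces or dashes; Luhn check filters noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# area-group-serial layout; obviously invalid ranges are rejected below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return normalised card numbers found in text that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    """Return SSN-shaped strings, skipping ranges that are never issued."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits


def classify(text):
    """Label contents 'private' or 'public' and say why."""
    reasons = []
    if find_card_numbers(text):
        reasons.append("payment card number (PCI DSS)")
    if find_ssns(text):
        reasons.append("Social Security number (PII)")
    return ("private" if reasons else "public", reasons)


def classify_inventory(inventory):
    """Map each location to (item, label, reasons) tuples."""
    return {
        location: [(name, *classify(contents)) for name, contents in items]
        for location, items in inventory.items()
    }


def private_in_multiple_locations(report):
    """Private items that live in more than one location, with the locations."""
    seen = defaultdict(set)
    for location, entries in report.items():
        for name, label, _ in entries:
            if label == "private":
                seen[name].add(location)
    return {name: sorted(locs) for name, locs in seen.items() if len(locs) > 1}


if __name__ == "__main__":
    report = classify_inventory(INVENTORY)
    for location, entries in report.items():
        for name, label, reasons in entries:
            print(f"{location:10} {name:16} {label:8} {', '.join(reasons)}")
    for name, locs in private_in_multiple_locations(report).items():
        print(f"private item '{name}' is stored in {len(locs)} places: {', '.join(locs)}")
```

The inventory dictionary stands in for whatever listing you build of your own devices, drives and cloud folders; the point of the second pass is that a copy of a private file on a USB stick or in a sync folder is a second place that needs the same protection as the first.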
No matter what location you’re working from or what device you’re using to do that work, data classification is vital. Following data classification policies and procedures is core to protecting your organization from a number of possible incidents including theft, espionage, breaches, and accidents. No one wants their name in the headlines for the latest leak!
Businesses of all sizes can be targeted by criminals or other online adversaries. Employees should always be on guard against potential threats to information, systems, and business operations. It’s important to know which company data is more sensitive than other data, and in turn how to protect it.
In addition, many companies are obligated to follow mandated privacy and security regulations such as HIPAA, PCI-DSS, FERPA, GLBA and more. If you need a refresher, please ask for assistance. These greatly affect how you classify data and what practices you should have in place for its security.
The amount of personal data that can be found by others is already largely controlled by you, the user. Remember: less is more when it comes to privacy.
When it comes to matters at work, always follow policy. But make sure you do know what policies are in place!
By Kayley Melton. Originally posted as “What is Data Classification? Why is it Important?”, November 16, 2016.