Planning for the security of your data is one of the most proactive and essential steps that need to be taken for any organization that wants to survive and grow. Two of the first steps are to define and classify your data and what protections need to be in place. Without taking these first steps, you will likely underestimate or overestimate what is required, resulting in higher than needed expenditures or greater risk.
What are data definition and classification?
Data definition is the process of finding all the data your organization needs and uses periodically, then giving it a value for your organization. In other words, you find all the data types you use and then define the type of data. Some examples might be:
- Credit card or financial institution information is defined as personal credit information (PCI)
- Health information would be personal health information (PHI)
- Proprietary information that gives your company a competitive advantage would be intellectual property (IP)
There are many other types of data, but those examples give you an idea of what we are discussing.
Classification is when you further define the VALUE of the data to your organization or its original providers, giving you a lot of information about how you must protect that data.
Let’s use some examples to show how this might work: three different professions/jobs and three different types of information.
Professions: physician, DMV drivers’ licensing clerk, and car salesperson.
Information types: heart attack/stroke history; type of driver’s license requested; vehicle make, model, and VIN.
Knowing your vascular history is essential for a physician and should be included in your medical records. Without it, they may make incorrect decisions about your medical prognoses or treatments. Your driver’s license and vehicle information have no pertinence to their work and shouldn’t be collected.
The DMV employee has little or no need to know your vascular history or vehicle information but does need to know what type of license you are applying for as it affects what testing and background information they may need to collect.
The salesperson does not need your medical history and only needs to know you have a license (and may not even need that information), but would likely need to see the trade-in information to process a purchase for you.
As you can see, the data definition component tells you what you need to collect and hold onto while also giving insight into what you could eliminate that isn’t strictly necessary.
Now let’s classify that information based on who collected it and what type of information it is:
- The physician collected your health information, which is PHI. This information is of high value to them and you and is protected under laws and regulations nationally and locally.
- Therefore, this information should be classified as “Protected,” with all the security that implies.
- The license type requested should be considered low or “Public” information unless it is directly linked to other (more highly) protected information.
- Protecting this information is less of a priority as long as it doesn’t have that higher connection to credit or financial information or include personally identifiable information (PII) such as your address.
- Vehicle information is another type that should have a low or “Public” sensitivity rating.
- A vehicle’s VIN, make, and model are all publicly available, since anyone walking by the vehicle can quickly and easily discover them. Other than for car thieves, there is little or no use for this information outside a restricted subset of needs.
It may seem simple in these contextual examples, but definition and classification can be a massive undertaking for many companies. A company like Google, or a medical practice with thousands of clients, might have thousands of different data types that need to be examined, possibly even millions, depending on what they collect and how they use it. In this case, it might help to start with a much broader definition, then work your way down the list to ensure everything is covered. Looking at how your business collects data on a process-by-process basis can make this discovery and classification easier.
An example of this might be to define all medically relevant information under the heading “Personal Health Information.” This overall heading means that it must be classified as “Protected” under the law, and you can tailor your security measures to that classification.
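As an added illustration (not part of the original article), the following Python model encodes the two checks walked through above: the classification rule that keeps a field “Public” unless the same record links it to PHI, PCI, or PII, and a need-to-know review for the three professions that flags fields a role has no business collecting. The field names, the role matrix, and the conservative default for fields not yet defined are assumptions made for this example.

```python
# Data types named in the article and the two classification levels it uses.
PHI, PCI, PII, PUBLIC_TYPE = "PHI", "PCI", "PII", "PUBLIC"
PROTECTED, PUBLIC = "Protected", "Public"
SENSITIVE_TYPES = {PHI, PCI, PII}

# Hypothetical data definition: each field the organization collects and its type.
FIELD_TYPES = {
    "vascular_history": PHI,
    "license_type": PUBLIC_TYPE,
    "vehicle_vin": PUBLIC_TYPE,
    "vehicle_make_model": PUBLIC_TYPE,
    "home_address": PII,
    "card_number": PCI,
}

# Hypothetical need-to-know matrix built from the three professions in the article.
NEED_TO_KNOW = {
    "physician": {"vascular_history"},
    "dmv_clerk": {"license_type"},
    "salesperson": {"license_type", "vehicle_vin", "vehicle_make_model"},
}


def classify_record(record):
    """Return {field: level} for one record (a dict of field -> value).

    Rule from the article: PHI/PCI/PII fields are Protected. Public-type fields
    stay Public only when the record does not also link them to a protected
    field (e.g. license type stored next to a home address becomes Protected).
    Assumption: a field missing from the data definition is treated as PII,
    so undefined data errs toward protection until someone classifies it.
    """
    types = {name: FIELD_TYPES.get(name, PII) for name in record}
    linked_to_protected = any(t in SENSITIVE_TYPES for t in types.values())
    return {
        name: PROTECTED if (t in SENSITIVE_TYPES or linked_to_protected) else PUBLIC
        for name, t in types.items()
    }


def record_level(record):
    """Highest classification in the record; drives how the whole record is stored."""
    return PROTECTED if PROTECTED in classify_record(record).values() else PUBLIC


def minimization_review(role, collected_fields):
    """Fields the role collects without a need-to-know: candidates for elimination."""
    allowed = NEED_TO_KNOW.get(role, set())
    return sorted(f for f in collected_fields if f not in allowed)
```

Running `minimization_review("physician", [...])` over a real intake form is the cheap version of the “do we need to know the patient has a dog?” question the article raises.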
How will this affect you?
Data definition and classification are a must for anyone who collects, works with, or stores data. This is true because of laws and regulations, and because it is simply good practice. The process will take time, effort, and a financial commitment, so plan for all three when you prepare to accomplish this task.
When working on the task itself, be prepared to make some decisions about whether you should or could get rid of any information being collected that isn’t necessary to day-to-day operations. This can significantly reduce the overall expense of the process and save you potential risks and problems down the road. If you don’t need to know that your patient has a dog, why would you collect that information?
With the outcome of this process, you will find that your cybersecurity program is far more protective and better suited to your actual needs than the “throw mud at the wall” approach you used before.
What should you do?
Start by discovering all the data you collect, how it is used, by whom, and for how long it remains of value. Once you know these things, you can make an informed decision about each piece of data, its value, and how it should be protected. You will also gain insight into any data that might become important down the road or might not retain its value over an extended period.
Expending the effort at the outset to understand these points will save money, show that you are properly caring for information provided by your clients/patients, and make maintaining proper security more cost-effective and efficient in the future. All of this is for the betterment of your organization and the fulfillment of its goals.
Northstarr Recommendations
Don’t let your organization fail due to improper management of its data and cybersecurity! If you need help discovering the data you use, defining it, assigning proper classifications, and developing a security plan for protecting it, Northstarr professionals are here to help!
To find out more about how we can help you, visit our website or give us a call at (888) 767-2210 to set up an appointment.
We look forward to meeting you!