12 September 2022

Learn about the best practices for data classification

The amount of data processed worldwide is growing rapidly. To grasp the scale, look at how many files and documents are on your own computer, then multiply that by the billions of devices in use around the world. Ensuring the security of these documents is a global challenge, especially for the companies and institutions that collect most of them. To do this effectively, the data must be classified correctly, which helps you avoid financial, operational or organisational losses. Classification of documents is one of the administrative safeguards derived from the ISO/IEC 27001 standard. How do you do it, and what can you gain from it?

One binder per company

Let us take an example. Twenty people work in a medium-sized company that provides accounting services. They file all documents related to ongoing cases in a single binder. To keep things simple, every employee has access to it, and new records are added every day. If there is no proper order, marking, or division into years, months, customers or employees in the binder, it will quickly become such a mess that no one can find anything. Documents will be taken out and moved around, and some will probably never return. Hold on. After all, we live in the digital age. However, the situation is identical for electronic files collected on company servers, in the cloud, on employee equipment or on external media. If the organisation does not know what kind of documents it processes, who collects them, what they concern, whether they are internal or external, and how valuable they are to the company, the ongoing disorganisation will cause a huge mess, which may lead to an incident in which information is shared with persons or entities who are not authorised, just as with the single binder.

Data classification process

To begin classifying documents in the company, you should first ask yourself a few questions. What data is collected? Where is it located? Who has it, and who should have access to it? Who owns it? How is it distributed? Is it intended for internal use, or can it leave the organisation? The main advantage of classifying documents is establishing accountability and data owners, which allows data to be processed in accordance with the law and, consequently, to be protected appropriately.

Knowing the value and sensitivity of documents can reduce security breaches and thus help maintain standards in line with the GDPR and ISO/IEC 27001. An overview of the company's local and cloud locations that hold data in various formats (e.g. image files, .pdf, Excel or PowerPoint files, .doc) is necessary to carry out the classification of resources effectively. Recommendations on how to organise data are given by the ISO/IEC 27001 standard, whose Annex A control A.8.2 recommends that organisations "ensure that information is given an adequate level of protection, consistent with its importance".

Classification of the company's data in 5 steps:

  • Register of assets – once you know what information your company and employees process and where the documents are located, record it in the assets register. The register should also name the persons responsible for each item and the form in which it is stored, for example paper, electronic documents or storage media.
  • Choosing how to categorise information – the classification and its possible subcategories will depend on the size of the organisation and many other factors that each company should determine individually.
  • Classification – the most common way of marking the rank of a document is by its degree of confidentiality, which determines who has access to the information and who owns it. Sample classification scheme:
    • level I – public and non-confidential
    • level II – within the company, accessible to all employees
    • level III – within the company, but accessible only to selected employees
    • level IV – within the company, but accessible only to management
  • Marking – once you know which documents fall into which category of information, select and implement a data marking process for the entire organisation that is binding on the data owners. The mark can be, for example, a digit combined with a letter assigned to a specific level of confidentiality.
  • Introducing a data classification policy and education – appropriate data categorisation is a process spread over time and can never be considered finished, for a simple reason: new documents keep appearing, and employees must know how to handle information, who should have access to it and how it should be protected.
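As an added example that is not part of the original article or of Safetica's product, the following Python sketch applies the five steps above: an assets register with owners and locations, a mark built from the level digit plus a letter (the exact marking convention and role names are assumptions), an access decision for each of the four levels, and a check over a constructed share log that flags transfers the classification does not permit.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 1       # level I:   public and non-confidential
    INTERNAL = 2     # level II:  accessible to all employees
    RESTRICTED = 3   # level III: selected employees only
    MANAGEMENT = 4   # level IV:  management only

# Assumed marking convention from the "Marking" step: level digit plus a letter.
LETTER = {Level.PUBLIC: "P", Level.INTERNAL: "I", Level.RESTRICTED: "R", Level.MANAGEMENT: "M"}

@dataclass
class Asset:                       # one row of the assets register
    name: str
    owner: str                     # data owner responsible for the document
    level: Level
    location: str                  # file server, cloud, laptop, paper binder...
    allowed: frozenset = frozenset()   # named employees cleared for a level III item
    def label(self) -> str:
        return f"{int(self.level)}{LETTER[self.level]}"   # e.g. "3R"

def can_access(asset: Asset, person: str, role: str) -> bool:
    """role is 'employee', 'management' or 'external' (outside the organisation)."""
    if asset.level == Level.PUBLIC:
        return True
    if role == "external":
        return False               # nothing above level I may leave the company
    if asset.level == Level.INTERNAL:
        return True
    if asset.level == Level.RESTRICTED:
        return role == "management" or person in asset.allowed
    return role == "management"    # level IV

def find_violations(register, shares):
    """DLP-style check: return (document, recipient) pairs that break the scheme."""
    by_name = {a.name: a for a in register}
    return [(doc, who) for doc, who, role in shares if not can_access(by_name[doc], who, role)]

# Constructed sample register and share log (not real data).
REGISTER = [
    Asset("price_list.pdf", "marketing", Level.PUBLIC, "website"),
    Asset("holiday_policy.docx", "hr", Level.INTERNAL, "file server"),
    Asset("client_ledger.xlsx", "accounting", Level.RESTRICTED, "cloud", frozenset({"anna"})),
    Asset("merger_plan.pptx", "ceo", Level.MANAGEMENT, "laptop"),
]
SHARES = [("price_list.pdf", "client@example.test", "external"),
          ("client_ledger.xlsx", "anna", "employee"), ("client_ledger.xlsx", "bob", "employee"),
          ("merger_plan.pptx", "bob", "employee"), ("holiday_policy.docx", "client@example.test", "external")]
```

Running `find_violations(REGISTER, SHARES)` on the constructed log flags the ledger going to an uncleared employee, the level IV plan going to a non-manager, and the internal policy leaving the company, while the public price list and the cleared employee's access pass.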

Classifying documents in the organisation may seem a complicated task. However, thinking the whole process through, choosing the right strategy and perhaps involving specialists who will help implement the scheme will undoubtedly improve the quality of work and the business efficiency of the organisation. With a data classification system in place, the company can secure its assets more easily by introducing a DLP solution such as Safetica. It helps to monitor data and data flows continuously and, by tagging documents, it quickly detects security incidents and protects against leaks outside the organisation.

Mateusz Piątek
product manager Safetica
