Data ownership and classification

Page content


Whether you’re installing a new network or shoring up defenses on an existing infrastructure, the first step is planning. Without proper planning, security controls are relegated to the world of afterthought. They’re hooked-on instead of designed-in, resulting in greater cost or weak protection.

Security planning consists of three steps: assigning data owners and data classification, understanding how sensitive information is used, and developing a security strategy and controls design. In this article, we step through the initial planning step: data ownership and classification.

Data Ownership

All data in your organization should have an owner. The owner is responsible for determining how much risk to accept. He or she must make decisions about who will be permitted to access the information and how they will use it.

In small businesses, the business owner might be designated as the owner for all types of information. As organizations grow, ownership is typically distributed. For example, financial data ownership might fall to the vice president of the accounting department. Intellectual property might belong to the head of engineering. In any case, the data owner should understand the sensitivity of the information and his or her responsibilities for protecting it.

Data owners don’t perform these tasks alone. They work closely with information services and security to determine risk levels, current controls, and next steps. Security and information services delivery teams then takes steps to ensure appropriate controls are implemented and managed in the storage, handling, distribution, and regular usage of electronic information.

Another task performed by data owners is data classification.

Data Classification

The kinds of data you’ll handle with the network, and related regulatory constraints, affect the amount of risk you’ll willing to accept. Risk acceptance determines security controls configuration and budget. So, data classification is the necessary first step in planning security.

Today’s data types, as viewed from a security perspective, include:

  • PII or credit information. PII (personally identifiable information) is any combination of personal attributes which criminals could use to assume a person’s identity. Credit information is closely related to PII. It’s information provided as part of a credit application or credit card use.
  • Electronic protected health information (ePHI). ePHI is any electronically stored information about health status, health care, or payment for health care which can be linked to a specific individual.
  • Intellectual property. Creations of the mind which provide the business with its competitive edge are bundled under intellectual property.
  • Financial information. Unless you own or operate a publicly traded company, you probably want to protect financial information. Even publicly traded organizations have certain elements they might not want released.
  • Network access and configuration information. Information about the company’s network is confidential. In the wrong hands, it provides a look at ways to circumvent your security. Sensitive network information includes:
    • IP Addresses
    • Server names
    • Switch or router configurations
    • Account names and passwords
    • Make, model, configuration, and operation system levels of firewalls, routers, switches, and intrusion protection/detection devices
    • Operation system versions and patch levels
  • Public information. Public information is anything you don’t mind giving to anyone on the street

This list is just a start. Each business is unique with additional candidates for confidentiality.

Once the data is identified, classify it. I like to keep it simple. I use three levels of data classification:

  • Restricted data is the most sensitive business information, intended for use strictly within the organization. Its unauthorized disclosure could seriously and adversely impact the company, its customers, its business partners, and its suppliers. I usually classify PII and ePHI as restricted.
  • Confidential applies to less-sensitive business information, intended for use within the organization. Its unauthorized disclosure could adversely impact the company or its customers, suppliers, business partners, or employees.
  • Public information has been approved by management for release to the public.

Restricted and confidential data are collectively referred to as sensitive information. For a better idea of how you might build a policy around data ownership and classification, download a sample data classification and access control policy.

Now that you have data owners and the data is classified, the next planning step is determining how the data is used and stored.

This post is part of the series: A Security Manual for Small/Medium Businesses

A how-to manual for implementing reasonable and appropriate security in small/medium business, using clear, non-technical explanations of how to integrate emerging standards (PCI DSS, HIPAA, etc.) into security spending decisions.

  1. Introduction to SMB Security
  2. Security Planning: Data ownership and classification
  3. Security Planning: Data Storage and Sharing
  4. Security Planning: Regulatory Considerations
  5. Endpoint hardening and defense: Overview of layered security
  6. Protecting desktop computers
  7. Protecting laptop computers
  8. Choose Encryption Wisely
  9. Designing Network Security
  10. Locking Down the Network With Access Controls