Organizations need a practical data classification policy that provides a foundation for the business to understand and address their sensitive data requirements. Fully addressing the business requirements to protect sensitive data, and overcoming the cultural push-back from the business, is a slow process that begins with the foundation of a basic policy.
Characteristics of an effective, high-level classification policy:
- It is short.
- It separates specific handling requirements from the baseline policy.
- It has no more than three to four classification levels.
- It minimizes labelling requirements.
- It is flexible, not draconian.
- It allows for exceptions and supports decisions that balance protection with business need.
- It allows for individual business units or functions to register their own approved handling guidelines to address unique requirements.
- It avoids references to technology, departments and data types that age.
- It establishes a basis for the business to understand degrees of sensitivity.
The fundamental idea is to provide a policy that raises awareness in the organization and gives business unit managers the ability to make conscious decisions about the protection of sensitive data. A good policy supports the business in making these decisions and does more guiding than mandating. A basic policy can always be extended to cover specific, critical requirements, but it is better to start with a reasonable and appropriate policy.

Ordinarily, a policy violation occurs when a document is not handled properly according to its classification. However, policy implementation is so poor in many organizations that the vast majority of data is neither classified, labelled nor properly controlled. In the early stages of implementation, the emphasis should be on the business units' response to the policy. Success should be defined as the policy being reviewed and attested to, and a plan being devised to address it, rather than strict adherence to onerous requirements. Clearly, there are limits to this flexibility where specific handling requirements are mandated for select data types. For example, the Payment Card Industry requirements mandate that certain credit card data must be encrypted.