0

When classifying data sensitivity I generally run into a few standard categories such as:

  • Public
  • Internal
  • Confidential
  • Restricted

These do generally cover the sensitivity levels but don't necessarily make it easier to categorize the data. I'm generally really struggling with how data sensitivity relates to the accessibility of the data.

I can imagine plenty of scenarios where having access to certain data is not considered a problem when the data needs to be gathered by physical access to a device, but would be a problem if the same data could be gathered easily over distance or in large numbers.

Currently I'm looking for a way to classify data taking these items into account, but can't find standardized ways to do this, while I cannot imagine this is a rare scenario.

Are there any proper ways to assess this problem or do I have to look towards custom matrices linking base sensitivity against accessibility?

Light44
  • Why are you linking the qualities of the data with how the data is accessed? That's comparing apples and delivery trucks. – schroeder Feb 24 '22 at 16:09
  • @schroeder clear, I am mixing things I shouldn't be mixing, which is data classification with data value (as in how valuable data can be in the hands of the company or an unknown 3rd party). Any pointers where I could look? – Light44 Feb 25 '22 at 09:38

2 Answers

2

You classify the qualities of the data in terms of its impact (negative and positive) to the company or the people affected. For example, financial data is crucial to the operation of the company and potentially devastating if exposed to the public. Unless you are a Public Sector organisation where your financials are public anyway ...

So, you can start determining whether the data should be protected from various events:

  • disclosure
  • disruption
  • destruction
  • distortion

You then create classifications that limit the potential for each of those things. Can everyone read the data but not change it? Should only a select group of people even know that the data exists? Who needs to process and change the data? Who needs to add to, but not read or change existing data? etc.

Add to this the 3rd party, legal, and regulatory requirements for data handling. Personal data comes with quite a lot of pre-determined classifications.

The broader and clearer the classifications are, the easier it is for people to apply and comply with the classifications. So don't get fancy with all the levels of classification.

As a separate exercise, you can risk-assess how the data is used, processed, accessed, and shared as a normal part of operation. You might need to "expose" the data more than your classification allows in order to facilitate basic functions. So then you start to define the classification of the data processing systems and what data is allowed in those systems.

schroeder
  • Thank you, this is definitely helpful and I will keep this all in mind. One of the problems I'm facing is that I'm in a sector where things are currently rapidly changing by adding a lot of devices to the internet, making data that was rather difficult to access suddenly easily available. Service information where it doesn't matter if anyone sees 1 specific case, but when service information of all machines is publicly accessible it changes a lot. How do you classify these kinds of items? – Light44 Feb 25 '22 at 10:20
  • What is the impact of seeing all that data? – schroeder Feb 25 '22 at 10:44
  • We are talking run time, configuration, configured licenses on certain functionality and all that. Things that might translate to sale numbers or how and how often users are using machinery. Could be very useful for our marketing, could imagine it is not something that should be freely shared with competitors. This kind of data generally starts being useful when getting access to high numbers. – Light44 Feb 25 '22 at 17:31
0

From my experience, classification is either imposed by contracts or the law. Data gets the least restrictive classification possible. The ease of access and the volume of data are irrelevant to this classification.

A. Hersean
  • That's fair, then I suppose I am mixing things I shouldn't be mixing. What I am looking for is not necessarily the legally binding items, but more how useful/valuable the data can be for the company or an unknown 3rd party. – Light44 Feb 25 '22 at 09:35