We’re interested in implementing a data-classification program to lower our compliance costs. We’d like to establish different sets of controls for different data types. However, we’re struggling to define our data-classification levels. How do you recommend structuring the data-classification scheme for a Fortune-500-type company?

In my experience, the most critical factor to the success of an information classification program is simplicity. If your program is difficult to understand or the categories are ill-defined, people simply won’t use it. The bookshelves of security professionals around the world are littered with binders containing information classification plans that never saw practical implementation.

An approach that I’ve seen used many times follows a four-tier classification model that limits the very highest category to a small number of easily recognizable data elements. Here’s a rough outline:

• Highly sensitive data is information requiring an extremely high level of oversight and control due to potential reputational, financial or operational impact if improperly disclosed. This should be limited to a clear list of carefully enumerated elements, such as Social Security numbers, credit card numbers and drivers’ license numbers.
• Sensitive data is information intended for limited use that, if improperly disclosed, could have a serious adverse effect on the organization. This is the “you know it when you see it” category that contains information the organization considers confidential but does not meet the “highly sensitive” bar. For example, this might include plans for the development of new products that have not yet been publicly released.
• Public data, as the name implies, is information that may be freely released to the public without concern for confidentiality. This category includes information that you would publish on your website or hand out at a trade show, such as product brochures, public price lists and basic contact information fro your firm.
• Internal data includes everything else. It’s information that you wouldn’t freely publish on the Internet, but wouldn’t really damage the company if it were accidentally released, such as your internal telephone directory or the ordering list for your supply room.

Once you define your data-classification scheme, you need to appropriately classify all of your organization’s data, and then develop and implement the security standards that specify appropriate handling practices for each category.