When it comes to security, all data is not created equal

  • It doesn't pay to protect every piece of data equally.

  • Data can be classified as restricted, private, and public.

  • IT security staff should set security appropriate to each level.

All data is not created equal. Some high-value data must be kept confidential, while other data is intended to be shared freely. With that in mind, organizations would benefit from creating specific levels of security protection based on data priority and sensitivity. Doing so can save money while improving overall security and user productivity.

“There are two kinds of big companies in the United States,” says FBI Director James Comey. “There are those who’ve been hacked… and those who don’t know they’ve been hacked.”

But while every enterprise should assume its IT infrastructure is under attack, it doesn’t pay to protect every piece of data equally. Doing so adds cost, and burdens security staff and employees who are simply trying to get their work done.

Carnegie Mellon University divides data into three basic classifications and recommends addressing each classification differently, developing a specific security level for each:

  • Restricted
  • Private
  • Public

At its essence, each data classification requires a level of security appropriate to the data’s importance and its use. Data classified as restricted includes proprietary intellectual property such as trade secrets, customer and prospect lists, customer personal and financial information, and data subject to regulatory restrictions such as HIPAA.

Unauthorized access to these types of data can lead to financial loss, loss of customers, legal action, or all of the above. Only known individuals with proper credentials and a valid need to view the data should have access to it.

For access to data classified as private, a more lenient approach is permissible. This classification is broader than the restricted category, but the data is still considered important to the enterprise. Loss or corruption of private data will still cause negative repercussions.

Private data includes employee work product, communications such as email and voice mail, and other daily work activities. This data should be protected with standard but robust security safeguards.

Public data includes any enterprise data that is intended to be shared openly with the public. Examples include website information, contact information, public financial filings, press releases, and other data subject to disclosure by law.

Your organization’s IT security staff should implement these definitions and set security appropriate to each level. Once security safeguards are in place, each segment of data must be assigned a security classification and added to the protections provided for that level. IT security staff is responsible for monitoring security protocols and tools. They also need to periodically review enterprise data to identify and categorize new data, and to determine whether already classified data should be shifted to a different classification.

What steps have you taken to assign security classifications to your enterprise data?

For more information, go to the AT&T Network Security page.

Scott Koegler is a technology journalist with a specialization on the intersection of business and technology. AT&T has sponsored this blog post and all opinions are his own.
