Smarter Data Management: Data Classification and File Permissions

Published 1/4/24

The beginning of a new year is an excellent time to clean up and organize your systems and processes. The data stored on your various systems needs to stay out of the hands of hackers and remain safely within your organization, but some of it may be sensitive enough that it should also be protected from general staff access.

How do you sort through this data and start to protect it?

The first step is to create a data classification and handling policy. This includes categorizing your data and determining who can access each category. Written procedures and guidelines for data classification should define the categories and criteria your organization will use to classify data. They should also specify the roles and responsibilities of employees within the organization regarding data stewardship.

This can be very basic or quite complex. If it is too complex, you might find that all it does is gather dust. Shoot for simple but effective. The process is too complex to fully cover here, but these sites offer some good information to start:

https://www.netwrix.com/data_classification_policy_template.html

https://www.packetlabs.net/posts/data-classification/#:~:text=of%20the%20business.-,Data%20Classification%20Levels,%2C%20Confidential%2C%20Internal%2C%20Public.

  • First, you will need to create classification levels, impact levels, and audience to apply to your data.
  • Next, you will need to audit your current data and apply this policy framework to groups of your data. You then need to apply the correct protections around your data and test it.
  • Lastly, you should set up alerts when internal or external staff access or attempt to access any data that they are restricted from accessing.

When auditing your data, do not forget to look at all types, not just files. This can include databases, email systems, and web content. With some systems you can apply data loss prevention (DLP) protection and alerting. You can use this to protect and flag access to data such as social security numbers, addresses, and protected health data.
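As a sketch of the audit step for a POSIX file share, the script below (an added example, not taken from the linked resources) checks each file against a small classification policy and reports permissions broader than the level's audience, plus SSN-shaped content stored outside the Confidential tier. The folder names, level names, permission ceilings, and sample files are all assumptions constructed for illustration.

```python
import os, re, stat, tempfile

# Assumed policy: top-level folder -> (classification, broadest mode allowed).
POLICY = {
    "hr":     ("Confidential", 0o660),   # owner and group only
    "shared": ("Internal",     0o664),   # everyone may read
    "www":    ("Public",       0o664),
}
DEFAULT = ("Internal", 0o664)            # unlisted folders
# US SSN shape, excluding number ranges that are never issued.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def audit(root):
    """Return sorted (relative path, classification, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]
        level, allowed = POLICY.get(top, DEFAULT)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & ~allowed & 0o777:          # bits beyond the policy
                findings.append((rel, level, f"mode {mode:o} exceeds {allowed:o}"))
            with open(path, "rb") as fh:         # DLP-style content check
                has_ssn = SSN_RE.search(fh.read(1_000_000)) is not None
            if has_ssn and level != "Confidential":
                findings.append((rel, level, "SSN pattern outside Confidential"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    samples = {   # path: (constructed content, mode)
        "hr/payroll.csv":    (b"name,ssn\nA. Example,123-45-6789\n", 0o644),
        "hr/reviews.txt":    (b"annual review notes\n", 0o640),
        "shared/roster.txt": (b"A. Example 123-45-6789\n", 0o664),
        "www/index.html":    (b"<h1>Welcome</h1>\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mode) in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return audit(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

Run on a schedule, the findings list doubles as the test for the protections you applied: an empty result means every file sits within its classification's permission ceiling.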

Many embarrassing or financially devastating data breaches have been in the news recently. Here is one that covers what happens when the above process fails:

https://slate.com/news-and-politics/2023/04/why-jack-teixeira-had-access-to-so-much-classified-information.html