Information Security News
Data classification isn't a brand new topic. International organizations and the military have been doing data classification for a long time. It can be defined as:
A set of processes and tools to help the organization to know what data are used, how they are protected and what access levels are implemented
The military's levels are well known: Top Secret, Secret, Confidential, Restricted, Unclassified.
But organizations are free to implement their own scheme and there are deviations. NATO is using: Cosmic Top Secret (CTS), NATO Secret (NS), NATO Confidential (NC) and NATO Restricted (NR). EU institutions are using: EU Top Secret, EU Secret, EU Confidential, EU Restricted. The most important thing is to have the right classification depending on your business!
Data classification is not only used by IT teams but also by all data, application or process owners in the organization. Implementing data classification is definitely not an easy process, but it will become more and more mandatory, especially in Europe. The EU adopted a new regulation called General Data Protection Regulation (GDPR) that will be effective by May 2018. Its goal is to protect users' data. To summarize the new rules regarding data:
The last point is critical because, according to a study, most companies take over six months to detect data breaches! And data classification helps you to better protect your data. The process is based on the following steps:
Don't be fooled, this is a very complex process. Even the first step can be very difficult for many organizations but, once it's done, it's easy to label any new type of data. More and more products and tools are starting to take care of privacy and data classification. Two examples: Microsoft launched Windows Information Protection (for Windows 10 Anniversary Update Office 365 Pro), which includes features to identify different types of information, determine which apps have access to it, and provide the basic controls (example: Copy and Paste restrictions). The open source world also embraces data classification. The latest LibreOffice release provides document classification according to the TSCP standard.
You can also implement a basic data classification at the operating system level. Modern OS can apply tags:

# touch super-secret.txt
# tracker-tag -a TLP:RED super-secret.txt
Tag was added successfully
# tracker-tag -t -s TLP:RED
Tags (shown by name):
  TLP:RED
    file:///root/super-secret.txt
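As an added example (not part of the original diary), the shell functions below read a tag listing in the layout shown above and report files under a given tag that group or other users can access. The function names and the EXPOSED/MISSING report lines are this example's own, and file:// URIs are assumed to be plain local paths without percent-encoding.

```shell
#!/bin/sh
# Added example: turn classification tags into a permission check.
# Input on stdin is a "tracker-tag -t -s" style listing; the layout
# (a tag name line followed by file:// URI lines) is assumed from the
# output shown in the diary.

# tagged_files TAG: print the local paths listed under TAG.
tagged_files() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim indentation
        /^Tags \(shown by name\)/ { next }           # skip the header line
        /^file:\/\// {                               # a file under the current tag
            if (cur == want) { sub(/^file:\/\//, ""); print }
            next
        }
        NF { cur = $0 }                              # any other line names a tag
    '
}

# audit_tag TAG: report tagged files that are missing or that carry any
# group/other permission bit. Returns 1 if anything was reported.
audit_tag() {
    tagged_files "$1" | (
        rc=0
        while IFS= read -r f; do
            if [ ! -e "$f" ]; then
                echo "MISSING $f"; rc=1; continue
            fi
            # Characters 5-10 of the ls mode string are the group and
            # other permission bits; "------" means owner-only access.
            perms=$(ls -ld -- "$f" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "EXPOSED $perms $f"; rc=1
            fi
        done
        exit "$rc"
    )
}

# Typical use:  tracker-tag -t -s | audit_tag TLP:RED
```

A non-zero return code makes the check easy to run from cron or a configuration-management job and alert when a highly classified file drifts away from owner-only permissions.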
To conclude this diary, my advice is to keep in mind that data classification will get more and more focus in the near future. Be ready to kick off such a project inside your organization. And you? Did you already implement data classification? Do you have plans? Please share your tips.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant