security (ranjith ravindran/


Security depends on data classification

What: A brief on a risk-based cybersecurity approach for state government data, “Better Data Security Through Classification: A Game Plan for Smart Cybersecurity Investments,” from the National Association of State CIOs

Why:  With 48 states having laws on the books related to notifying the public about security breaches and 31 requiring some type of encryption on personal information, data security is a key requirement for virtually all state agencies. By identifying, organizing and classifying data, states can lay the groundwork for risk assessments, according to NASCIO’s Cybersecurity Committee and Data Protection Working Group.

Findings:  To adequately protect data, states must understand what data they possess and take steps to protect it based on its value and level of sensitivity. In the first part of a two-part framework for the identification and classification of a state’s data, NASCIO recommends four categories of data:

  • Critical data is so necessary that in its absence important business cannot continue normally, e.g. property records for county governments or voter registrations for state governments.
  • Sensitive data is that which if obtained by or exposed to the wrong people, the outcome can be harmful to persons, e.g. tax records or bank statements.
  • Protected health information includes personal medical information that could lead to discrimination if it is revealed publicly or to a malicious person.
  • Personally identifiable information is generally information collected by financial and similar institutions which, if compromised, can lead to identity theft, financial harm or both.

States should follow a game plan when classifying their data for risk assessments, NASCIO said.  First, they must ensure data classification is part of their cybersecurity enterprise architecture and has support from top executives.  Second, the initiative needs a surveyor, or someone who can understand the scope of the state’s data resources and work with database managers on classification efforts. Lastly, states should understand what compliance and risk assessment initiatives will benefit from classification.

Takeaway: Data classification allows states to better protect their data by aligning security controls and protections levels according to its value and sensitivity.

More: Read the full brief here.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected