

Security depends on data classification

What: A brief on a risk-based cybersecurity approach for state government data, “Better Data Security Through Classification: A Game Plan for Smart Cybersecurity Investments,” from the National Association of State CIOs

Why:  With 48 states having laws on the books related to notifying the public about security breaches and 31 requiring some type of encryption on personal information, data security is a key requirement for virtually all state agencies. By identifying, organizing and classifying data, states can lay the groundwork for risk assessments, according to NASCIO’s Cybersecurity Committee and Data Protection Working Group.

Findings:  To adequately protect data, states must understand what data they possess and take steps to protect it based on its value and level of sensitivity. In the first part of a two-part framework for the identification and classification of a state’s data, NASCIO recommends four categories of data:

  • Critical data is so necessary that in its absence important business cannot continue normally, e.g. property records for county governments or voter registrations for state governments.
  • Sensitive data is data that, if obtained by or exposed to the wrong people, can result in harm to persons, e.g. tax records or bank statements.
  • Protected health information includes personal medical information that could lead to discrimination if it is revealed publicly or to a malicious person.
  • Personally identifiable information is generally information collected by financial and similar institutions which, if compromised, can lead to identity theft, financial harm or both.

States should follow a game plan when classifying their data for risk assessments, NASCIO said.  First, they must ensure data classification is part of their cybersecurity enterprise architecture and has support from top executives.  Second, the initiative needs a surveyor, or someone who can understand the scope of the state’s data resources and work with database managers on classification efforts. Lastly, states should understand what compliance and risk assessment initiatives will benefit from classification.

Takeaway: Data classification allows states to better protect their data by aligning security controls and protection levels with its value and sensitivity.

More: Read the full brief here.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Follow Friedman on Twitter @SaraEFriedman.
