By identifying, organizing and classifying data, states can lay the groundwork for reducing the number of possible breaches, NASCIO finds.
What: A brief on a risk-based cybersecurity approach for state government data, “Better Data Security Through Classification: A Game Plan for Smart Cybersecurity Investments,” from the National Association of State CIOs
Why: With 48 states having laws on the books related to notifying the public about security breaches and 31 requiring some type of encryption on personal information, data security is a key requirement for virtually all state agencies. By identifying, organizing and classifying data, states can lay the groundwork for risk assessments, according to NASCIO’s Cybersecurity Committee and Data Protection Working Group.
Findings: To adequately protect data, states must understand what data they possess and take steps to protect it based on its value and level of sensitivity. In the first part of a two-part framework for the identification and classification of a state’s data, NASCIO recommends four categories of data:
- Critical data is so necessary that in its absence important business cannot continue normally, e.g. property records for county governments or voter registrations for state governments.
- Sensitive data is that which if obtained by or exposed to the wrong people, the outcome can be harmful to persons, e.g. tax records or bank statements.
- Protected health information includes personal medical information that could lead to discrimination if it is revealed publicly or to a malicious person.
- Personally identifiable information is generally information collected by financial and similar institutions which, if compromised, can lead to identity theft, financial harm or both.
States should follow a game plan when classifying their data for risk assessments, NASCIO said. First, they must ensure data classification is part of their cybersecurity enterprise architecture and has support from top executives. Second, the initiative needs a surveyor, or someone who can understand the scope of the state’s data resources and work with database managers on classification efforts. Lastly, states should understand what compliance and risk assessment initiatives will benefit from classification.
Takeaway: Data classification allows states to better protect their data by aligning security controls and protections levels according to its value and sensitivity.
More: Read the full brief here.
NEXT STORY: Lean, mean cyber secure machines