Data classification and grading

1. Data classification and grading implementation standards

On December 31, 2021, the Secretariat of the National Information Security Standardization Technical Committee (TC260) issued the "Network Security Standard Practice Guidelines - Guidelines for Network Data Classification and Grading", which sets out the principles, framework and methods for classifying and grading data.

2. Definition of data classification and grading

Data classification and grading is a term of art in data security governance. As the name says, it actually covers two separate activities:

(1) Data classification

Data classification is the first step in data asset management. Whether the task is cataloguing and standardizing data assets, confirming ownership and managing them, or providing data asset services, effective classification comes first.

Classification is easy to understand: it groups data with the same attributes or characteristics into categories, so that people can query, identify, manage, protect and use data by category. Classification is done mostly from a business or data management perspective, along dimensions such as industry, business domain, data source, sharing status and openness. Along each dimension, data with the same attributes or characteristics is grouped according to agreed principles and methods.

(2) Data grading

Data grading assigns data a level, according to agreed principles and methods, based on its sensitivity and on the impact on the affected party if the data is tampered with, destroyed, leaked or illegally used. Grading is done mostly from the perspective of security compliance and data protection requirements; it would be more accurate to call it data sensitivity grading. In essence, grading is classification along the sensitivity dimension.

Grading is never separated from classification. That is why, in data security governance and data asset management, the two are treated together under the single term data classification and grading.

3. Principles of data classification and grading

Data classification and grading follow the idea of classified management and tiered protection, and are carried out according to the following principles:

1. Legal compliance principle:

Classification and grading should follow the relevant laws, regulations and departmental requirements, and should first identify and manage data that is subject to special national or industry management requirements, so that the corresponding data security management requirements are met.

2. Multi-dimensional classification principle:

Data can be classified from several perspectives and dimensions; from the standpoint of data management and use it can be viewed at the national, industry and organizational level.

3. Clear grading principle:

The purpose of grading is to protect data. Each level should have clear boundaries, and data at different levels should receive different protection measures.

4. High-strictness principle:

When grading, err on the high side. For example, if a data set contains data items of several levels, the whole set is graded at the highest level among its items.

5. Dynamic adjustment principle:

The category and level of a piece of data can change over time, with policy changes, after security incidents, with the sensitivity of different business scenarios, or under different industry rules. Classification and grading therefore need to be reviewed regularly and adjusted promptly.

4. The method of data classification

To establish an applicable and scientific classification system, an enterprise may need to evaluate all of its data, including the value of the data and the risk carried by sensitive data. The questions to clarify during classification include:

  • Criticality: how important is the data to the day-to-day operations and business of the enterprise?
  • Availability: can the business obtain and access the data it needs in time, and is the data it accesses reliable?
  • Sensitivity: what is the potential business impact if the data is compromised?
  • Integrity: has the data been lost or tampered with in storage or transmission, and what is the impact on the business?
  • Compliance: how long must the data be archived or retained under laws, company policies, regulatory requirements or industry standards?

After a thorough inventory of the organization's data, classify it from a business perspective according to the requirements of data management and use. For example, a local government might classify its data as follows:

  • By application scenario of digital government: economic regulation data, market supervision data, public service data, social management data, ecological and environmental protection data, etc.
  • By data source: government department data, enterprise and legal person data, population data, etc.
  • By sharing attribute: unconditionally shared data, conditionally shared data, non-shared data, etc.
  • ...

Different organizations and business scenarios classify data differently. To meet an enterprise's various business needs, several classification systems may have to coexist.

5. The method of data grading

When a company's grading process is too complex or too arbitrary, data management tends to become increasingly chaotic. Grading does not have to be complicated. In practice, the best approach is to start with 3 or 4 levels based on sensitivity or impact, and only then add finer-grained levels driven by the organization's specific data, compliance requirements or other business needs.

By sensitivity level (level, sensitivity, judgment criterion):

  • Level 1, public data: information that can be obtained and accessed freely, without restriction or adverse consequences, such as marketing materials, contact information, customer service contracts and price lists.
  • Level 2, internal data: data with low security requirements that is nonetheless not meant to be exposed, such as customer data, sales brochures and organizational charts.
  • Level 3, secret data: sensitive data whose compromise could negatively affect operations, including harm to the company, its customers, partners or employees; for example supplier information, customer information, contract information, employee information and salary information.
  • Level 4, confidential data: highly sensitive company data whose breach could expose the organization to financial, legal, regulatory and reputational risk; examples include customer identification information, personal identification and credit card information.

By degree of impact (level, impact, judgment criterion):

  • Level 1, no impact: after the data is destroyed there is no impact on the business or on individuals.
  • Level 2, slight impact: after the data is destroyed there is an impact on the enterprise or individuals, but its scope is limited and the losses are controllable.
  • Level 3, significant impact: after the data is destroyed, the enterprise or individuals suffer important business, economic and reputational consequences.
  • Level 4, serious impact: after the data is destroyed, not only are enterprises and individuals affected, but national security is also put at risk.

6. Data classification and grading technology

There are generally three approaches to classification and grading:

  • Manual: all classification and grading is done by people. This is the traditional and still most common approach.
  • Automatic: data is classified and graded by the system, using technologies such as labeling (tagging) systems, knowledge graphs and machine learning. A technology-driven solution reduces human error and the cost of manual work, and because it runs around the clock it keeps labels current as data changes.
  • Human + machine (hybrid): in many cases a combination of people and tooling is needed. Human review supplies the business context for a label, while tools provide efficiency and consistent policy enforcement.
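As an added example (not from the original post or the TC260 guideline), the following Python script combines two of the technical points above: automatic labelling of columns by field name and by content, with a human override, and the high-strictness rule from section 3, under which a data set takes the highest level of any field it contains. The level numbers follow the 4-level sensitivity table in section 5; the field-name keywords, the regular expressions, the Luhn check, the majority threshold and the sample data set are all assumptions made for this example.

```python
"""Rule-based data labelling with the 'grade at the highest level' rule.

Added example for this article. Level numbers follow the 4-level
sensitivity table (1 public, 2 internal, 3 secret, 4 confidential);
every rule, threshold and sample value below is a constructed assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

LEVEL_NAMES = {1: "public", 2: "internal", 3: "secret", 4: "confidential"}
DEFAULT_LEVEL = 2  # unknown fields are treated as internal, never as public


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a 16-digit order reference is not mislabelled as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Field-name rules (hypothetical policy): substring of column name -> label, level.
NAME_RULES: List[Tuple[str, str, int]] = [
    ("card", "payment_card", 4),
    ("id_number", "national_id", 4),
    ("salary", "salary", 3),
    ("email", "contact_email", 3),
    ("price", "price_list", 1),
]

# Content rules, applied to cell values when the name tells us nothing:
# (label, level, regex, extra validator).
CONTENT_RULES = [
    ("payment_card", 4, re.compile(r"^(?:\d[ -]?){13,19}$"),
     lambda v: luhn_ok(re.sub(r"\D", "", v))),
    ("contact_email", 3, re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
     lambda v: True),
]


def grade_column(name: str, values: List[str]) -> Tuple[str, int]:
    """Label one column: field name first, then sampled content."""
    lname = name.lower()
    for key, label, level in NAME_RULES:
        if key in lname:
            return label, level
    for label, level, pattern, valid in CONTENT_RULES:
        hits = sum(1 for v in values if pattern.match(v) and valid(v))
        # a majority of samples must match, so one stray value does not relabel a column
        if hits and hits * 2 >= len(values):
            return label, level
    return "unclassified", DEFAULT_LEVEL


def grade_dataset(columns: Dict[str, List[str]],
                  overrides: Optional[Dict[str, int]] = None
                  ) -> Tuple[int, Dict[str, Tuple[str, int]]]:
    """Grade every column, apply analyst overrides (the human half of the
    hybrid approach), and grade the data set at the highest column level."""
    overrides = overrides or {}
    result: Dict[str, Tuple[str, int]] = {}
    for name, values in columns.items():
        label, level = grade_column(name, values)
        if name in overrides:           # reviewer decision wins over the machine label
            label, level = "manual:" + label, overrides[name]
        result[name] = (label, level)
    dataset_level = max(level for _, level in result.values())
    return dataset_level, result


# Constructed sample: a CSV-like export with a few columns of each kind.
SAMPLE_DATASET: Dict[str, List[str]] = {
    "product_price": ["19.90", "29.90", "99.00"],
    "order_ref": ["1234567890123456", "1234567890123457"],    # 16 digits, fail Luhn
    "payment_card": ["4111111111111111", "4242424242424242"],  # test numbers, pass Luhn
    "notes": ["call back Monday", "john@example.com", "jane@example.com"],
}

if __name__ == "__main__":
    level, cols = grade_dataset(SAMPLE_DATASET)
    for name, (label, lvl) in cols.items():
        print(f"{name:15s} {label:15s} level {lvl} ({LEVEL_NAMES[lvl]})")
    print("data set level:", level, LEVEL_NAMES[level])
    # An analyst marks the notes column as internal; the card column still keeps the set at 4.
    level2, _ = grade_dataset(SAMPLE_DATASET, overrides={"notes": 2})
    print("with override :", level2, LEVEL_NAMES[level2])
```

Two design choices matter in practice. Unknown columns default to internal rather than public, which is the high-strictness principle applied to the gaps in the rule set. And the content check requires a majority of sampled values to match, with a checksum on candidate card numbers, because a single false positive would otherwise raise the whole data set to confidential and erode trust in the automatic labels; the override dictionary is where a reviewer corrects the machine when context says otherwise.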

Origin blog.csdn.net/watson2017/article/details/126388340