Every financial institution should have a data classification policy that defines classes of data based on risk. The policy should also define how each class of data is handled throughout its life, including how it is stored, accessed, transmitted and disposed. This week we will provide some tips on how to create a data classification policy.
- Keep Classification Simple: Remember that you will want your employees to remember what the classifications are, so you want to make sure they are clear and simple. We recommend trying to stick with three classes of data and naming these classes descriptively. At the lowest classification you will have data that can be shared publicly with no risk, so use “public” as the name of this classification to make this clear. At the other end of the spectrum is the “confidential” classification; data (including customer information) that should never be shared without permission because disclosure can put the existence of the institution at risk. Between those two extremes, you can use “internal” for internal data that can be shared by employees with others as part of doing business.
- Define Storage Policies: For each classification, define a storage policy that describes how the data must be protected while being stored electronically or in paper form. Common policy statements regarding storage of confidential data are that only those with a need to access the data will be given permission to it; that all confidential data must be encrypted at rest; and that all paper copies of confidential data will be kept in a secure location. Make sure that the storage policy includes encryption and storage location of server backup media.
- Define Sharing Policies: You should define how data can be shared at each classification level. Be sure to clearly define who needs to approve the sharing of confidential data. Also make it clear that you state that any shared confidential data needs to be encrypted while being transmitted.
- Define Retention Policies: You should have and enforce a retention policy for each data classification to ensure that the amount of data that needs to be protected is manageable and that stale data will not be exposed if a breach does occur. Be sure to consider all applicable laws when defining these retention policies, as there may be some types of data that need to be retained for an extended period of time or even indefinitely.
- Define Disposal Policies: Be sure that your data classification policy defines how data needs to be disposed at each level. The policy needs to state that confidential data be securely disposed by shredding paper or physically destroying media to make it unreadable.