Data classification is a term not usually associated with small businesses. It tends to evoke thoughts of the red tape and inconvenience that small businesses try to avoid. In reality, some essential elements of data classification can be put in place at a small business with much less cost and effort than you might think.
The first step is to know what you have. Gather a cross-section of the company, including people from different departments and job roles. Brainstorm about the types of data that the company has and create a list. Next, group each data type into one of the following categories based on its sensitivity and availability. Sensitivity is concerned with the impact that disclosure of the data to unauthorized persons would have; availability is concerned with the impact of a lack of access to the data.
The simplest mapping would include four areas, but I would recommend using at least a high, medium, low model with nine areas at a minimum, and more for more complex environments.
- High sensitivity, high availability
- High sensitivity, low availability
- Low sensitivity, high availability
- Low sensitivity, low availability
Now that you have each data type in a category, label the categories and create a policy that outlines the data in each category and how it should be protected. Then put together a plan to implement security controls that meet the requirements in the policy.