The National Institute of Standards and Technology (NIST)
What is NIST?
NIST, the National Institute of Standards and Technology, is a non-regulatory agency of the United States Department of Commerce. NIST has published the Cyber Security Framework, voluntary guidance built on existing standards, guidelines, and practices that helps organizations manage and reduce cybersecurity risk.
To whom does the NIST Cyber Security Framework apply?
There is no formal compliance regime for the NIST Cyber Security Framework: it is voluntary guidance that any organization may adopt and adapt as it sees fit. A company can, in other words, meet the cybersecurity practices set out in the framework without being "NIST compliant" in any certified sense. Confusing as that may be, the framework can be used by anyone as a guide to implementing sound cybersecurity practices.
What does NIST say about data classification?
Under Identify -> Asset Management, subcategory ID.AM-5 states that resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value. Because data and information are assets, they must be classified to determine their criticality and business value.
Where else could data classification be relevant?
ID.RA-1: Asset vulnerabilities are identified and documented. Data classification helps determine which assets, or in some cases liabilities, lie hidden in documents. Having all documents classified and labeled according to confidentiality reveals the risk the company is carrying.
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. To control access to resources and information assets effectively, you must classify documents by their confidentiality level. Only then can the organization get an overview of where confidential information lives and restrict access to it.
PR.DS-1: Data-at-rest is protected. Data classification helps safeguard data according to its criticality.
PR.DS-2: Data-in-transit is protected. Data classification helps safeguard data according to its criticality.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition. Data classification helps protect data according to its criticality and lets you remove confidential information that no longer has any value.
PR.DS-5: Protections against data leaks are implemented. Once unstructured data is classified, you can apply appropriate protection to the critical information and anticipate where data leakage could occur.
PR.IP-6: Data is destroyed according to policy. Data with high confidentiality criticality may have a different retention policy than less critical information, because it can become a liability. For example, personally identifiable information (PII) must be deleted when you no longer have a justifiable reason for keeping it. Having classified your unstructured documents helps you identify those you can and should delete.
DE.AE-4: Impact of events is determined. Having classified your unstructured data by confidentiality helps you assess an event's impact. The impact is far greater if someone gained access to a machine holding many confidential documents than to a device holding only public records.
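The subcategories above all consume the same input: a confidentiality label on each document. The following added example (not from the page's author or from NIST) shows how one label inventory can drive three of them at once: a least-privilege access check (PR.AC-4), a retention review that flags lapsed or unjustified PII (PR.IP-6), and a rough impact score for a compromised host (DE.AE-4). The label ordering, retention windows, sample documents and host names are all constructed assumptions.

```python
"""Classification-driven checks: constructed example, not NIST guidance."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Assumed confidentiality scale; higher index means more sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed retention windows in days after the last justified need.
# None means the label itself imposes no automatic limit.
RETENTION_DAYS = {"restricted": 365, "confidential": 730, "internal": None, "public": None}
PII_DEFAULT_DAYS = 365  # assumption: PII always has a finite window


@dataclass(frozen=True)
class Document:
    path: str
    label: str
    host: str
    last_needed: date          # last date a business justification was recorded
    contains_pii: bool = False


def can_access(clearance: str, doc: Document) -> bool:
    """PR.AC-4: a principal may read only documents at or below its clearance."""
    if doc.label not in RANK or clearance not in RANK:
        raise ValueError("unknown classification label")
    return RANK[clearance] >= RANK[doc.label]


def retention_candidates(docs: Iterable[Document], today: date) -> List[str]:
    """PR.IP-6: paths whose retention window has lapsed.

    PII without a label-imposed limit still gets the default PII window,
    because PII must go once there is no justification for keeping it.
    """
    flagged = []
    for d in docs:
        limit: Optional[int] = RETENTION_DAYS.get(d.label)
        if d.contains_pii and limit is None:
            limit = PII_DEFAULT_DAYS
        if limit is not None and today - d.last_needed > timedelta(days=limit):
            flagged.append(d.path)
    return flagged


def impact_score(docs: Iterable[Document], compromised_host: str) -> int:
    """DE.AE-4: sum of label ranks for documents on the compromised host,
    so a host full of restricted documents scores far above one with public files."""
    return sum(RANK[d.label] for d in docs if d.host == compromised_host)


# Constructed inventory; paths and hosts are placeholders.
SAMPLE = [
    Document("share/press/release.txt", "public", "web01", date(2020, 1, 1)),
    Document("share/hr/salaries.xlsx", "confidential", "fs01", date(2022, 1, 1), contains_pii=True),
    Document("share/legal/merger.docx", "restricted", "fs01", date(2024, 3, 1)),
    Document("share/it/runbook.md", "internal", "fs01", date(2021, 1, 1)),
    Document("share/marketing/leads.csv", "internal", "web01", date(2022, 1, 1), contains_pii=True),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("delete candidates:", retention_candidates(SAMPLE, today))
    print("impact if fs01 is compromised:", impact_score(SAMPLE, "fs01"))
    print("impact if web01 is compromised:", impact_score(SAMPLE, "web01"))
    print("internal user reads salaries?", can_access("internal", SAMPLE[1]))
```

In practice the label would come from a document-labeling tool or metadata store rather than a hard-coded list, and the retention windows from the organization's own policy; the point is that one consistent label feeds access control, disposal and impact assessment alike.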
Summary: Only one subcategory refers directly to data classification, but having classified your unstructured information and documents helps you meet several other subcategories as well.