Data Classification
Sun, 30 Sep 2018 || By Kevin Iskandar Putra

The far-reaching effect of digitalization on our daily lives lets us make fuller use of digital technology to classify and store data in the cloud. Read the critical questions below to find out more about the urgency of data classification!


How could data classification benefit the users?

To begin with, data classification gives users, ranging from government institutions and private companies to industries and other organizations, the tools to label, store, and dispose of their data according to their needs. Classification is essential for deciding which services and technologies will operate on the data being stored. Data classification adopts the CIA concept of Confidentiality, Integrity and Availability in data storage. ‘Confidentiality’ deals with how authentic the data is and who is authorized to access the sensitive data[1]. ‘Integrity’ encompasses data content, which needs to be consistent and accurate, whereas ‘availability’ indicates the need for foolproof storage, a suitable storage type, and provisions for disaster recovery and a backup plan. While it is true that data classification could prevent potential losses from a data breach by adversaries, issues pertaining to its regulation and reliability still pose a major challenge.


What methods or categories do we use to classify data?

Protecting all data, every bit of it, sounds very idealistic. Many IT scholars and practitioners working in the cyber security field would agree with that. However, we might be able to achieve the goal of protecting our data with data classification. To classify data, an organization will ideally adopt a risk-based security approach, deciding what to prioritize first. To maximize its usefulness, data classification needs to strike a balance between risk, cost and convenience. Generally, data will be categorized as public-use, confidential or restricted, and sometimes a hybrid between these two. This method groups objects based on their value, sensitivity or criticality to the organization.


How does the Indonesian Government regulate data classification?

The Indonesian Government Regulation No. 82 Year 2012 about “Electronic System and Transaction Operation (PP PSTE)” lays down the legal provisions requiring government and organizations to conduct data classification. Despite the establishment of this regulation, Indonesia is yet to have a robust legal basis for data classification. As evidence, regulations such as UU No. 11 Year 2018 as well as UU 19 Year 2016 and its derivatives do not explicitly define what constitutes ‘data’[2]. A reference is always made to the Electronic Information and Transactions (ITE) Law, under which ‘electronic data’ is part of ‘electronic information’, such as texts, audio, pictures, designs, photos, and telegrams. According to the risk associated with disclosure, Indonesian National Archive No. 2 Year 2014 categorizes data as top secret, confidential, restricted, and open for public.


What can we reflect on from Indonesia’s experience in regulating the classification of data?

According to the PP PSTE, the instruction to place the database and disaster recovery center in Indonesia does not include a specific reference to the data that needs protection. The Information System established by the Ministry of Communication and Information has yet to elaborate its categories of Strategic Information System, High Information System, and Low Information System.

The leakage of any information categorized in the Strategic Information System would endanger the survival of the country, as it includes intelligence data, food security and safety, identity numbers and family numbers[3]. The lower-risk category could implement the ‘outsourcing’ of open-for-public data, whereas low-risk strategic information is allowed to be stored anywhere. In a similar vein, it is not as necessary to store user-sensitive data, or the High Information System, in the Indonesian database for privacy purposes.

Drawing from the ideas presented above, it becomes evident that we need to establish a clear provision regarding data classification in government regulations. Data classification is crucial in determining the effort, money and resources to allocate to protecting data and controlling access to it. Thus, proper categorization is imperative as the basis for the initial baseline set of security controls.

Improving the competency of the Information and Technology institution would be necessary to anticipate internal cracking. These efforts, put together, will help to prevent data breaches of critical national infrastructure that could put the nation at risk.

What next? In data classification, Indonesia should establish a comprehensive procedure for securing specific information in each sector, for example in education, healthcare, and social services. Learning from Connecticut, one US Federal State that is very advanced in classifying information, we should set up our law enforcement on a firm basis. A similar reference to a specific regulation could help to resolve any potential breach; Connecticut, for example, refers to NIST SP 800-60 Vol II, which regulates the procedures for criminal arrest in one of the Government’s 26 vital sectors[4]. If Indonesia can adopt a similar method, we can optimize the effort to secure classified data.

Editor: Lia Wulandari & Treviliana Eka Putri

