Whenever a bug report comes in, I subconsciously classify it according to how it impacts the customer’s ability to derive value from the product.
Many software development companies have policies that formalize such classifications, e.g. into critical, high, medium, and low priority.
One can take that very far, as the Common Weakness Scoring System (CWSS) does for scoring security weaknesses.
Classifications are useful, because they compress a vast set of possibilities into a small set of categories. This makes it easier to decide what to do.
Classification applied to data stored in computer systems is called data classification. There are different reasons for classifying data.
One is to determine appropriate access control policies. It is wasteful to protect all your information at the highest level, so you want to divide up your data into a small number of buckets and take measures that are appropriate for each bucket.
Another important use case of data classification is to drive compliance efforts. If you process health care data, for instance, you may have to comply with the Health Insurance Portability and Accountability Act (HIPAA). This data requires different controls to be put in place than credit card data that is covered by PCI DSS.
Data in the Cloud
Things get more interesting in the cloud.
As a cloud user, you are still subject to the same laws and regulations as before, but now you’ve given away part of the control to your cloud provider. This means you have to make sure that they implement the required controls.
If the regulations you must comply with come with assessments, then those must extend to the cloud provider. Many cloud providers will not allow you to come in and do such assessments yourself, but they may allow assessments from third parties, like TRUSTe for a Safe Harbor assessment.
As a cloud provider, you will want to implement as many controls as possible, to support the maximum number of laws and regulations that your customers must comply with.
Both parties benefit from clear contracts. Part of such a contract may be a Data Protection Agreement that lists the duties of both parties in classifying and properly protecting data to meet security requirements and regulations.
If you’re unsure how to do all of this right, then you may want to look for guidance from the Cloud Security Alliance (CSA).