Gerard Curtin, CEO, PixAlert


A Common Sense Approach To Risk Management

Information within an enterprise has experienced rapid growth in volume, variety and velocity, and organisations face constant pressure to provide faster access at any time, from any location and from any device. However, not all information has the same value to the organisation – and therefore different classes of information represent different risks with respect to confidentiality, integrity and availability. Classifying or segmenting enterprise information helps to ensure not only that the appropriate levels of policies, controls and resources are in place, but also that these investments are delivering an appropriate level of value to the business in return.

This is according to a recent Analyst Insight report from Aberdeen Group which outlines the benefits of classifying data in order to protect it effectively. The report, titled Does Your Enterprise Classify Its Data?, analyzes over five years of data loss prevention (DLP) research by Aberdeen, and concludes that data classification is a capability that is consistently linked with the best performing organisations in the area of data loss prevention.

‘Aberdeen’s research has consistently shown that there are several general steps which are associated with top performance when it comes to protecting sensitive enterprise data,’ according to Aberdeen’s Vice President and Research Fellow, Derek Brink. ‘These include identification and classification of your data – because you can’t protect what you don’t manage, and you can’t manage what you don’t know about.’

Success Steps for Safeguarding Sensitive Enterprise Data:

Over the last five years, Aberdeen research has consistently shown that the following steps are among those correlated with top performance at safeguarding sensitive enterprise data:

  • Identify and classify your data – you can’t protect what you don’t manage, you can’t manage what you don’t know about.
  • Prioritise security control objectives – as a function of risk, audit and compliance requirements.
  • Establish consistent policies – as part of an overall approach to safeguarding sensitive data, both data at rest and in motion across the network.

Users are responsible for their own data, and are educated on corporate policy while they work. Aberdeen’s research reiterates this by noting that end-user involvement is a critical component of a successful data loss prevention initiative.

When it comes to their data loss prevention initiatives, Aberdeen’s latest research has shown that the top performers tend to be pragmatists about getting started. For example, they may not devote a great deal of energy to identifying and discovering all of the data throughout their entire enterprise, because in many cases they already know where a great deal of their most sensitive data is – such as their centralized file shares, which are popping up throughout the enterprise in support of increased collaboration.

Similarly, classification of all their data is not necessarily a prerequisite to getting started. Often the most pressing business requirement may be monitoring and filtering with the objective of addressing requirements for regulatory compliance (e.g., PCI DSS for the protection of payment card data, or HIPAA for the protection of patient medical records). For others, it may be the unstructured data (e.g., documents, diagrams, spreadsheets, product designs) that comprises an organisation’s intellectual property. In any case, it may not always be practical or worthwhile to invest limited IT resources looking backwards through many years of historical records to achieve 100% classification.

For these and other reasons, taking a common-sense approach to the risk management equation generally makes sense: focus your initial efforts where the value of the information, the probability of occurrence of data loss or data exposure, and the total financial impact of each potential occurrence are highest, and expand the initiative over time.

In five separate studies on data loss prevention conducted over five consecutive years, Aberdeen’s research has shown that data classification is a capability which is consistently correlated with the achievement of top performance. Compared to the lagging performers, the leading performers in each study are between 1.5 and 3 times more likely to indicate that data classification is a current capability. For full details, see the Aberdeen Group Analyst Insight Does Your Enterprise Classify Its Data? (January 2012).

About PixAlert

PixAlert’s Data Classification Solution helps businesses to discover sensitive information and apply client-specific classification controls which enable data to be appropriately stored, handled and secured in accordance with business value and sensitivity requirements. PixAlert’s Data Audit Solutions help to reduce risk, maintain compliance and safeguard corporate reputation through proven, market-leading data discovery technologies.

Article References:

Aberdeen Group Analyst Insight – Does Your Enterprise Classify Its Data? (January 2012)