Gerard Curtin, CEO, PixAlert

DATA CLASSIFICATION – Protecting the Crown Jewels

If you know you’ve got valuables, you install an alarm system and ensure that entry and exit points are fully secure – shouldn’t you at least do the same for your data?

Increasingly, data classification is being deployed as an effective means to help address risks and enable compliance. An enterprise that implements an efficient data classification programme can understand what data it has, recognise its importance and make informed decisions about how it should be managed, handled and stored. This allows companies to realise a range of benefits that can save time and resources while reducing legal vulnerabilities associated with data leakage.

Data classification serves compliance and risk management requirements, as critical data can be identified and protected to meet compliance audits or legal discovery tasks. Another important benefit is cost savings, as the process enables less important data to be migrated or deleted from network storage. By identifying the data that will benefit most from classification and moving it to a location that provides the best storage performance for indexing tasks, it helps organisations distinguish mission-critical information and focus on procedures for securing that essential data.

The process essentially assigns a level of sensitivity to data used by an organisation, allowing companies to organise their information in a way that corresponds to their specific business needs and values. While classification systems vary depending on users' requirements, most apply levels corresponding to the following definitions: secret, confidential, restricted (or sensitive) and unclassified.

Management must often spearhead the classification effort, with input from every department, as data classification is not solely an IT function. While applications exist that can help with data classification, ultimately it is a subjective business and is often best done as a collaborative task that considers business, technical and other perspectives.

Justifying a Data Classification Initiative

  • Understand what is realistically achievable: break the project down into smaller, targeted and manageable pieces with regular reviews and implementation goals.
  • Set the bar at a realistic height: if there is likely to be resistance within an organisation, opt for a simpler scheme rather than one that is overly complex and so likely to cause resistance among users.
  • Approve a data classification strategy: enforce the strategy even if full implementation is delayed. Then, if confidential information is inadvertently disclosed, the security program can point to the classification strategy and push accountability to the line-of-business managers who have not yet implemented it.
  • Use regulation to push the business case: increased legislation is one of the most effective drivers that can be used by a security program. Reference these regulations to raise awareness of the need for data classification and to give the security program the support it needs to be implemented.

Enterprise data cannot be adequately protected if there's no way of tracking its location, value and sensitivity; business needs and risk tolerance should therefore be the driving forces behind data classification initiatives. It has been suggested that data classification offers more benefit to larger companies with adequate resources and expertise to manage such an undertaking. However, even small companies can benefit from data classification if they deal with compliance needs and government regulatory requirements.

Benefits of a Data Classification Programme

  • Helps management prioritise levels of controls required for data protection - having a data classification program in place that includes appropriate levels of controls for various classification levels helps leadership make more effective investment decisions to meet internal and external control expectations.
  • Align and rationalise controls - establish controlled practice through defined levels of protection for information assets that manage data accessibility and ownership through a clear user policy framework.
  • Reduce costs associated with less sensitive data - frequently, when data classification is developed, organisations realise that they are not only UNDER-controlling their most sensitive data, but often wasting resources OVER-controlling less sensitive data. The process helps to optimise storage resources by eliminating data with no value.
  • Improve enterprise security environment - ensure that data is used as consistent and timely business information aligned to business priorities and the management of data assets.

There is no fast track to data classification, but there are solid arguments for why it should be undertaken properly using a manageable, automated and client-specific procedure. The raison d’être for implementing a classification initiative should be the strategic benefits of prioritising and optimising the value of the information that organisations hold, access and manage. In making this leap of faith, an organisation will begin to reap the lasting benefits of data classification as a strategic and necessary data security control.

About PixAlert

PixAlert deploy world-class scalable enterprise content audit solutions which help organisations to discover where unsecured, unstructured sensitive information and inappropriate images reside on corporate networks and email correspondence. PixAlert’s Data Classification Solution helps businesses to discover sensitive information and then apply client-specific classification controls which enable data to be appropriately stored, handled and secured in accordance with business value and sensitivity requirements. PixAlert’s data solutions help to reduce risk, maintain compliance and safeguard corporate reputation through proven market-leading data discovery technologies.

Author: Gerard Curtin, CEO, PixAlert - March 2012
