True North Networks Blog
7 Steps to Effective Data Classification
In today’s security landscape, data protection is not just a legal necessity; it is critical to organizational survival and profitability.
Storage is cheap, and organizations have become data hoarders. One day — they think — they’ll get around to mining all of that data for something useful. But data hoarding can cause serious issues. Much of what is collected may be redundant, obsolete, trivial (ROT) or unknown (dark), and hasn’t been touched in years.
Storage may be cheap, but it’s not free. Storing massive amounts of data unnecessarily increases costs and, more importantly, it puts your organization at risk: every copy of a record you keep is one more copy that can be breached, subpoenaed or leaked.
Sensitive information that is stored digitally — including intellectual property, personally identifiable information (PII) about customers or employees such as Social Security numbers, protected health information (PHI) and financial account information and credit card details — needs to be properly secured. You cannot protect data you cannot find: your organization is not secure if locating important data is like looking for a needle in a haystack.
Keys to Success
While data classification is the foundation of any effort to ensure sensitive data is handled appropriately, many organizations fail to set the right expectations and approach. This leads implementations to become overly complex and fail to produce practical results.
There are 7 steps to effective data classification:
- Complete a risk assessment of sensitive data. Ensure a clear understanding of the organization’s regulatory and contractual privacy and confidentiality requirements and define your data classification objectives through an interview-based approach that involves key stakeholders, including compliance, legal and business unit leaders.
- Develop a formalized classification policy. Resist the urge to get too granular, as granular classification schemes tend to cause confusion and become unmanageable. Three to four classification categories (for example Public, Internal, Confidential and Restricted) is a reasonable number. Solidify employees’ roles and responsibilities. Policies and procedures should be well-defined, aligned with the sensitivity of specific data types, and easily interpreted by employees.
- Categorize the types of data. Determining what types of sensitive data exist within your organization can present challenges. It is an effort that should be organized around business processes and driven by process owners. Consider each business process: tracking the flow of data provides insight into what data needs to be protected, and how it should be protected. Consider the following questions:
  • What customer and partner data does your organization collect?
  • What data do you create about them?
  • What proprietary data do you create?
  • What transactional data do you deal with?
  • Of all the collected and created data, what is confidential?
- Discover the location of your data. After establishing the types of data in your organization, it’s important to catalog all of the places data is stored electronically. The flow of data into and out of the organization is a key consideration. How does your organization store and share data internally and externally? Do you use cloud-based services like Dropbox, Box, OneDrive, etc.? What about mobile devices?
Data discovery tools can help generate an inventory of unstructured data and help you understand exactly where your company’s data is stored, regardless of the format or location. These tools also help address difficulties around identifying data owners by providing insights about the users who are handling data. In your discovery efforts, you can incorporate keywords or specific types or formats of data, such as medical record numbers, Social Security numbers or credit card numbers. Pattern matching alone produces false positives (a 16-digit order number looks like a card number), so good discovery tooling validates candidates, for example with a Luhn checksum for card numbers, before reporting them.
- Identify and classify data. Only after you know where your data is stored can you identify and then classify it, so it’s appropriately protected. Consider the penalties associated with a loss or breach. For example, what fines can be levied per record for a HIPAA breach involving protected health information? Insight into the potential costs associated with the compromise of a data set will enable you to set expectations for the cost to protect it and which classification level to set.
Commercial classification tools support data classification initiatives by helping determine the appropriate classification and then applying the classification label either to the metadata of the item or as a watermark. Robust classification systems offer user-driven, system-suggested and automated capabilities:
  • Provision of a menu of tailored data classification options.
  • Detection of content within a data item, followed by the offering of classification options for selection by the user.
  • Automation, through which the system selects the appropriate classification based on analysis engines with limited (if any) user input.
- Enable controls. Establish baseline cybersecurity measures and define policy-based controls for each data classification label to ensure the appropriate solutions are in place. High-risk data requires more advanced levels of protection while lower-risk data requires less protection. By understanding where data resides and the organizational value of the data, you can implement appropriate security controls based on associated risks. Classification metadata can be used by data loss prevention (DLP), encryption and other security solutions to determine what information is sensitive and how it should be protected.
- Monitor and maintain. Be prepared to monitor and maintain the organization’s data classification system, making updates as necessary. Classification policies should be dynamic. You need to establish a process for review and update that involves users to encourage adoption and ensure your approach continues to meet the changing needs of the business.
Full data classification is an expensive and cumbersome activity that few companies are equipped to handle. A good retention policy can help whittle down data sets and facilitate your efforts. Start by selecting specific types of data to classify in line with your confidentiality requirements, adding more security for increasingly confidential data.
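The discovery, classification and labelling steps above are easiest to reason about with working code. The following is an added example and not a tool from the original post or from True North Networks: it scans a set of documents for the identifier types the post names (Social Security numbers, payment card numbers validated with a Luhn check, medical record numbers, and marker phrases such as “confidential”), maps the findings onto a four-level scheme, and writes the resulting label as a sidecar file that downstream controls such as DLP can read. The MRN format, the keyword list, the sample documents and the mapping of findings to levels are all assumptions chosen for illustration; real policies and formats vary by organization.

```python
"""Discover, classify and label documents: an added example, not a product."""
import json
import re
from collections import Counter
from pathlib import Path

# Three to four levels, as the post recommends. Nothing is ever auto-labelled
# Public: downgrading is a human decision.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")

# Hyphenated SSNs only; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-16 digits, optional space/hyphen grouping.
# Each candidate is confirmed with a Luhn check to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Assumed medical record number format; real MRN formats vary by provider.
MRN_RE = re.compile(r"\bMRN[:# ]*\d{6,10}\b")
# Assumed marker phrases that authors put on proprietary material.
KEYWORDS = ("confidential", "proprietary", "internal only")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_text(text: str) -> Counter:
    """Count each sensitive data type present in one document."""
    findings = Counter()
    findings["ssn"] = len(SSN_RE.findall(text))
    findings["card"] = len(find_cards(text))
    findings["mrn"] = len(MRN_RE.findall(text))
    lower = text.lower()
    findings["keyword"] = sum(lower.count(k) for k in KEYWORDS)
    return findings


def classify(findings: Counter) -> str:
    """Assumed policy: regulated identifiers (SSN, card, PHI) carry per-record
    penalties, so a single hit is Restricted; marker phrases are Confidential;
    everything else defaults to Internal until an owner reviews it."""
    if findings["ssn"] or findings["card"] or findings["mrn"]:
        return "Restricted"
    if findings["keyword"]:
        return "Confidential"
    return "Internal"


def build_inventory(docs: dict[str, str]) -> list[dict]:
    """Inventory for a mapping of document path -> text content."""
    inventory = []
    for path, text in sorted(docs.items()):
        findings = scan_text(text)
        inventory.append({"path": path, "level": classify(findings),
                          "findings": {k: v for k, v in findings.items() if v}})
    return inventory


def scan_directory(root: Path, suffixes=(".txt", ".csv", ".md")) -> list[dict]:
    """Walk a directory tree and inventory the text files in it."""
    docs = {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}
    return build_inventory(docs)


def write_label(root: Path, record: dict) -> Path:
    """Persist the label beside the item as a JSON sidecar that DLP or
    encryption tooling can read (xattrs or Office document properties are
    the production equivalent). Returns the sidecar path."""
    sidecar = root / (record["path"] + ".classification.json")
    sidecar.write_text(json.dumps({"level": record["level"]}))
    return sidecar


# Constructed sample documents; every identifier is a well-known test value.
SAMPLE_DOCS = {
    "hr/onboarding.txt": "New hire W-4 on file. SSN: 123-45-6789. Start date 2024-03-01.",
    "finance/refunds.csv": "order,card,amount\n1001,4111 1111 1111 1111,49.99\n"
                           "1002,4111-1111-1111-1112,12.00\n",
    "clinic/visit_notes.txt": "MRN 00418223 seen for follow-up; labs pending.",
    "eng/roadmap.md": "# Q3 roadmap (CONFIDENTIAL)\nShip the new ingestion pipeline.",
    "marketing/newsletter.txt": "Thanks for subscribing! Here is what is new this month.",
}

if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_DOCS):
        print(f'{rec["level"]:<13} {rec["path"]:<26} {rec["findings"]}')
```

Run as written it inventories the constructed samples; `scan_directory(Path("/srv/share"))` followed by `write_label` for each record is the shape of a real run. Note the second card number in the refunds file is rejected by the Luhn check and does not count, which is exactly the validation step that keeps a discovery tool from flagging every 16-digit order number.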
All Data is Not Created Equal
From the time information is created until it is destroyed, data classification can help your organization ensure it is effectively protected, stored and managed. Putting data classification at the heart of your data protection strategy allows you to reduce risks to sensitive data, enhance decision-making and increase the effectiveness of DLP, encryption and other security controls. By creating a straightforward classification scheme, comprehensively assessing and locating data, and implementing the right solutions, your organization can benefit from a simplified, streamlined way to ensure that sensitive data is handled appropriately and reduce threats to your business.