We live in a data-driven society in which data is omnipresent and access to everything from everywhere is not impossible. Data flows freely beyond virtual boundaries through websites, messages, social media, file shares, apps and cloud collaboration tools. However, understanding what type of data an organization holds and where that data resides, along with proper data classification, allows the organization to set appropriate levels of protection.
Understanding and knowing the information that an organization holds is the foundation of information security. Many security professionals overlook this and quickly zoom in on implementing technical safeguards such as access control mechanisms or data encryption. Data discovery and classification are two essentials required for data protection. This article is a deep dive into data discovery and classification.
Data Discovery & Classification
Appropriate policies and procedures to protect data can be put in place only if you know what data you have, why you have it and where it is. Hence, defining the data within an organization becomes an imperative step. There are two important functions that every organization must perform to know its data:
1. Identification of data and its location – Manual discovery of all data (structured and unstructured) and its location within an organization’s ambit is a time-consuming and often error-prone process. The quickest solution to this problem is data discovery tools, which are available from various vendors. TCS can help enterprises identify all structured and unstructured personal/sensitive information and its location within an organization with the right choice of data discovery tool.
2. Classifying the data and determining how data is handled – Classifying the organization’s data is the spine of information security. Without classifying data, it would be impossible to know what needs to be protected. Classifying data enables the creation of attributes for data, which add enormous value to it. These attributes help organizations decide what data needs to be protected and how to handle it appropriately. There are tools available in the market for data classification which parse structured and unstructured data based on predefined patterns and classify it. TCS can enable organizations to create a data classification policy and classify all organizational data according to the policy.
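To illustrate what parsing data against predefined patterns looks like in practice, here is a small added example (not from this article or from any vendor tool). The three level names, the patterns and the sample strings are assumptions constructed for illustration; the Luhn checksum shows how a classifier can discard digit runs that merely look like card numbers.

```python
import re

# Assumed three-level scheme, lowest to highest; a real policy defines its own.
LEVELS = ["Public", "Internal", "Confidential"]

# Illustrative predefined patterns: name -> (regex, level the match implies).
PATTERNS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "Internal"),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Confidential"),
    "payment_card": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), "Confidential"),
}

def luhn_valid(digits):
    """Luhn checksum: filters out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return (label, matched pattern names); the label is the highest level found."""
    hits = set()
    for name, (rx, _level) in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "payment_card" and not luhn_valid(re.sub(r"\D", "", m.group())):
                continue        # looks like a card number but fails the checksum
            hits.add(name)
    label = max((PATTERNS[n][1] for n in hits), key=LEVELS.index, default="Public")
    return label, sorted(hits)

if __name__ == "__main__":
    # Constructed sample records, not real data.
    samples = [
        "Office opens at 9am on Monday.",
        "Contact jane.doe@example.com for the agenda.",
        "Order ref 1234 5678 9012 3456 shipped.",
        "Card 4111 1111 1111 1111, SSN 123-45-6789",
    ]
    for s in samples:
        print(classify(s), "<-", s)
```
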
Data Classification is Not An Easy Game to Win
Classifying data is a really hard task because it is not only instinctive but also non-intuitive. For effective data classification, each piece of information has to be properly classified and maintained. If the classification scheme is intricate, it will deliver no value. In practice, for any organization it is always better to have a simple data classification scheme which can be understood easily by all resources and implemented effectively throughout the landscape. Ultimately, a data classification model that is "too simple" is superior to one that is "too complex."
Another show stopper is the dynamic nature of data within the organization’s landscape. Generally, data is classified at the time of its creation or based on where it’s stored within the organization’s landscape. Information resides in different states, such as in use or archived, and/or has different value at different points in time. Hence, information needs to be reclassified on a periodic basis to keep its classification up to date.
Simplifying Data Classification
Data classification isn't necessarily a complex process, provided it’s well planned. The driving force of an organization’s data classification activity should come not only from IT functions but also from the business needs and risk tolerance of the organization. Discussions with appropriate business, IT and corporate stakeholders to understand "What do we want to achieve?" are a key step.
An organization can have a simple yet effective data classification program if its methodology covers the following activities:
- Create and maintain an inventory of all information assets
- Explicate a data classification policy
- Define data protection level for information assets
- Define asset (i.e. information asset) classification criteria
- Develop information handling and labeling procedures
- Assign responsibility for classification to the data owner
- Classify data based on its sensitivity
- Implement information handling and labeling procedures
- Apply the classification to documents, records, data files, and disks
- Integrate into security awareness and training program
The data classification process goes far beyond classifying data and making it easier to find. Data classification provides enterprises and organizations with a clear picture of the data within the organization’s control. Once implemented, data classification provides a data management framework that facilitates adequate data protection measures and increased compliance with security policies.
Authored By - Sukiraman Manivannan
TCS Enterprise Security and Risk Management