Thursday, September 1, 2016

Data Classification - Who needs it?

As an information security practitioner, there are times when you look at the security landscape for your organization and think, wow, there are definitely some areas we can improve on.  Many of these areas are not necessarily easy to tackle and execution may even seem impossible!

One thing I had always struggled with when working in banking was data classification. We did have data classification defined, to an extent, but it was really basic and didn’t allow us to make real decisions on investing in technology and security controls.  The bulk of what we really needed to protect was customer information, but was that good enough?

In banking there is one clearly defined segment of data that must be protected: customer data.  Putting forth the minimum required effort from a compliance standpoint is really a shortsighted view of a larger data classification need, because there are so many other groups of data that fit into a grey area.  In this grey area live large quantities of private information, such as the information that human resources maintains on our employees (salary, health care info, etc.), information relating to mergers and acquisitions, employee lists, schedules, bank access codes, combinations to vaults, minimum cash limits…  The list goes on.
</grreplace>
<gr_replace lines="11" cat="clarify" orig="How do we classify">
How do we classify the sensitivity of this data? It certainly doesn’t fall into the larger category of customer information, but it definitely needs to be protected from exposure.  What’s more, this gap in the classification scheme will start to expose itself when looking at initiatives such as DLP, rights management, DR optimization, justifying spend on technology, and now – cyber-insurance requirements.

How do we classify the sensitivity of this data? It certainly doesn’t fall into the larger category of customer information, but it definitely needs to be protected from exposure.  What’s more, this inadequacy will start to expose itself when looking at initiatives such as DLP, rights management, DR optimization, justifying spend on technology, and now – cyber-insurance requirements.

Take the time to look at how you are classifying data, what types of data labels you are using, and how data classification feeds into larger initiatives.  You may be surprised at how many areas this touches and how it may help with some of the initiatives listed above.

If you need help understanding how Data Classification can help you, or if you are in need of building out a more comprehensive Data Classification scheme, let me know.

(as posted on LinkedIn)
