FINAL WORD
Why data classification should drive your security strategy
If you haven’t identified what data is sensitive to your
business, where it resides and how it’s being used, how can
you hope to protect it? Thomas Fischer, Threat Researcher
and Global Security Advocate at Digital Guardian, discusses
why getting to grips with data should be the first step in any
effective security strategy.
There are two types of businesses
in the world today: those that run
on data and those that will run on
data. As a result, data security now sits
at the top of nearly every organisation’s
priority list. But with such a high volume
of data coming into most businesses every day,
how can InfoSec professionals quickly
identify which data is the highest priority for
protection? After all, security costs time
and money, and not all types of data are as
sensitive or vulnerable as others.
Leading analyst firms Gartner and
Forrester both say that data classification
is foundational to an effective data
security programme. Organisations cannot
efficiently protect their growing pool
of data without a better understanding
of what they have and where it is.
For channel partners, offering data
classification to clients gives those clients a
prioritised list of their data assets and
enables them to focus controls on
the most important data. This is an
essential piece of an organisation’s data
security strategy. For compliance-oriented
applications, data classification allows
compliance teams to understand how
regulated data is moving, and where it
may be at risk. Better understanding of
how the data is being protected leads to
more accurate data protection and reduced
overheads for InfoSec teams, enabling
faster time to value for your clients.
What is data classification?
Data classification is a process of
consistently categorising data based on
specific and predefined criteria so that it
can be efficiently and effectively protected.
In addition to simplifying security
strategies, it can greatly assist companies
in meeting governance, compliance or
regulation mandates such as the Payment
Card Industry Data Security Standard
(PCI DSS), as well as protecting important
intellectual property.
How can businesses implement an effective classification strategy?
Data classification is not a one-size-fits-all
approach. Every business has different
needs to address, so a strategy must
be tailored accordingly. However, the
following five-point action plan can be used
to create the foundation of an effective
strategy for nearly any business.
1) Define a data classification policy
What are the goals, objectives and strategic
intent? Make sure users are aware of the policy and
understand why it’s being put in place. An
effective data policy must also balance the
confidentiality and privacy of employees/
users against the integrity and availability
of the data being protected. A policy that’s
too stringent can alienate staff and impede
their ability to carry out their jobs, but if
it’s too lax, the very data the business is
trying to protect could be at risk.
Thomas Fischer, Threat Researcher and Global
Security Advocate at Digital Guardian.
Issue 08
INTELLIGENT TECH CHANNELS