23 June 2020
Many organisations have limited resources to invest in safeguarding data. Knowing exactly what needs to be protected will help you develop a secure plan so you can allocate your budget and other resources wisely.
The best place to start is by classifying your data. Classification provides a solid foundation for a data security strategy because it helps to identify the data at risk in the IT network, both on premises and in the cloud.
In this article, we will give the data classification definition and explore the steps involved in getting started.
Data classification is the process of organising both structured and unstructured data into categories. It enables more efficient use and protection of critical data, including facilitating risk management, legal discovery, and compliance processes.
For years, it was up to users to classify data they created, sent, modified or otherwise touched. Today, organisations have options for automating classification of new data that users create or collect.
Data discovery is the process of scanning repositories to locate data. It can serve many purposes, such as enterprise content search, data governance, data analysis and visualisation. When combined with data classification, it helps organisations identify repositories that might contain sensitive information so they can make informed decisions about how to properly protect that data.
To safeguard sensitive corporate and customer data adequately, you must know and understand your data. You need to be able to answer the following questions:
Having answers to these questions, along with information about the threat landscape, enables organisations to protect sensitive data by assessing risk levels, planning and implementing appropriate data protection and threat detection measures.
Compliance standards require organisations to protect specific data such as cardholder information (PCI DSS), health records (HIPAA), financial data (SOX) or personal data (GDPR). Data discovery and classification help to determine where these types of data are located so you can make sure that appropriate security controls are in place and that the data is trackable and searchable as required by regulations.
There is no one-size-fits-all approach to data classification. However, the classification process can be broken down into four key steps, which you can tailor to meet your organisation’s needs as you develop your general data protection strategy.
First, you should define a data classification policy and communicate it to all employees who work with sensitive data. The policy should be short and simple and include the following basic elements:
Now it’s time to apply your classification policies to your existing data. You could choose to classify only new data, but then business-critical or confidential data you already have might be left insufficiently protected.
Rather than trying to manually identify databases, file shares and other systems that might contain sensitive information, consider investing in a data discovery application that will automate the process. Some technology tools report both the volume and potential category of the data.
Each sensitive data asset needs a label in accordance with your data classification model; this will help you enforce your data classification policy.
Once you know what sensitive data you have and its storage locations, you can review your security and privacy policies and procedures to assess whether all data is protected by risk-appropriate measures.
Files are created, copied, moved and deleted every day. Therefore, data classification must be an ongoing process. Proper administration of the data classification process will help ensure that all sensitive data is protected.
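As an added example, not from the article or any product it describes, the discovery and labelling steps above as a minimal Python pass over a constructed in-memory repository: a hypothetical four-level model (Public/Internal/Confidential/Restricted), a Luhn-checked card-number detector for PCI DSS data and an e-mail detector for personal data, and a volume-per-label report of the kind the discovery step mentions.

```python
import re
from collections import Counter

# Hypothetical classification model (not from the article): the highest
# sensitivity level matched by any detector wins.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
CATEGORY_LEVEL = {"cardholder": "Restricted", "personal": "Confidential"}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # candidate card numbers
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")  # personal data (GDPR)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most order/invoice numbers out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def categories(text: str) -> set[str]:
    """Return the sensitive-data categories detected in one document."""
    found = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("cardholder")
    if EMAIL_RE.search(text):
        found.add("personal")
    return found

def classify(text: str) -> str:
    """Map detected categories to one label; 'Internal' when none match."""
    levels = [CATEGORY_LEVEL[c] for c in categories(text)]
    return max(levels, key=LEVELS.index) if levels else "Internal"

def scan(repository: dict[str, str]) -> dict[str, str]:
    """Discovery pass over a path -> content mapping (a file share stand-in)."""
    return {path: classify(text) for path, text in repository.items()}

# Constructed sample repository; the order number is 16 digits but fails Luhn.
SAMPLE_REPO = {
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111, contact a.b@example.com",
    "sales/order.txt": "Order 1234567812345678 shipped on 2020-06-23",
    "wiki/lunch.txt": "Team lunch is on Friday",
}

if __name__ == "__main__":
    labels = scan(SAMPLE_REPO)
    for path, label in labels.items():
        print(f"{label:12} {path}")
    print("volume per label:", dict(Counter(labels.values())))
```

Real scanners add detectors per regulated category and walk actual shares; the Luhn step matters because a 13 to 16 digit run alone flags most order and invoice numbers.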
Data classification is not a magic wand that ensures data security or compliance with regulatory requirements by itself. Rather, it helps organisations identify the data most critical to the business so they can focus their limited time and financial resources on ensuring appropriate data protection.