If you followed the first four steps in this series (Identify, Discover, Classify and Secure), you’ll have successfully secured the organisation’s valuable and confidential information by using data classification and downstream toolsets to enforce the security policy. It’s not ‘job done’ yet, however.
Legislation, threats (external and internal) and the business itself will constantly evolve, while demands from regulators and the board for better governance will intensify. Ongoing measurement of the effectiveness of your security policy is the only way to check that the controls you’ve put in place remain fit for purpose.
The monitoring of classification activities is a powerful way of doing this. Monitoring and reporting tools track how data is being accessed, used and classified, and provide visibility to the business via structured audit data and analytics.
This improves the chances that a breach will be quickly detected – helping the business to comply with notification periods required by regulators, as well as to minimise damage. If there is a breach, the detailed audit information will allow you to demonstrate that the appropriate steps to protect data were taken.
More importantly, real-time monitoring of how people use classification tools will allow any behaviour that deviates from ‘normal activity’ to be identified and addressed before a breach occurs. This could include flagging up a user who repeatedly labels documents incorrectly, and therefore might represent an insider threat. The clear audit trail of activity also enables compliance with legislation to be measured and demonstrated to government and industry regulators, many of which have strict auditing and reporting requirements.
Ongoing monitoring builds an organisation-wide picture of how effective the security policy is – a picture which can be shared with the board – along with an understanding of how to improve it.
Using a classification reporting tool in conjunction with a security incident and event monitoring (SIEM) solution and a behavioural analysis toolset is the ‘gold standard’ in situational awareness. The combined data makes it possible to forensically analyse an individual’s behaviour to establish the cause of an incident, as well as to highlight broad behavioural patterns and trends. If a large number of people regularly under-classify documents, for instance, this may indicate a weakness in the policy or simply show that it’s not properly understood.
This insight will equip you to make informed decisions about how to address the issue: through tightening the security policy, providing further training, or carrying out disciplinary procedures.
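The distinction drawn above, between one user who repeatedly mislabels documents and a broad under-classification pattern, can be checked over classification audit events as in the following sketch. It is an added example, not code from the original article or from any classification product; the event fields, label names, the "reference label" used to judge an applied label, and both thresholds are assumptions.

```python
from collections import defaultdict

# Constructed label ranking; a real policy defines its own labels.
RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Secret": 3}

# Constructed audit events: (user, label the user applied, reference label).
# The reference label is an assumption, e.g. a reviewer's later correction.
EVENTS = [
    ("alice", "Internal", "Internal"), ("alice", "Confidential", "Confidential"),
    ("alice", "Public", "Public"), ("alice", "Internal", "Internal"),
    ("bob", "Public", "Confidential"), ("bob", "Internal", "Secret"),
    ("bob", "Public", "Internal"), ("bob", "Internal", "Internal"),
    ("carol", "Confidential", "Confidential"), ("carol", "Internal", "Internal"),
    ("carol", "Internal", "Confidential"), ("carol", "Public", "Public"),
    ("dave", "Secret", "Secret"), ("dave", "Internal", "Internal"),
    ("dave", "Public", "Public"), ("dave", "Confidential", "Confidential"),
]

def under_rates(events, min_events=3):
    """Per-user share of events labelled below the reference label."""
    total, under = defaultdict(int), defaultdict(int)
    for user, applied, reference in events:
        total[user] += 1
        if RANK[applied] < RANK[reference]:
            under[user] += 1
    # Ignore users with too few events to judge.
    return {u: under[u] / n for u, n in total.items() if n >= min_events}

def assess(events, user_threshold=0.5, widespread_share=0.4):
    """Separate an individual outlier from an organisation-wide pattern."""
    rates = under_rates(events)
    flagged = sorted(u for u, r in rates.items() if r >= user_threshold)
    share = len(flagged) / len(rates) if rates else 0.0
    if share >= widespread_share:
        finding = "widespread"   # points at the policy or at training
    elif flagged:
        finding = "individual"   # follow up with the named users
    else:
        finding = "none"
    return finding, flagged, rates

if __name__ == "__main__":
    print(assess(EVENTS))
```

With the constructed events, only one of four users crosses the per-user threshold, so the finding is an individual one; if a large share of users crossed it, the same data would point at the policy or its training instead.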
Integrating monitoring and reporting capabilities into the data security strategy is the only way an organisation can fully realise the value of its data classification and other security solutions. Measuring effectiveness will provide the intelligence needed to evolve the strategy in line with threats and business changes. It will also give you the information you need to demonstrate value – proving that the solutions purchased are delivering expected benefits and ROI. This assurance will communicate the value of the security organisation, and secure the future investment that will keep the ‘crown jewels’ safely locked up for good.