Data Classification and Governance, Risk and Compliance

Employee round-table discussion

I recently spoke at the London ISACA EuroCACS/ISRM conference and found it very refreshing that the majority of delegates from the Governance, Risk and Compliance (GRC) community understand the value of Data Classification. The audience was a mix of senior GRC and information security professionals from a wide range of industry sectors all over EMEA. Data Classification certainly seems to be high on the agenda for many organisations – conversations at our stand focused on topics such as implementation and the impact of Data Classification on Archiving, Document Management, BYOD, Access Control and Rights Management solutions. Many organisations were looking at ISO27001, with its explicit requirement for Data Classification, and the challenge of dealing with the historical mountain of unstructured data in their Email and SharePoint systems.

Our Data Classification & Big Data presentation was standing room only, and a great debate ensued about the difficulties of implementing Rights Management Services (RMS). The consensus was that, with some simple awareness training, users could label emails and documents themselves; those labels would then drive the decision to invoke RMS automatically, removing the need to train users on, or explain, RMS at all.

Another area for discussion was the volume of data many organisations have residing in SharePoint sites, with no information on what is in there or its sensitivity. The main problem seemed to be that as staff moved on or were promoted, many SharePoint folders became ‘orphaned’ and some were recreated, doubling both the data loss exposure and the storage requirement. It was seen as difficult to set any sensible access control rules without some level of data classification. These problems were exacerbated when companies regularly interoperated with other organisations or dealt with ITAR or Export Controlled information.

There was a clear dividing line between those organisations that were allowing unfettered use of employees’ own devices (BYOD) and those that were restricting staff to specific methods of operation. Everyone agreed that before deciding what data can reside where, you need to understand the value of the data to your organisation.

One interesting point was that the potential fines imposed by regulators were not seen as the main driver for using Data Classification to reduce data loss. Instead, the main motivation was the long-term reputational damage caused by having to inform customers and partners alike that you had fallen short of their expectations and the associated costs of correcting matters.

We were excited by the interest in Data Classification and Classifier and are looking forward to the next ISACA event in Las Vegas on 6-8 November.