Having your Classification Cake and Eating It


Since more than 80% of all data created is unstructured, most people have accepted the fact that having some knowledge of what that data is and where it is stored is an essential part of any data security policy. Some form of classification mechanism is therefore essential – it’s proven to reduce security breaches and leading analysts now describe it as a ‘foundational tool’ for data security.

The key question is how to classify. Historically, this has been a choice between either some form of automated tool or getting the user/creator to do it. CISOs and IT directors have tended to fall fairly and squarely into one of the two camps:

  1. “I am not going to trust my user to label anything.”
  2. “No automatic tool is going to understand the context of the document like the person that creates it.”

Whilst both approaches have their benefits, they also have their own distinct challenges and compromises. In response to this, Boldon James have developed the concept of Classifier360, so you don’t have to make a binary choice. You can choose it all. Choose a blend of classification approaches that is driven by the needs of your business and can change as your data classification policy and culture matures.

Classifier360 is an Enterprise Classification System that blends together best practice in user-centric and automated classification techniques in the manner most appropriate to your business. The Classifier360 classification techniques include:

  • User-Driven Classification – Users are empowered to make business-centric classification decisions
  • Recommended Classification – Rules are used to propose a classification to the user, for example based on domain, data type or user group
  • Prescribed Classification – Data is automatically classified without user involvement
  • User-Endorsed Classification – Supplements any of the other classification techniques by applying classification labels that require additional user endorsement before being regarded as authoritative

Adopting Classifier360 as an approach, the CISO and IT Director retain control by:

  • Allowing their users to classify material, but supporting them in their choices by:
      – Offering intelligent defaults, based on attributes of the user or the data itself (where it came from, for example)
      – Tailoring the policy to have intelligent defaults (i.e. HR are always internal)
      – Classifying data generated by automated processes at the point of creation without user intervention – for example reports that are produced by an ERP or SAP System
  • Ensuring that subject matter experts have authority over specific classification decisions – for example ITAR or export control
  • Starting classification projects using predominantly automated classification but then engaging users at a later stage

Engaging and involving the users puts security at the forefront of their minds. It also delivers behavioural information about your users and the way your data is used that can be analysed, allowing the identification of rogue users or compromised credentials.