In the final instalment of their five-part series on The Definitive Guide to Data Classification, Digital Guardian give guidance on how you can set yourself up to succeed and keep your sensitive data safe.
Frameworks to Rule the World
Frameworks sometimes get panned for being too simplistic, but the reason they persist is the 80/20 rule. They may not get you to 100% (if that is even possible given the pace of business), as each company is different, but they give you a place to start your efforts, with the guidance you need when it is all new. Forrester Research created a “Data Security & Control Framework” to guide you on your data protection journey. It breaks the process of controlling and securing data into three steps: Define, Dissect, Defend. The first step includes data discovery and classification. With the knowledge of what types of sensitive data you have and where it is, you can kick off the Dissect and, ultimately, Defend steps.
Define the Iterative Process
Once your infosec team understands the value that data classification can bring, where do you start? Executive buy-in ensures you get the attention you need. Next, document the goals, objectives, and strategic intent behind the classification project; this plan will help you stay on course. Setting yourself up for success means not biting off more than you can chew: establish a realistic scope with explicit limits to reduce the likelihood of scope creep.
Document it All
To be effective, your classification program needs a well-defined policy. This includes the right number of classification categories and clear mapping of your data to those categories. PricewaterhouseCoopers, among many security analysts and consultants, recommends you start with just three categories: Public, Private, and Restricted. Only if those three prove insufficient should you add more categories. Once you have your classification categories established, build a table that includes their definitions, example documents, repercussions if leaked, and the security controls in place for each. This table serves as your classification guideline.
Lay out the Ground Rules
Classifying your data consistently requires a structured approach that eliminates as much guesswork as possible. Forrester suggests evaluating data across three dimensions, ranking it as High, Medium, or Low with regard to Identifiability, Sensitivity, and Scarcity, to build your data protection map. Data that ranks Low across all three (e.g. a product datasheet) typically falls into the “Public” category. Data that ranks High across all three (e.g. payment card information or intellectual property) typically falls into the “Restricted” category. Data with a mixture of High, Medium, and Low rankings (e.g. upcoming press releases) typically resides in the “Private” category.
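The three-dimension ranking rule above, together with the three-category guideline table from the previous section, can be turned into a small, repeatable classifier so that two reviewers scoring the same dataset get the same category. The following is an added illustration, not code from Digital Guardian, Forrester or Boldon James; the inventory items, the guideline definitions and the control names are constructed placeholders, and the tie-breaking for rankings that are neither all-Low nor all-High (they go to Private, per the rule) is the only interpretation applied.

```python
"""Map High/Medium/Low rankings to Public / Private / Restricted.

Added example. Rule implemented (from the page): all Low -> Public,
all High -> Restricted, any other mix -> Private. Everything else
(item names, definitions, controls) is a constructed placeholder.
"""
from dataclasses import dataclass

RANKS = {"Low": 0, "Medium": 1, "High": 2}
DIMENSIONS = ("identifiability", "sensitivity", "scarcity")

# Constructed classification guideline (the table the policy section asks for).
GUIDELINE = {
    "Public": {
        "definition": "Safe to disclose outside the organisation",
        "controls": ["integrity checks on published copies"],
    },
    "Private": {
        "definition": "Internal use; disclosure causes limited harm",
        "controls": ["authenticated access", "access logging"],
    },
    "Restricted": {
        "definition": "Disclosure causes serious legal or financial harm",
        "controls": ["least-privilege access", "encryption at rest",
                     "DLP monitoring", "access logging"],
    },
}


@dataclass(frozen=True)
class Ranking:
    identifiability: str
    sensitivity: str
    scarcity: str


def validate(ranking: Ranking) -> None:
    """Reject any rank outside High/Medium/Low so bad input cannot silently
    land in the wrong category."""
    for dim in DIMENSIONS:
        value = getattr(ranking, dim)
        if value not in RANKS:
            raise ValueError(f"{dim}: {value!r} is not one of {sorted(RANKS)}")


def classify(ranking: Ranking) -> str:
    """Apply the all-Low / all-High / mixed rule."""
    validate(ranking)
    scores = {RANKS[getattr(ranking, dim)] for dim in DIMENSIONS}
    if scores == {RANKS["Low"]}:
        return "Public"
    if scores == {RANKS["High"]}:
        return "Restricted"
    return "Private"  # any mixture, including all-Medium


def protection_map(inventory: dict[str, Ranking]) -> dict[str, dict]:
    """Build the data protection map: item -> category + required controls."""
    result = {}
    for name, ranking in inventory.items():
        category = classify(ranking)
        result[name] = {
            "category": category,
            "controls": list(GUIDELINE[category]["controls"]),
        }
    return result


# Constructed inventory mirroring the page's examples.
SAMPLE_INVENTORY = {
    "product datasheet": Ranking("Low", "Low", "Low"),
    "upcoming press release": Ranking("Low", "High", "Medium"),
    "cardholder data export": Ranking("High", "High", "High"),
}

if __name__ == "__main__":
    for item, entry in protection_map(SAMPLE_INVENTORY).items():
        print(f"{item:25s} {entry['category']:10s} {', '.join(entry['controls'])}")
```

Keeping the rule in one function and the control requirements in one table means a change to either (say, adding a fourth category later, as the policy section allows) is made in a single place and every item in the inventory is re-mapped consistently.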
Data classification can give your data security program a boost in accuracy and effectiveness, but you need to follow some simple steps to set yourself up for success. Starting with a framework, following a process, documenting as you go, and applying a consistent approach all put you on the path to keeping your sensitive data protected.
For more tips for data classification success, Digital Guardian have a new comprehensive eBook, The Definitive Guide to Data Classification, which you can download.
Alternatively, contact Boldon James to arrange your free demonstration of our data classification solution, Classifier, and find out how you can transform your data security.