In the era of big data and analytics, organizations are inundated with information, from business critical intellectual property, to routine employee memos. The diversity of this data makes effective management and classification essential to avoid being overwhelmed under a mountain of ones and zeroes.
Data classification is a system of identifying and tagging data so that it can be easily found, protected adequately and retained appropriately. Without it, data management quickly becomes a nightmare that is a burden to manage and a sizeable cost in the event of a compromise, not to mention the storage and backup costs.
A careful implementation of a classification system tailored to the organization can dramatically ease the burden of data management. Once a system is in place it will be much easier to maintain regulatory and legal compliance, reduce storage overhead, increase backup efficiency, improve ease of access to relevant data, and most importantly, identify mission critical information. This breakdown allows the appropriate level of protection to be applied to each classification level.
Too often, organizations do not properly back up their critical data, making them susceptible to crippling ransomware attacks. Backup is almost impossible without full awareness of which data can be considered critical. To be successful in this effort, relevant categories must be defined.
The first step in implementing a data classification system is categorization. Typically, categories are broken down into general/public, internal/sensitive and confidential/restricted. Roles should be assigned within the organization to determine who is responsible for establishing what sort of data falls into each category and who is responsible for maintaining them. Over-classifying data is a common pitfall: the cost of protecting a larger set of data than necessary quickly becomes prohibitive.
During the planning phase of a data classification rollout, additional consideration must be given to backup, and to testing that the backup actually works. It is important to understand what the retention requirements are, what sort of protections must be put in place, and whether a third party is used and, if so, whether it is compliant with business requirements.
With planning finalized, the next step is a detailed data audit. This is the phase where it becomes readily apparent that the task of data classification is LONG overdue, with reams of unnecessary clutter to filter through. Once complete, there will be a firm grasp of current data, enabling decisions to be made regarding the scope of the backup management system.
A well thought out data classification system should be easy for the organization to understand, especially how each person contributes and what their specific responsibilities are. While not the easiest project to execute, it is absolutely essential to get data into a state where it can be more efficiently accessed and protected.
Best practices include:
- Obtain organizational buy-in and executive backing. If the plan doesn’t have the support of the stakeholders, it will be very difficult to implement and maintain.
- Don’t over-classify data! If it doesn’t meet the requirements set for a higher classification, resist the temptation to go further. Remember, if all data is “special”, then none of it is.
- Clear out redundant and unnecessary data. Excess only makes the management process more difficult, not to mention costlier in terms of time and resources.
- Take a hard look at the data deemed to be of the highest sensitivity level. Are appropriate protections in place while the data is at rest, and are there controls to ensure that unauthorized personnel do not have access?
- Make sure the plan is easy for everyone to understand and the roles are clear. There should be no question as to who is responsible for the various steps.
- Revisit the plan to validate that it is still sufficient for organizational needs. As businesses grow and change, new obligations under various regulations and laws may be assumed. Often, this occurs when a company decides to store payment card or medical information onsite as opposed to with third parties.
Approaching these steps from a top-down perspective can help an organization make the most of its security and compliance resources, ensuring that attention is applied where it belongs. Further, sound and repeatable data classification can help an operation run more efficiently and help it withstand unexpected data loss and cyber attacks, including the dreaded ransomware.