While computer programs exist that can help with data classification, ultimately it is a subjective business and is often best done as a collaborative task that considers business, technical and other points of view. Different departments within an organization all need to be consulted and will have different views on what is, and isn't, sensitive and how it is best protected. An additional aspect to consider is whether a document that is confidential today will remain so for the duration of its life. For example, a public company's financial results will be extremely sensitive prior to announcement, yet, once in the public domain, confidentiality is no longer an issue.
With so many people involved in the decision process, and the constantly changing status of information, it is easy to see what causes delays or even the complete downfall of many data classification projects.
Practical Tips for Implementing a Data Classification Scheme
With these challenges identified, we've outlined some practical approaches to implementing a data classification scheme to help you get started:
Understand what is realistically achievable: If you've ever tried to do everything at once, you'll recognize that inevitably nothing gets done and the same is true with data classification. That said, it is equally true that something is better than nothing. By breaking the project down into smaller, targeted and manageable pieces with regular reviews and implementation targets, you will start to chisel away at the task.
Set the bar at a realistic height: There are varying degrees of discipline and compliance with a data classification project. Unfortunately, not every organization is lucky enough to have a completely disciplined work force, so if resistance is likely, opt for a simpler scheme rather than one that is overly regimented or complex, since that complexity is what drives users to resist it.
Keep your friends close and your enemies closer: Regardless of how rigid or simplistic your control strategy is, it is going to need support from others within the organization if it's to be accepted and embraced. By consulting with key individuals early on in the process, and ensuring they feel part of its design and introduction, the project is less likely to receive hostility during its implementation.
Approve the data classification strategy ASAP: Do this even if full implementation is delayed. First, it costs nothing at this stage. Secondly, any new systems can be designed with data classification in mind, narrowing the implementation burden to existing systems. Finally, if confidential information is inadvertently disclosed, the security program can point to the classification strategy and push accountability to the line-of-business managers who have not yet implemented it.
Use regulation to argue your case: Increased legislation is one of the most effective tools available to a security program. Reference these regulations to raise awareness of the need for data classification and to give the security program the necessary muscle and support to get it implemented.
Classify networks instead of data: For organizations where classification of data appears to be an unreachable goal, try classifying the networks instead of the data. Whilst network classification is not a trivial exercise, it is often easier than the implementation of a comprehensive data classification scheme for data that is digitally stored in large organizations.
Something is better than nothing: While you're going through the process of identifying your sensitive data and how best to protect it, it will quickly become clear whether you have sensitive data that needs protecting. A comprehensive endpoint data encryption solution, protecting data where it resides on laptops, desktops, smartphones and the now ubiquitous USB thumb drives, is an important tool that can be rolled out across the organization even before a data classification project is completed, and can then be utilized moving forwards. However, be warned: not all encryption solutions offer the same protection. Look for a solution that:
- Can be rolled out, managed and maintained centrally
- Is user-specific, not device-dependent, so that even if a PC is shared, the user's data isn't
- Will be enforced so users cannot circumvent its use
- Covers all forms of data regardless of the program in which it is created, the network where it resides or the device it is carried on
- Does not impede the device's performance
There is no shortcut to faster data classification, but there are solid arguments for why it should be undertaken, and undertaken correctly. It is true that information can't be adequately protected if there's no way of tracking its location, value and sensitivity to leakage; it is equally true that, while it is waiting to be rated, it is vulnerable to exploitation. If you know you've got valuables somewhere in the building, you install an alarm system and make sure entry and exit points are secured; shouldn't you at least do the same for your data?