Key Points:
– The objective of Data Classification is to ensure a level of security commensurate with the level of risk associated with the asset
– Identify information assets
– Classify data based on potential business impact and obligations (Law, Regulations and Rules)
– Maintain a Data Classification Inventory
– Establish a Governance Routine
Introduction
As this blog was created to help organizations which lack a dedicated information security professional to run their information security program, we have decided that our very first article should focus on one of the most foundational information security requirements: Information Asset Inventory and Data Classification.
Objective and Challenges
An organization needs to create an information asset inventory because it must understand which information assets need to be protected. Data Classification is then performed against the identified information assets so that the organization has a consistent understanding of how each asset should be protected.
While the concept sounds simple, many organizations fail due to:
– The Data Owner not having full visibility of the information assets within their business unit.
– The definition of each data classification (e.g. Confidential, Proprietary and Public) being too vague for the Data Owner to assign a classification.
– Lack of accountability by the Data Owner and Control Partners (Information Security, Compliance, Legal Department et al.).
– Lack of guidance, processes and tools from the Information Security team.
Suggestions
1. Ensure Key Stakeholders support the effort and understand how it benefits the organization. Benefits may be:
– Consistent handling of the information asset.
For example, HR (the Data Owner) may require employees to treat Employee Performance Review data as Confidential. Managers and employees must not assume the data classification and must have a means of finding out how HR classified the data.
– Understanding the risk associated with each information asset.
While all information assets require an appropriate level of data confidentiality, integrity and availability, a Social Security Number places the emphasis on confidentiality, whereas a Payment Instruction places more emphasis on data integrity.
– Risk / Reward
With finite resources (people, technology and budget), an organization must ensure its information security program focuses on its highest-risk assets.
2. Provide guidance, processes and tools which enable the Data Owner to identify and classify information assets in a consistent manner. Ensure the process can be performed consistently and is sustainable. Perform a pilot with a small number of Data Owners. Ensure data classifications are not the Data Owner's personal opinion, and establish a governance process to validate them with the Control Partners.
3. Accept that the process will be iterative. Initially focus on information assets which intuitively require information security protection (e.g. SSN, salary / compensation, intellectual property) and which have a specific control mandate through Law, Regulations and Rules (e.g. Personal Information, Information wall).
Information Asset Inventory
Key Fields
– Organization / Region
– Data Owner
– Data Element / Detail
– Data Classification / Rationale
– Change over time
– Law, Rules and Regulations
– Exceptions
– Structured Data / Pattern
– Data Loss Prevention threshold
– Last Review Date
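As an added illustration (not code from the original post), the key fields above can be kept as a structured inventory record and the governance routine run against it: checking that each record carries a recognised classification and a rationale, that a structured-data pattern comes with a Data Loss Prevention threshold, and that the Last Review Date is within the review cadence. The classification levels, the one-year cadence, the SSN regex and the sample record are assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed for this example: the post names these levels but sets no cadence.
LEVELS = ("Public", "Proprietary", "Confidential")
REVIEW_CADENCE = timedelta(days=365)


@dataclass
class InventoryRecord:
    """One row of the Information Asset Inventory, using the post's key fields."""
    organization: str
    data_owner: str
    data_element: str
    classification: str
    rationale: str
    laws_rules_regulations: List[str]
    last_review: date
    structured_pattern: Optional[str] = None  # regex for structured data, if any
    dlp_threshold: int = 0                    # matches per document that trigger DLP
    exceptions: List[str] = field(default_factory=list)


def governance_findings(rec: InventoryRecord, today: date) -> List[str]:
    """Governance routine: return the problems a Control Partner should raise."""
    out = []
    if rec.classification not in LEVELS:
        out.append(f"{rec.data_element}: unknown classification {rec.classification!r}")
    if not rec.rationale.strip():
        out.append(f"{rec.data_element}: no rationale recorded for the classification")
    if rec.structured_pattern and rec.dlp_threshold < 1:
        out.append(f"{rec.data_element}: structured pattern set but no DLP threshold")
    if today - rec.last_review > REVIEW_CADENCE:
        out.append(f"{rec.data_element}: review overdue (last {rec.last_review})")
    return out


def dlp_hits(rec: InventoryRecord, text: str):
    """Count pattern matches in one document and whether the DLP threshold is reached."""
    if not rec.structured_pattern:
        return 0, False
    hits = len(re.findall(rec.structured_pattern, text))
    return hits, hits >= rec.dlp_threshold


# Constructed sample record and document (assumed values, not real data).
SSN = InventoryRecord("US", "HR", "Social Security Number", "Confidential",
                      "Direct identifier subject to breach-notification rules",
                      ["State breach notification laws"], date(2023, 1, 15),
                      structured_pattern=r"\b\d{3}-\d{2}-\d{4}\b", dlp_threshold=2)
SAMPLE_DOC = "Onboarding: 123-45-6789 and 987-65-4321; phone 555-1234."
```

Running the routine on a schedule over the whole inventory gives the Control Partners a list of records needing attention rather than relying on each Data Owner to remember their review date.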

I think more and more asset identification and tracking as well as data classification will need to become fully automated. As stated, businesses clearly fail repeatedly when it comes to asset management and you cannot manage and protect what you do not understand. The trend toward software defined infrastructure, containerization and serverless architecture will exacerbate the need for automation. The elasticity of a given environment may have a cadence that exceeds the staff's ability to document effectively without the help of automation.