Data classification as an insurance to protect information


Faraz Ahmad
02.02.2010


With data leakage a top security concern for Indian organizations this year, many of them plan to invest in data loss prevention and document rights management technologies. The foremost challenge in such implementations, however, is data classification, which is the primary requirement for a sound data protection strategy.

Data classification policy

Indian organizations often lack clarity about which of their data is confidential. A well-defined data classification exercise addresses this. The rule of thumb for a data classification policy is to consider the company's specific nature of business and the law of the land. For a company dealing in home loans, details such as the customer's name, address, policy and EMI are confidential information, whereas in the pharmaceutical and technology industries intellectual property is the most sensitive asset.

The IT (Amendment) Act, 2008 also obliges corporate entities that handle customers' sensitive personal data to secure it. A data classification policy is therefore necessary irrespective of any plans to deploy data loss prevention (DLP) or document rights management (DRM). Senior management must be consulted while the policy is designed, as they know what can make or break the organization. The exercise can form part of the information security policy, which cuts across all departments.

Classifying data

The first step before a data classification exercise is to sensitize people to the value of confidential data and the need to protect it. The exercise itself should be approached process by process.

For a recent data shield project at Reliance Capital, we undertook a data flow analysis. We studied the documented processes of each department. This analysis helped us identify who generates the data, where it is located, where it is passed on, what the information is used for, and the impact if it is lost.


The output of this activity is a set of classes, such as confidential, sensitive, private and public. Security controls can then be put around the sensitive classes: people's roles, responsibilities and access rights are defined, and information is made available on a need-to-know basis.

The classification results can also be integrated with the organization's knowledge repository, whether that is a knowledge management portal, documented processes, Excel sheets or proprietary tools.

Role of CISO in data classification process

The chief information security officer (CISO) plays a critical role in a data classification exercise. It is a herculean task that calls for excellent project management skills: the CISO must convince senior management, get budgets approved, secure the buy-in of every departmental head and of employees, coordinate the entire exercise, and keep it on schedule.

It is also a give-and-take exercise. If you need heads of department (HODs) or business heads to participate in such initiatives, explain the benefits they will get from it. For instance, in our data flow review we often identified gaps in existing processes and found ways to make them more efficient or cheaper.

Hire specialists

Time and cost are the practical constraints of a data classification exercise, and both vary with the size of the organization. Third-party expert services can help; negotiate time-bound, fixed-cost agreements with vendors rather than paying per process or per resource.

Rather than training and managing in-house staff specifically for a data classification exercise, it makes sense to hire a specialist. The organization provides the framework; the vendor is expected to bring knowledge, experience and efficiency. There has also been talk of automating the entire data classification process, but that is still at a nascent stage.

DLP and DRM implementation can be folded into the data classification process. Once confidential data has been identified, access to it can be controlled immediately through DRM, and DLP can stop it from leaving the organization by fingerprinting the classified documents and matching outbound content against those fingerprints. Fingerprinting protects only content that has actually been registered, which is one more reason classification must come first.
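To show what the fingerprinting step looks like in practice, and how the labels from the classification exercise drive it, here is an added example. It is not code from the article and not Reliance Capital's implementation. It registers classified documents in a fingerprint index and then decides whether an outbound message may leave. Everything in it is constructed: the loan statement, the customer name, address and amounts are fictional, "example.com" is the assumed internal mail domain, and the window size and hit threshold are illustrative choices.

```python
"""Added example: DLP-style document fingerprinting driven by classification labels.

Not code from the article or from Reliance Capital. The documents, customer,
address and amounts are constructed samples; "example.com" is the assumed
internal mail domain; window size and hit threshold are illustrative.
"""
import hashlib
import re
from collections import defaultdict

SHINGLE_WORDS = 5                               # words per fingerprint window
MIN_HITS = 4                                    # matching windows that count as a partial-document match
BLOCK_LABELS = {"confidential", "sensitive"}    # labels from the classification exercise that may not leave


def tokens(text):
    """Lowercase alphanumeric words only: casing, punctuation and line breaks
    added by a user (or an attacker) must not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=SHINGLE_WORDS):
    """Hashes of every k-word window. Only hashes go into the index, so the
    DLP gateway never stores the confidential text itself."""
    words = tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


class FingerprintIndex:
    def __init__(self):
        self.index = defaultdict(set)   # window hash -> ids of documents containing it
        self.classification = {}        # doc id -> label assigned by the data owner

    def register(self, doc_id, text, label):
        """Fingerprint a document once it has been classified."""
        self.classification[doc_id] = label
        for h in shingles(text):
            self.index[h].add(doc_id)

    def match(self, text):
        """Count, per registered document, how many of its windows occur in text."""
        hits = defaultdict(int)
        for h in shingles(text):
            for doc_id in self.index.get(h, ()):
                hits[doc_id] += 1
        return dict(hits)

    def egress_decision(self, text, recipient, internal_domains=("example.com",)):
        """Return (decision, reason) for an outbound message. Blocks only when a
        document with a restricted label is partially matched and the recipient
        is outside the organization; in this example need-to-know among insiders
        is left to the DRM controls rather than the mail gateway."""
        hits = self.match(text)
        external = recipient.rsplit("@", 1)[-1].lower() not in internal_domains
        offending = sorted(
            d for d, n in hits.items()
            if n >= MIN_HITS and self.classification[d] in BLOCK_LABELS
        )
        if offending and external:
            d = offending[0]
            return "block", f"{hits[d]} windows of {d} ({self.classification[d]}) to external recipient"
        if offending:
            return "allow", "restricted document matched, but recipient is internal"
        return "allow", "no restricted content matched"


# Constructed sample documents (fictional customer and figures).
CONFIDENTIAL_DOC = (
    "Home Loan Account Statement. Customer name: Asha Verma. "
    "Address: 12 Lake View Road, Pune 411001. Loan account HL-0000-SAMPLE. "
    "Sanctioned amount 4500000. EMI 42310 payable on the 5th of each month. "
    "Outstanding principal as of 31 March: 3987420."
)
PUBLIC_DOC = (
    "Our home loan products offer flexible tenure options and competitive "
    "interest rates. Visit any branch to apply."
)

# Constructed outbound messages.
LEAK = (
    "Hi, sending the details you asked for. Customer name: Asha Verma. "
    "Address: 12 Lake View Road, Pune 411001. EMI 42310 payable on the 5th of each month."
)
REFORMATTED_LEAK = "CUSTOMER NAME:  Asha   VERMA\nAddress - 12 Lake View Road,\nPune-411001"
PUBLIC_TEXT = "Our home loan products offer flexible tenure options and competitive interest rates."
CHATTER = "Lunch at 1pm? The usual place."


def build_index():
    idx = FingerprintIndex()
    idx.register("loan-stmt-001", CONFIDENTIAL_DOC, "confidential")
    idx.register("brochure-2010", PUBLIC_DOC, "public")
    return idx


if __name__ == "__main__":
    idx = build_index()
    for msg, to in [
        (LEAK, "someone@external.example"),
        (LEAK, "colleague@example.com"),
        (REFORMATTED_LEAK, "someone@external.example"),
        (PUBLIC_TEXT, "someone@external.example"),
        (CHATTER, "someone@external.example"),
    ]:
        decision, reason = idx.egress_decision(msg, to)
        print(f"{decision:5} -> {to:28} {reason}")
```

Two design points matter here. Matching on hashed word windows rather than whole-document hashes is what lets the gateway catch a few copied lines, not just the intact file, and the normalization step means retyping in capitals or breaking lines does not evade it. The label attached at registration time is what turns a match into a decision: the same text copied from the public brochure passes, which is exactly the distinction the classification exercise exists to make.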

Organizations keep generating data, so the classification should be revisited every quarter or six months to incorporate additions.

About the author: Faraz Ahmad is the CISO of Reliance Life Insurance, and has played a key role in designing and driving the data classification exercise at group company Reliance Capital.

(As told to Dhwani Pandya.)

All Rights Reserved, Copyright 2009 - 2010, TechTarget | Read our Privacy Policy