Without effective data classification, information security remains a half-baked stew at best. In this context, jumping onto the best information security solution, such as information rights management (IRM), without spending adequate time and thought on data classification is like constructing a building without laying the foundation. While data classification may seem like a mundane activity of sorting data into silos of sorts, the truth remains that it provides direction to your information security endeavours, especially from an Indian context.
Obviously, you will not want to extend military-grade security to ‘Public’ information. At the same time, you don’t want anything less than the highest level of security for ‘Top Secret’ information. Data classification permits you to optimize your information security spending. Lack of data classification can also lead to expensive data breaches.
Failing to classify data can lead to severe data losses. For example, ChoicePoint, a US firm that provides information to insurance companies, lost the data of 1,50,000 consumers. Bank of America lost information on 1.2 million government employees. These were not failures of information security as such, but failures of inadequate data classification—ones that cascaded into inadequate security. Very clearly, mistakes in data classification can be extremely expensive.
What are the possible mistakes in the area of data classification? Thinking out loud, there
Considering data classification a technology issue: Although data classification is the precursor to many information security implementations, it is not a matter of technology. Data classification is a matter for the business, and the method of data classification has to be decided by the business – not by technology. If the information security department or IT department plans and decides on data classification, not only will they produce a poor data classification, but such an exercise is also likely to face resistance from business users.
Not getting ‘buy-in’ from the business side: The second mistake is closely related to the first one. Very clearly, if data classification is not a technological issue, it is a business issue. So the business team has to be evangelized about data security. This is more a matter of human relations and communication than of technology. Information security personnel are prone to living in their own cocoons, without making the effort, or having the talent or skills, to get ‘buy-in’ from the business side.
Complicating data classification: Striving to be ‘perfect’ may prevent a data classification exercise from being ‘good enough’. While trying to design the best possible data classification, there is a risk of making the scheme extremely complicated. This may introduce errors while actually classifying data or, even worse, put people off data classification entirely. Planning a complicated data classification may also delay the start of your data classification implementation.
Inadequate training: The fourth routine mistake is inadequate staff training on data classification. This is different from getting ‘buy-in’ from management for data classification. Although getting buy-in is an executive decision, getting staff trained on data classification is essential to ensure that the ‘line’ as well as the administrative staff understand the nuances and finer points of data classification. Launching data classification without adequate training can be dangerous — many a time, it can even lead to huge data breaches.
Considering data classification a mundane ritual: It’s important that staff realize the importance of data classification and its pertinence to securing organizational information. Should the staff regard data classification as a mundane activity and carry it out in a cavalier manner, it could seriously jeopardize organizational wellbeing and sabotage any subsequent information security implementation.
Clearly, data classification is important and should be regarded as such. In light of the above analysis, the following is recommended:
- Regard data classification as a business matter — not technology
- Get buy-in from the business side for data classification
- Design simple data classification
- Train staff well on data classification
- Ensure that your staff realize the importance of data classification
Data classification is not rocket science; yet mistakes in data classification are common. Just as a bright student is apt to make silly mistakes during an examination, enterprises are equally liable to slip on the data classification front, perhaps because of its deceptively simple nature. However, understanding the importance of data classification and its business nature can help your company plan a data classification initiative with the required cooperation from the business and the implementation staff.
About the author: Prabhakar Deshpande is a seasoned IT professional with strengths in project management, business analysis, marketing and journalism. He works for Seclore Technology as a product evangelist.
This was first published in November 2012