Welcome to part five in our blog series on The Definitive Guide to Data Classification. The first four posts in the series have covered the fundamentals of data classification, how it can drive your information security strategy, how to best choose the right classification method for your business, and getting organizational support for your data classification program. In this installment we offer several tools designed to promote success in your classification program and keep your sensitive data where it belongs.
Frameworks to Rule the World
Frameworks sometimes get panned for being too simplistic, but the reason they persist is the 80/20 rule. They may not get you to 100% (if that is even possible given the pace of business, and since each company is different), but they give you a place to start your efforts, with the guidance you need when it is all new. Forrester Research created a “Data Security & Control Framework” to guide you on your data protection journey. It breaks the process of controlling and securing data into three steps: Define, Dissect, Defend. The first step includes data discovery and classification. Once you know what types of sensitive data you have and where they reside, you can kick off the Dissect and, ultimately, Defend steps.
Define the Iterative Process
Once your infosec team understands the value that data classification can bring, where do you start? Executive buy-in ensures you get the attention you need. To get alignment from the senior leadership team, use the tips from our previous blog, Selling Data Classification to the Business. Next, document the goals, objectives, and strategic intent behind the classification project; this plan will help you stay on course. Setting yourself up for success means not biting off more than you can chew: establish a realistic scope, with explicit limits, to reduce the likelihood of scope creep.
Document it All
To be effective, your classification program needs a well-defined policy. This includes the right number of classification categories and clear mapping of your data to those categories. PricewaterhouseCoopers, among many security analysts and consultants, recommends you start with just three categories: Public, Private, and Restricted. Only if those three prove insufficient should you add more categories. Once you have your classification categories established, build a table that includes their definitions, example documents, repercussions if leaked, and the security controls in place for each. This table serves as your classification guideline.
Lay out the Ground Rules
Classifying your data consistently requires a structured approach that eliminates as much guesswork as possible. Forrester suggests evaluating data across three dimensions, ranking it as High, Medium, or Low with regard to Identifiability, Sensitivity, and Scarcity, to build your data protection map. Data that ranks Low across all three (e.g. a product datasheet) typically falls into the “Public” category. Data that ranks High across all three (e.g. payment card information or intellectual property) typically falls into the “Restricted” category. Data with a mixture of High, Medium, and Low rankings (e.g. upcoming press releases) typically resides in the “Private” category.
Data classification can give your data security program a boost in accuracy and effectiveness, but you need to follow some simple steps to set yourself up for success. Starting with a framework, following a process, documenting as you go, and applying a consistent approach all set you on the path to keeping your sensitive data protected. For more tips on data classification success, read our eBook, The Definitive Guide to Data Classification.
Read more in our Definitive Guide to Data Classification Series
- Getting Started with Data Classification
- Data Protection: Knowing is Half the Battle
- How Should You Classify Your Data? A Guide to Using Context-, Content-, and User-Based Data Classification Effectively
- Selling Data Classification to the Business: 3 Tips for Getting Organizational Buy-In
- Setting Yourself Up to Win: Guidance for Data Classification Success