In the last few years, data classification has shifted dramatically from a “nice to have” tool to a necessity.
Behind this momentum, private companies and organizations are implementing data classification using “traditional” taxonomies and schemas that work for governments and militaries but don’t necessarily translate well into the workflow or culture of commercial enterprises.
Many of our first customers were large government and military organizations who were familiar with the concept of classification.
We all remember the “secret” and “top secret” rubber stamp with red ink used to classify paper documents and files before the dawn of digital productivity tools.
As a result, when government and military customers began to deploy data classification into their organizations, their users were already well educated on the meanings and appropriate use of the classification taxonomies within the policy.
Since data classification has moved into commercial enterprises, the template for classification has remained unchanged.
As a result, many enterprises have struggled to find a way to align classification labels and policies to meet their own unique needs.
As private industries such as banking, finance, and healthcare, to name a few, adopt classification, Fortra’s Data Classification Suite has been helping our customers adapt taxonomies and policies for faster user adoption and more flexible security policy options.
Enter data categorization
In recent years, we’ve seen the likes of analyst firm Forrester pushing organizations to start thinking beyond a traditional classification taxonomy focused exclusively on sensitivity (Public, Confidential, Highly Confidential, Secret), into actually using data categories to help determine sensitivity.
While some organizations might be able to adopt a standard taxonomy, using basic levels of classification, most – particularly those organizations operating in highly regulated industries – will need a more granular classification taxonomy, and may struggle to trust that their users will select the right classification.
Will they be able to discern when something is sensitive enough to be upgraded from “Internal” to “Restricted”?
While we can present users with classification label definitions, and even use automated algorithms to provide classification suggestions, there remains a feeling that assigning sensitivity is so new to users that they might not get it right.
This is where the concept of data categorization enters the discussion – rather than asking employees about the sensitivity of the data, ask employees to identify the category of the data.
For example, most employees don’t know the difference between “highly confidential” and “confidential,” but they can tell you if a document contains employee information or intellectual property and if it’s approved for public use.
Once the category is assigned by the user, the automated algorithms have new information that can be used (along with the information content, the user profile, and other contextual factors) to automatically assign the appropriate classification.
Categorization can be simple yet powerful.
Several customers of Fortra’s Data Classification Suite have adopted categorization to help them comply with onerous regulations such as ITAR and CUI, using the simplest of questions:
“Does this information contain technical data, Yes or No?”
If “No” then move on.
If “Yes” then a couple more questions are presented to guide the users to the right selections.
Categorization is another way in which Fortra’s Data Classification Suite helps to make sure your data classification and data identification initiatives are as simple and successful as possible.
We’re a leader in data classification
Fortra’s Data Classification Suite enables organizations to confidently share information while complying with government and industry regulations.
Our data classification solution – a 2020 Cybersecurity Excellence Award winner – provides the essential classification tools to clearly inform both your people and your policies on what information should be secured and how to handle it.