The 5 Steps to Effective Data Classification:
- Identify your sensitive and high value data
- Discover the location and accessibility of your sensitive data
- Classify data according to its value to the organization
- Secure: employee security control and protection measures
- Monitor: measure and evolve security practices
Using data classification as part of a strategy to secure corporate data assets is sometimes referred to as "locking up the crown jewels." But data security neither starts nor ends with the act of controlling access to information. Nor should a security policy be limited to protecting only the most valuable data; even less critical information can damage the business if it’s lost or leaked at the wrong time.
First, you need to build a strong foundation of knowledge around your data, to understand exactly what you hold and the potential risks to its security. Picture your organization as the Tower of London. If you don’t know where your crown jewels (and less sparkly assets) are, you’ll end up locking every door – or leaving the wrong doors open, exposing them to risk.
This process begins with identifying the types of data that are of greatest importance to the business, so you can pinpoint where you need to focus protection and controls.
Your most valuable and sensitive data (your crown jewels) might include:
- Data assets – such as the information on a CRM database
- Business-critical documents including strategic plans and agreements
- Documents or information that are subject to regulations
- Intellectual property (IP), such as product designs and technical specs
- Personal information – for instance, employees’ details
More often than not, however, a company’s most vulnerable point will not be its crown jewels; it’s likely they’ll already have been recognized and heavily protected. It’s the more everyday sensitive data that people don’t think about, like customer lists, contracts, or time sensitive documents such as company results and press releases that are most likely to be leaked or lost. This data must also be identified and protected.
A helpful way of determining the value of a piece of information – and the risks to be managed – is to think about the impact if it was leaked or lost. Would it harm the business, for example by damaging the brand, incurring a fine from the regulators (for breaching the EU GDPR, for example) or eroding competitive advantage? If it got into the public domain, would it expose your customers, partners or suppliers? Would it put an employee’s security or privacy at risk? Would you be breaching a contract?
Once you’ve defined the data that is most at risk, you can start to find out where your sensitive data is located.
Dive Deeper
This guide will take you through the 5 steps to implementing effective data protection within your organization, and detail how data classification can also enhance previously implemented tools, such as data loss prevention tools (DLP), data discovery tools, data governance tools and more.