The client is a global insurance and reinsurance organization, founded in 2002, with over 1,200 employees based across 11 countries.
Several factors, including significant regulatory changes (GDPR, NYDFS, etc.) and a number of third parties dealing with client data, meant the Client needed to implement a data classification solution that would be globally adopted and allow for classification consistency across the organization, while ensuring all sensitive data remained secure.
There were a number of reasons that the Customer decided to look for a classification solution. In 2015, as part of the Cyber Security Strategy planning within the organization, it was agreed that they needed to be able to identify their key risks. An external risk review was performed throughout the organization, and one of its recommendations was that they should develop a classification policy to give them a better risk view of their data in the event of a security breach. This was something that struck a chord with the Customer’s security team; the ever-increasing risks and costs associated with data breaches and data loss incidents are only too apparent these days. Therefore, they needed to ensure that the data they hold and process is as secure as possible.
Furthermore, there was an additional risk to the organization, in that the Customer relies on many third parties who deal with client data. For this reason it was crucial to ensure that all data is protected adequately no matter where it travels and who has access to it.
There have also been significant regulatory changes, with a stronger emphasis on security breach penalties, with which the Customer needed to ensure compliance. These include the introduction of the EU General Data Protection Regulation (GDPR) in May 2018, and new regulations implemented by the New York State Department of Financial Services (23 NYCRR 500), which were effective as of March 2017, with new phases being rolled out up until 2019.
The Customer’s first step in implementing a data classification solution was to ensure they had a fully working information classification policy. To create this they involved the business community beyond the IT and Security department in order to get company-wide buy-in to the data classification project.
When the Customer began looking for a data classification solution, they knew they needed something that would integrate well in an unstructured data environment, was end-user friendly and had good reporting functionality. Having looked at the products available, the Customer chose Fortra's Classifier Suite as the stand-out product in the market, and the one they wanted to implement throughout the organization.
Initially, an implementation pilot was run with a few key members of the IT team, and then extended out to a list of pilot users put together by the Group’s Global Heads. This extended pilot allowed the organization to iron out the naming conventions they had initially chosen, and ensure that all classification labels would be understood correctly by users.
In line with commencing the full global roll-out, the Customer ensured they had a well-planned and comprehensive communications strategy in place to educate new users. This included assets such as explanatory blog articles, C-Level emails to all staff, a series of e-shots with links to informative material, breakfast briefings, and lunch and learn sessions. Alongside all the materials they had in-house, the Customer also wanted a custom-made “how-to” video, which guides users through the classification process specific to their organization – something Fortra's Classifier Suite team were able to create for them in time for the roll-out.
Following the completion of the global roll-out, the Customer plans to again review the policy structure and rules to ensure that the software is working to exactly the right standards for the organization. They also plan to integrate Classifier with their Data Loss Prevention (DLP) framework, enhancing the solution's effectiveness. Implementing a data classification solution has allowed the Customer to work together as a global organization towards a unified data strategy, while ensuring their sensitive data is protected at all times – and lays a strong foundation for effective data security well into the future.