One of the more difficult and time-consuming projects in info-sec is data classification. It’s especially difficult if you’re on a budget, which every company is. When an organization is fairly new to the security and risk-driven mindset and must prioritize its efforts to achieve the most bang for its buck, Data Classification is often near the bottom of the list.
But why is it so tough?
- It’s dependent on and intertwined with other projects and processes. A good asset inventory must first exist, covering every repository of data, including cloud services, paper, and that Access database everyone forgot about that still has an ODBC connection to sensitive data.
- It’s dependent on and intertwined with culture. Data owners and custodians must understand their accountability and their role in protecting data. At its heart it’s not really an IT issue. It’s a business issue.
- It never ends. Any business is constantly changing, purchasing new software, or getting involved in mergers and acquisitions. Without good vendor risk management processes, your users can circumvent your thoughtful Data Classification Program.
One of the major reasons it gets pushed down the risk register is that other issues can bring significant risk reduction with much less effort and cost. Document and rehearse your Incident Response Plans. Conduct an entitlement review on Active Directory. Get your scanning and vulnerability management under control. Implement MFA. All of these activities are higher on the list (and probably should be) than Data Classification.
With that being said, privacy laws are becoming more prominent, and with GDPR and others you may be exposing your business to substantial risk if Data Classification isn’t given sustained attention.
If you’re just starting Data Classification, here are the concepts in general terms.
- Create a policy. This policy should create a framework to break the data elements into buckets (for example: public, internal use only, or confidential) to avoid inconsistency in how data are protected. Choose which data elements elevate a data set to the higher level.
- Create a list of all data repositories. This means every single place that data could be stored. If you’re using a third-party vendor to store data, this doesn’t absolve you of your responsibility to ensure the data is adequately protected. This is usually where it gets difficult. Many businesses vastly underestimate the number of repositories they control. If you allow local admin rights, or people are free to use their private Dropbox, it can be daunting. Your data could be literally anywhere that any end user chooses it to be. This is why it’s wise to get control of assets and software deployment first.
- Working with Asset Owners/Data Owners, decide who needs access to that data to do their jobs, and set a schedule for entitlement reviews to catch terminations and transfers. A job role may need access to a CRM, a portion of a shared drive, an HR portal, and email. A data flow diagram that represents a standard process is very helpful for understanding this. This step is where you might notice that the “Everyone” group has rights to large swaths of your shared drive (where HR documents or spreadsheets full of passwords live).
- Ensure that repositories have adequate levels of protection according to your data classification. Perhaps you’ve decided that all “Confidential” data will be encrypted at rest, encrypted in transit, and have MFA enabled. This step is where you note the deficiencies against that standard and begin working through them.
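The four steps above boil down to a handful of rules that can be checked mechanically once the inventory exists: which data elements elevate a repository to a higher bucket, which controls each bucket requires, and which broad groups should never hold rights to non-public data. The following is an added example (not code from the original post or from ProCircular) that encodes such a policy and runs it over a small, constructed inventory; the element names, tiers, control names and repositories are all assumptions for illustration.

```python
"""Check a constructed repository inventory against a data classification policy.

Added example: the policy tables below are assumptions, not a published standard.
"""
from dataclasses import dataclass

# Step 1 (assumed policy): which data elements pull a data set into which bucket.
ELEMENT_TIER = {
    "ssn": "confidential",
    "password": "confidential",
    "salary": "confidential",
    "employee_name": "internal",
    "marketing_copy": "public",
}
TIER_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Step 4 (assumed policy): minimum controls per bucket.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"access_review"},
    "confidential": {"encrypt_at_rest", "encrypt_in_transit", "mfa", "access_review"},
}

# Step 3: groups that should never hold rights to non-public data.
BROAD_GROUPS = {"everyone", "domain users", "authenticated users"}


@dataclass
class Repository:
    """One entry from the step 2 inventory (constructed for this example)."""
    name: str
    elements: set       # data elements known to live here
    controls: set       # protections currently in place
    access_groups: set  # groups granted access


def classify(elements):
    """Return the highest bucket of any element present.

    An element the policy does not list is treated as 'internal' so that a
    gap in the policy never silently downgrades a repository to 'public'.
    """
    tier = "public"
    for element in elements:
        candidate = ELEMENT_TIER.get(element.lower(), "internal")
        if TIER_RANK[candidate] > TIER_RANK[tier]:
            tier = candidate
    return tier


def check_repository(repo):
    """Return (tier, findings) for one repository."""
    tier = classify(repo.elements)
    findings = []
    # Elements the policy owner has not classified yet are a finding in themselves.
    for element in sorted(e for e in repo.elements if e.lower() not in ELEMENT_TIER):
        findings.append(f"{repo.name}: element '{element}' is not in the classification policy")
    # Controls the bucket requires but the repository lacks.
    for control in sorted(REQUIRED_CONTROLS[tier] - repo.controls):
        findings.append(f"{repo.name}: {tier} data missing control '{control}'")
    # Broad groups with rights to anything above public.
    if tier != "public":
        for group in sorted(g for g in repo.access_groups if g.lower() in BROAD_GROUPS):
            findings.append(f"{repo.name}: broad group '{group}' has access to {tier} data")
    return tier, findings


def review_inventory(repos):
    """Map repository name -> (tier, findings) for the whole inventory."""
    return {repo.name: check_repository(repo) for repo in repos}


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    Repository("hr-share", {"employee_name", "salary", "ssn"},
               {"encrypt_at_rest"}, {"Everyone", "HR"}),
    Repository("public-web", {"marketing_copy"}, set(), {"Everyone"}),
    Repository("crm", {"employee_name", "customer_email"},
               {"access_review", "mfa"}, {"Sales"}),
]

if __name__ == "__main__":
    for name, (tier, findings) in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name} [{tier}]")
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints each repository's bucket followed by its deficiency list; the HR share comes out confidential with three missing controls and the Everyone group flagged, the public web content is clean, and the CRM surfaces an element the policy has not yet classified, which is the kind of gap the "it never ends" point above refers to.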
Of course, there is more, such as deciding on and adhering to your data destruction policy and procedure. You should also assign a point person to drive this project over time. This Data Protection Officer (DPO) should be sufficiently high in the organization to drive change and to help others understand why it's important to accomplish the task. They’re also tasked with monitoring the regulatory environment to understand the laws and regulations that may be applicable to your company.
In a nutshell, I’d focus on the following core concepts:
- Find where data could live
- Control who has access to that data
- Ensure there are protections for sensitive data
There are some tools that make sensitive data in unstructured repositories easier to find; they scour your network for data elements, but please understand that it might not be as turnkey as one might hope. This endeavor requires cooperation from department leaders and a culture shift. It’s a process, not a project.
If you would like consulting and guidance on how to build or refine your Data Classification program, please reach out to us at ProCircular as we would be happy to help.