As an information security practitioner, there are times when you look at the security landscape for your organization and think, "Wow, there are definitely areas we can improve on." Many of these areas, like Data Classification, are not necessarily easy to tackle, and execution may even seem impossible!
What types of data need to be protected?
One segment of data has a clearly defined need for protection: customer data. Putting forth only the minimum effort required for compliance is a shortsighted view of a larger data classification need, because so many other groups of data fall into a grey area. In this grey area live seemingly endless quantities of private information, such as:
- Employee information that human resources maintains (salary, healthcare info, address, etc.)
- Information relating to mergers and acquisitions
- Access codes
- Combinations to vaults
- Minimum cash limits
How do we classify the sensitivity of this data?
This data certainly doesn’t fall into the larger category of customer information, but it still needs to be protected from exposure. What’s more, this gap in classification will start to show when you look at initiatives such as DLP, rights management, DR, incident response, optimization, technology spend justification and, now, cyber-insurance requirements.
Take the time to look at how you are classifying data, what types of data labels you are using, and how data classification feeds into larger initiatives. You may be surprised at how many areas this touches and how it can be leveraged to support the initiatives listed above.
If you need help understanding how Data Classification can help you, or if you need help building out a more comprehensive Data Classification scheme, please contact us at firstname.lastname@example.org.