FINAL WOR
2) Establish the scope
It’s important to establish where the boundaries will be early on; otherwise the scope can quickly grow out of control. This is particularly important when considering partners and third parties. How far into their network will, can or do you want to reach? Equally important is legacy and archived data. Where is it and how will it be protected? Finally, make sure to note anything that’s out of scope and ensure this is evaluated and adjusted regularly.
3) ‘Discover’ all sensitive data defined in the scope
Once data policy and scope have been established, the next task is to identify all the sensitive data that requires classification and protection within the business. Firstly, understand what data it is you are looking for. This could take many forms, ranging from personally identifiable information, payment card numbers and healthcare records through to business IP, source code and proprietary formulas etc. Next, focus on where this data is likely to be found, from endpoints and servers, to on-site databases and in the cloud. Remember that discovery is not a one-time event; it should be continuously re-evaluated, taking into account data at rest, data in motion and data in use across all business platforms.
For channel partners, providing data classification to clients provides a prioritised list of their data assets and enables them to focus the controls on the most important data.
4) Evaluate appropriate solutions
When the time comes to identify an appropriate data classification solution, there are plenty from which to choose. Many of the best solutions today are automated, and classification can be context-based (file type, location etc) and/or content-based (fingerprint, RegEx etc). This option can be expensive and require a high degree of fine-tuning but, once up and running, it is extremely fast and classification can be repeated as often as desired. An alternative to automated solutions is a manual approach, which allows users themselves to choose the classification of a file. This approach relies on a data expert to lead the classification process and can be time intensive, but in businesses where the classification process is intricate and/or subjective, a manual approach can often be preferable.
A final option is to outsource the classification process to a service provider or consulting firm. This approach is rarely the most efficient or cost-effective, but can provide a one-time classification of data and give any business a good idea of where it stands in terms of compliance and risk.
5) Ensure feedback mechanisms are in place
The final stage is to ensure there are effective feedback mechanisms in place that allow swift reporting both up and down the business hierarchy. As part of this, data flow should be analysed regularly to ensure classified data isn’t moving in unauthorised ways or resting in places it shouldn’t be. Any issues or discrepancies should be immediately flagged for follow up.
With data now playing a pivotal role in nearly every business around the world, the ability to track, classify and protect it is no longer a luxury. An effective data classification strategy should form the cornerstone of any modern security initiative, allowing businesses to quickly identify the data most valuable to them and ensure it is safe at all times.
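The context-based and content-based classification described in step 4, applied to the payment card numbers named in step 3, as an added example that is not part of the original article. The label names, the location and file-type rules and the sample text are assumptions made for illustration; the Luhn check stands in for the fine-tuning the article mentions, since a bare RegEx also matches order IDs and other long digit runs.

```python
import re

# Content rule: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Context rules and label names are assumptions made for this example.
LOCATION_RULES = {"/finance/": "CONFIDENTIAL"}  # path fragment -> label
FILETYPE_RULES = {".sql": "INTERNAL"}           # file extension -> label
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]  # low to high
# Constructed sample: a look-alike order ID and a well-known test card number.
SAMPLE = "Order 1234567890123456 paid with card 4111 1111 1111 1111."


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that the regex matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return masked card-number candidates that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def classify(path: str, text: str) -> tuple[str, list[str]]:
    """Combine context (path) and content (regex + Luhn); highest label wins."""
    lowered = path.lower()
    found = [("PUBLIC", "default")]
    found += [(lab, f"location:{frag}")
              for frag, lab in LOCATION_RULES.items() if frag in lowered]
    found += [(lab, f"filetype:{ext}")
              for ext, lab in FILETYPE_RULES.items() if lowered.endswith(ext)]
    cards = find_cards(text)
    if cards:
        found.append(("RESTRICTED", f"content:{len(cards)} card number(s)"))
    label = max((lab for lab, _ in found), key=LEVELS.index)
    return label, [why for _, why in found[1:]]
```

Only the masked last four digits are returned, so the classifier's own output does not become another copy of the sensitive data.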