Getting To Grips With Data Classification

Sean Glynn,

Data classification has to be done, so where do you start, where do you stop and what do you do the in the meantime? Credant’s Sean Glynn explains.

Data classification is not a new concept. It is a fundamental requirement for information security, and the consequences of failing to fully implement a data classification scheme can be disastrous. Nevertheless, while many organisations start data classification projects they all too often struggle to complete them.

Data classification essentially means assigning a level of sensitivity to data used by an organisation, and it forms a critical component of Information Lifecycle Management (ILM). While classification systems vary from country to country, and indeed organisation to organisation, most have levels corresponding to the following general definitions (from the highest level to lowest): top secret; secret; confidential; restricted (or sensitive); and unclassified.

While computer programs exist that can help with data classification, ultimately it is a subjective business and is often best done as a collaborative task that considers business, technical, and other points-of-view. Different departments within an organisation all need to be consulted and will have different views on what is, and isn’t, sensitive and how it is best protected.

An additional aspect to consider is whether a document that is confidential today will remain so for the duration of its life. For example, a public company’s financial results will be extremely sensitive prior to announcement yet, once in the public domain, confidentiality is no longer an issue.

With so many people involved in the decision process, and the constantly changing status of information, it is easy to see what causes delays or even the complete downfall of many data classification projects.

Practical Tips for Implementing a Data Classification Scheme

With these challenges identified, we’ve outlined some practical approaches to implementing a data classification scheme to help you get started:

  • Understand what is realistically achievable: If you’ve ever tried to do everything at once you’ll recognise that inevitably nothing gets done and the same is true with data classification. That said, it is equally true that something is better than nothing. By breaking the project down into smaller, targeted and manageable pieces with regular reviews and implementation targets, you will start to chisel away at the task.
  • Set the bar at a realistic height: There are varying degrees of discipline and compliance with a data classification project. Unfortunately, not every organisation is lucky enough to have a completely disciplined workforce so, if there is likely to be resistance, opt for a simpler scheme  rather than one that is overly regimented or complex and so likely to cause resistance  among users.
  • Keep your friends close and your enemies closer: Regardless of how rigid or simplistic your control strategy is, it is going to need support from others within the organisation if it’s to be accepted and embraced. By consulting with key individuals early on in the process, and ensuring they feel part of its design and introduction, the project is less likely to receive hostility during its implementation.
  • Approve the data classification strategy asap, even if full implementation is delayed. First, it costs nothing at this stage; secondly, any new systems can be designed with data classification in mind, narrowing the implementation burden to existing systems; and finally, if confidential information is inadvertently disclosed, the security program can point to the classification strategy and push accountability to the line of business managers that have not yet implemented it.
  • Use regulation to argue your case: Increased legislation is one of the most effective tools that can be used by a security program. Reference these regulations to bring awareness of the need for data classification and give the security program the necessary muscle and support to get implemented.
  • Classify networks instead of data: For organisations where classification of data appears to be an unreachable goal, try classifying the networks instead of the data.  Whilst network classification is not a trivial exercise, it is often easier than the implementation of a comprehensive data classification scheme for data that is digitally stored in large organisations.
  • Something is better than nothing: While you’re going through the process of identifying your sensitive data and how best to protect it, it will quickly become clear if you have sensitive data that needs protecting. A comprehensive endpoint data encryption solution, protecting data where it resides on laptops, desktops, smartphones and the now ubiquitous USB Thumb Drives everyone seems to use, is an important tool that can be rolled out across the organisation, even before a data classification project is completed, and can then be utilised moving forwards. However, be warned, not all encryption solutions offer the same protection. Ideally, you need something that:
    – can be rolled out, managed and maintained centrally
    – is user specific, not device dependant, so that even if a PC is shared the users data isn’t
    – will be enforced so users can not circumnavigate its use
    – covers all forms of data regardless of the program in which it is created; the network where it resides or the device it is carried on
    – should not impede the device’s performance

There is no short cut to faster data classification but there are solid arguments for why it should be undertaken – correctly. While it is true that information can’t be adequately protected if there’s no way of tracking its location, value and sensitivity to leakage, equally while it’s waiting to be rated it is vulnerable to exploitation. If you know you’ve got valuables somewhere in the building, you install an alarm system and make sure entry and exit points are secured – shouldn’t you at least do the same for your data?

Classification Definitions

Top Secret (TS): The highest level of classification of material on a national level. Such material would cause “exceptionally grave damage” if made publicly available.
Secret: Such material would cause “grave damage” if it were publicly available.
Confidential: Such material would cause “damage” or be “prejudicial” if publicly available.
Restricted: Such material would cause “undesirable effects” if publicly available. Some countries do not have such a classification.
Unclassified: Technically not a classification level, but is used for documents that do not have a classification listed above.

Sean Glynn is vice president of product development at Credant Technologies

Data classification is not a new concept. It is a fundamental requirement for information security, and the consequences for failing to fully implement a data classification scheme can be disastrous. Nevertheless, while many organisations start data classification projects they all too often struggle to complete them. This article outlines what should be included in a data classification project, examines why many fail to get off the ground and the steps companies should take to protect sensitive data while it’s in progress.

Data classification essentially means assigning a level of sensitivity to data used by an organisation, and it forms a critical component of Information Lifecycle Management (ILM). While classification systems vary from country to country, and indeed organisation to organisation, most have levels corresponding to the following general definitions (from the highest level to lowest): top secret; secret; confidential; restricted (or sensitive); and unclassified.

While computer programs exist that can help with data classification, ultimately it is a subjective business and is often best done as a collaborative task that considers business, technical, and other points-of-view. Different departments within an organisation all need to be consulted and will have different views on what is, and isn’t, sensitive and how it is best protected. An additional aspect to consider is whether a document that is confidential today will remain so for the duration of its life. For example, a public company’s financial results will be extremely sensitive prior to announcement yet, once in the public domain, confidentiality is no longer an issue.

With so many people involved in the decision process, and the constantly changing status of information, it is easy to see what causes delays or even the complete downfall of many data classification projects.

Practical Tips for Implementing a Data Classification Scheme
With these challenges identified, we’ve outlined some practical approaches to implementing a data classification scheme to help you get started:

· Understand what is realistically achievable: If you’ve ever tried to do everything at once you’ll recognise that inevitably nothing gets done and the same is true with data classification. That said, it is equally true that something is better than nothing. By breaking the project down into smaller, targeted and manageable pieces with regular reviews and implementation targets, you will start to chisel away at the task.

· Set the bar at a realistic height: There are varying degrees of discipline and compliance with a data classification project. Unfortunately, not every organisation is lucky enough to have a completely disciplined workforce so, if there is likely to be resistance, opt for a simpler scheme ratherthan one that is overly regimented or complex and so likely to cause resistance among users.

· Keep your friends close and your enemies closer: Regardless of how rigid or simplistic your control strategy is, it is going to need support from others within the organisation if it’s to be accepted and embraced. By consulting with key individuals early on in the process, and ensuring they feel part of its design and introduction, the project is less likely to receive hostility during its implementation.

· Approve the data classification strategy asap, even if full implementation is delayed. First, it costs nothing at this stage; secondly, any new systems can be designed with data classification in mind, narrowing the implementation burden to existing systems; and finally, if confidential information is inadvertently disclosed, the security program can point to the classification strategy and push accountability to the line of business managers that have not yet implemented it.

· Use regulation to argue your case: Increased legislation is one of the most effective tools that can be used by a security program. Reference these regulations to bring awareness of the need for data classification and give the security program the necessary muscle and support to get implemented.

· Classify networks instead of data: For organisations where classification of data appears to be an unreachable goal, try classifying the networks instead of the data.  Whilst network classification is not a trivial exercise, it is often easier than the implementation of a comprehensive data classification scheme for data that is digitally stored in large organisations.

· Something is better than nothing: While you’re going through the process of identifying your sensitive data and how best to protect it, it will quickly become clear if you have sensitive data that needs protecting. A comprehensive endpoint data encryption solution, protecting data where it resides on laptops, desktops, smartphones and the now ubiquitous USB Thumb Drives everyone seems to use, is an important tool that can be rolled out across the organisation, even before a data classification project is completed, and can then be utilised moving forwards. However, be warned, not all encryption solutions offer the same protection. Ideally, you need something that:

­ can be rolled out, managed and maintained centrally

­ is user specific, not device dependant, so that even if a PC is shared the users data isn’t

­ will be enforced so users can not circumnavigate its use

­ covers all forms of data regardless of the program in which it is created; the network where it resides or the device it is carried on

­ should not impede the device’s performance

There is no short cut to faster data classification but there are solid arguments for why it should be undertaken – correctly. While it is true that information can’t be adequately protected if there’s no way of tracking its location, value and sensitivity to leakage, equally while it’s waiting to be rated it is vulnerable to exploitation. If you know you’ve got valuables somewhere in the building, you install an alarm system and make sure entry and exit points are secured – shouldn’t you at least do the same for your data?

Box Out : Classification Definitions (86 words)

Top Secret (TS): The highest level of classification of material on a national level. Such material would cause “exceptionally grave damage” if made publicly available.

Secret: Such material would cause “grave damage” if it were publicly available.

Confidential: Such material would cause “damage” or be “prejudicial” if publicly available.

Restricted: Such material would cause “undesirable effects” if publicly available. Some countries do not have such a classification.

Unclassified: Technically not a classification level, but is used for documents that do not have a classification listed above.