Data classification, a foundation for compliance
The slew of data breaches seen over the past year, and increasingly stringent regulatory environments, are driving businesses to tighten their data security. To do this, though, object-level security must be correctly implemented and data properly classified.
So says John Mc Loughlin, MD of J2 Software, which distributes the solutions of managed security services provider SkyView Partners. "To classify data, all the data that resides within the business must be analysed, its value and sensitivity determined, and then a category assigned to it. A company's most valuable and sensitive data must be classified to ensure it is handled properly and, in turn, to remain compliant. Only once data is properly classified can IT administrators and security practitioners know how it must be stored, who can access it, and how long it must be stored for."
The first step, Mc Loughlin says, is determining who has access to the data. "The roles of any employees with access must be defined. For example, only HR and payroll need have access to employees' salary details, and sales and marketing staff would have no need for accounts payable, and so on."
Secondly, he says, the business must establish how the data is secured. "Is the information available to all, or are defaults and limits set? It's all very well to determine who has access to the data, but this is only the first step. The type of access needs to be defined too – whether they can access but not update, for example. Controls can be set to deny access to everyone but those who cannot do their jobs without that data. The principle of least privilege is good to enforce, and can prevent sensitive data from falling into the wrong hands."
Thirdly, Mc Loughlin says, decide how long the data must be kept for. "Different countries and industries have different requirements around data retention. Financial services would have longer retention periods for obvious reasons. The employees in charge of the data, and the CIO, must have a thorough knowledge of any regulatory requirements for the storage and retention of their data. Should there be no requirements in place, the length of time the data is kept for must be determined by the needs of the organisation."
Next, he says, comes the disposal of the company's data. "For many types and classifications of data, the disposal method is neither here nor there. However, extremely sensitive data must be disposed of accordingly, through cross-shredding or other secure methods. Some data would require staff PCs to be 'scrubbed' after files containing privileged information are deleted."
In terms of data usage, a policy should be formulated, determining which data can be used in which context. "For example, it must be decided if certain information is for use only within the organisation, or restricted for use by only chosen employees, or whether it can be used publicly, outside the business," Mc Loughlin adds.
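As an added illustration, not taken from the article or from J2 Software or SkyView Partners, the following Python sketch encodes the steps above as a policy table: each dataset gets a classification, an explicit role-to-action grant list (default deny, so least privilege holds), a retention period and a disposal method. The datasets, roles and retention values are constructed to mirror the article's examples and are not real policy values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"          # may be used outside the business
    INTERNAL = "internal"      # use only within the organisation
    RESTRICTED = "restricted"  # use by chosen employees only


@dataclass(frozen=True)
class DataPolicy:
    name: str
    classification: Classification
    access: dict            # role -> set of permitted actions; no entry means no access
    retention_days: int     # how long the data must be kept
    disposal: str           # how it is destroyed once retention ends


# Constructed sample policies (hypothetical values, not any real company's).
POLICIES = {
    "salary_details": DataPolicy("salary_details", Classification.RESTRICTED,
        {"hr": {"read", "update"}, "payroll": {"read"}}, 7 * 365, "cross-shred"),
    "accounts_payable": DataPolicy("accounts_payable", Classification.RESTRICTED,
        {"finance": {"read", "update"}}, 7 * 365, "cross-shred"),
    "press_releases": DataPolicy("press_releases", Classification.PUBLIC,
        {"marketing": {"read", "update"}, "*": {"read"}}, 365, "delete"),
}


def is_allowed(role: str, dataset: str, action: str) -> bool:
    """Least privilege as default deny: succeed only on an explicit grant."""
    policy = POLICIES.get(dataset)
    if policy is None:
        return False                      # unclassified data is not served at all
    granted = policy.access.get(role, set()) | policy.access.get("*", set())
    return action in granted


def retention_expired(dataset: str, created: date, today: date) -> bool:
    """True once the dataset's retention window has passed and disposal is due."""
    policy = POLICIES[dataset]
    return today > created + timedelta(days=policy.retention_days)


def disposal_method(dataset: str) -> str:
    return POLICIES[dataset].disposal
```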
In today's climate of burgeoning cyber crime and tightening legislation, security practitioners are kept very busy. Proper classification of data will help them focus their attention on the business's most sensitive and crucial information, make sure it is handled and secured appropriately, and remain compliant with current regulations.