8 Steps Security Leaders Follow to Classify Sensitive Data
Data classification assigns a level of sensitivity to each piece of information within your enterprise. This makes it easier to locate and retrieve potential security risks before the bad actors do. Those who choose not to classify their data put their faith in an imperfect security system. Security leaders must consider these 8 steps when classifying their data.
Step 1: Treat Sensitive Data Differently
Every organization creates, stores, and manages lots of information, including sensitive data. Information such as holiday appointments in calendars is not sensitive. But a spreadsheet with employee Social Security numbers and driver’s license numbers is highly sensitive. Both are buried in the enterprise, but the two are not created equal.
To protect sensitive data, it must first be located, then classified. Classification means assigning a level of sensitivity to each piece of information. By treating sensitive data differently from the rest, it becomes easier to locate, retrieve and protect.
Step 2: Decide What Sensitive Data Means
Each business will define sensitive data differently. To complicate matters, various state and federal regulations define sensitivity differently. For example:
- HIPAA regulation has up to 18 identifiers of sensitive data that must be protected.
- PCI DSS regulation has one identifier, which is cardholder data.
- CIA triad (confidentiality, integrity, and availability) defines which data is and isn’t sensitive at a high level.
Step 3: Define the Data Classification Framework
The potential security exposure of a piece of data can vary. As the exposure level increases, its classification must reflect this. By mirroring exposure with classification standards, security leaders can better trust their chosen framework.
Step 4: Go Beyond Regulatory Compliance
Some data that is classified as sensitive will be unique to an organization. Others that are defined as sensitive by regulations are universal to all organizations. In this case, regulatory compliance is essential. But compliance does not equal security. To protect all sensitive data, security leaders must look beyond the data covered by regulations and security policies. They must also look at the company-specific sensitive data.
Step 5: Shrink the Sensitive Data Footprint
The Sony Pictures data breach in 2014 makes a good case for shrinking the data footprint. The scale of the data footprint was massive, making it impossible to protect.
- 601 files containing Social Security numbers
- 3,000+ Social Security numbers that appeared more than 100 times.
Such a proliferation of sensitive information makes it extremely difficult to prevent breaches. However, once the sensitive data footprint is reduced, it’s easier to protect.
Step 6: Search Every Enterprise-owned Device
Security leaders need to ensure that no hardware contains unprotected sensitive information. That means a search must be conducted wherever employees are storing data. This includes cloud services, shared spaces like file servers, databases and even images. Beware of “dark data,” operational data that is no longer being used. These potential blind spots must be found and eliminated.
Step 7: Implement Automated, Persistent Classification
Educating data producers, consumers and owners about their roles and responsibilities in protecting sensitive data, and empowering them to help reduce your exposure, is critical to shrinking your footprint. Those who produce data must be taught how to protect their sensitive data. This means the following:
- Communicate roles and responsibilities clearly to the team
- Add unique identifiers to file metadata to indicate sensitivity
- Automate the process so that, as new data is created, real-time monitoring classifies it
- Make data classification persistent and real-time
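Steps 3 and 7 together call for a classification framework whose levels track exposure, labels stored in file metadata, and classification that keeps running as new files appear. The following Python code is an added example for this article, not Spirion's product or code. The four levels, the mapping from identifier kinds to a minimum level, the sample files and the toy scanner are all assumptions made for the illustration; the label is written as a filesystem extended attribute (`user.classification`) where the platform supports it and as a sidecar JSON file otherwise.

```python
import json
import os
import re
import tempfile
import uuid
from pathlib import Path

# Classification framework (constructed): ordered from least to most exposure.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Minimum level implied by each identifier kind a scanner may report.
# Illustrative mapping, not a regulatory table.
IDENTIFIER_FLOOR = {
    "email": "Internal",
    "driver_license": "Confidential",
    "ssn": "Restricted",
    "cardholder_data": "Restricted",
}

XATTR_NAME = "user.classification"
SIDECAR_SUFFIX = ".classification.json"


def classify(findings: dict) -> str:
    """Return the highest level implied by any identifier found in a file.
    findings maps identifier kind -> number of occurrences."""
    level = "Public"
    for kind, count in findings.items():
        floor = IDENTIFIER_FLOOR.get(kind)
        if count > 0 and floor and LEVELS.index(floor) > LEVELS.index(level):
            level = floor
    return level


def write_label(path: Path, level: str) -> dict:
    """Persist a unique id and the level with the file itself.
    Prefer an extended attribute; fall back to a sidecar file where xattrs
    are unavailable (non-Linux platforms or filesystems without user.* support)."""
    label = {"id": str(uuid.uuid4()), "level": level}
    data = json.dumps(label).encode()
    try:
        os.setxattr(path, XATTR_NAME, data)
    except (AttributeError, OSError):
        path.with_name(path.name + SIDECAR_SUFFIX).write_bytes(data)
    return label


def read_label(path: Path):
    """Return the stored label, or None if the file has never been classified."""
    try:
        return json.loads(os.getxattr(path, XATTR_NAME))
    except (AttributeError, OSError):
        pass
    sidecar = path.with_name(path.name + SIDECAR_SUFFIX)
    return json.loads(sidecar.read_bytes()) if sidecar.exists() else None


def label_unlabeled(root: Path, scanner) -> int:
    """Classify every file under root that carries no label yet and return how
    many were labeled. Run from a schedule or a file-creation hook so that
    classification is persistent and keeps up with newly created data."""
    count = 0
    for path in root.rglob("*"):
        if not path.is_file() or path.name.endswith(SIDECAR_SUFFIX):
            continue
        if read_label(path) is None:
            write_label(path, classify(scanner(path)))
            count += 1
    return count


def demo_scanner(path: Path) -> dict:
    """Toy content scanner (constructed): counts formatted SSNs and e-mail addresses."""
    text = path.read_text(errors="ignore")
    return {
        "ssn": len(re.findall(r"\b\d{3}-\d{2}-\d{4}\b", text)),
        "email": len(re.findall(r"[\w.+-]+@[\w-]+\.\w+", text)),
    }


def demo() -> tuple:
    """Create three constructed files, classify them, then run again to show
    that already-labeled files are left alone."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll.csv").write_text("A. Example,123-45-6789\n")  # invented SSN
        (root / "contacts.txt").write_text("alice@example.com\n")
        (root / "menu.txt").write_text("Friday: pizza\n")
        first_run = label_unlabeled(root, demo_scanner)
        second_run = label_unlabeled(root, demo_scanner)
        levels = {p.name: read_label(p)["level"]
                  for p in root.iterdir() if not p.name.endswith(SIDECAR_SUFFIX)}
        return first_run, second_run, levels


if __name__ == "__main__":
    print(demo())
```

Because the label travels with the file, downstream controls (access rules, DLP, retention) can read one attribute instead of re-scanning content, and the second run labeling zero files is what "persistent" means in practice.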
Step 8: Reduce the Risk of Sensitive Data Exposure
Sensitive data classification is key to reducing the sensitive data footprint, and as the footprint shrinks, the risk of having that sensitive information exposed is greatly reduced. A sensitive data management program should provide clarity in the following ways:
- Know what to secure and what is public information
- Right-size controls by setting data classification levels. Don’t apply a one-size-fits-all strategy for access and protection
- Minimize the volume of sensitive data. Delete what is not needed and reduce the number of locations where the data is stored to protect confidentiality.
- Implement a clear Data Classification Policy
- Educate employees about their roles
- Automate data classification
Data classification makes it easier to locate and retrieve potential security risks before a breach occurs. If nothing is done and the data is not classified, the risk of security exposure increases greatly. Outlined above are the 8 steps security leaders must follow to classify and secure their data.
See how Spirion follows the 8 steps to classify and protect sensitive data. Schedule a customized risk assessment with one of our data security experts to see our data protection solutions in action.