February 25, 2016
Sensitive Data Classification
Data classification is simple—it entails taking security measures by assigning a level of sensitivity to each piece of information, making it easier to locate and retrieve. Classifying data is essential in enabling enterprises to make sense of their vast amounts of data. Without sensitive data classification, an organization treats all data as if it were the same. You can’t know the level of sensitivity of any specific data because it hasn’t been properly categorized. Failing to classify data increases the risk of it being compromised. It also increases the possibility that you could be placing security controls on data that isn’t, in fact, in fact sensitive, leading to loss of productivity and efficiency.
This eBook highlights how you can classify your data so you can reduce your sensitive data footprint. Here are a few highlights from the eBook:
Treat Sensitive Data Differently
Your organization creates, stores and manages lots of data, some of which is sensitive and some not. For instance, a digital calendar stored on your server listing national holidays is public information, while a spreadsheet with employee Social Security numbers and driver’s license numbers are highly sensitive and should be restricted data.
To protect your sensitive data, first you need to locate it. Once that’s done, your next step should be to properly classify it, which means assigning a level of sensitivity to each piece of information, making it easier to locate, retrieve and protect.
Decide What’s Sensitive for Your Organization
Each business will define sensitive data differently, and each regulation has varying levels of compliance requirements. For example, the HIPAA regulation has up to 18 identifiers of sensitive data that must be protected. On the flipside, the PCI DSS regulation has one identifier, which is cardholder data. You can use the CIA triad—confidentiality, integrity, and availability—as a model to determine what data is and isn’t sensitive.
Formulate Your Data Classification Framework
As the potential impact level of a piece of information moves from low to high, the sensitivity increases, and therefore, the classification level of data should become higher and more restrictive.
Protect Data Covered By Regulations
Some data that you classify as sensitive will be unique to your organization, but others are covered by regulations and are sensitive for all organizations. Complying with laws and regulations is obviously essential—but remember that compliance does not equal security. To protect all your sensitive data, you need to look beyond data covered by regulations and security policies identify your company-specific sensitive data.
Shrink Your Sensitive Data Footprint
The Sony Pictures data breach in 2014 makes a good case for shrinking your data footprint. A big part of the problem for Sony was that they had 601 files containing Social Security numbers and over 3,000 Social Security numbers that appeared more than 100 times. Such a proliferation of sensitive information makes it extremely difficult to prevent breaches. Once you reduce your footprint, it’s easier to take security measures to protect your sensitive data.
Search Every Device You Own
If you’re wondering where you need to search for sensitive data, here’s a guideline: If your company owns the hardware, you need to make sure it doesn’t contain unprotected sensitive information. That means you have to search wherever your employees are storing data, including cloud services and in shared spaced like file servers, in databases and even images. Beware of “dark data,” which is operational data that’s no longer being used. Eliminate it when you find it.
Implement Automated, Persistent Classification
Educating data producers, consumers and owners about their roles and responsibilities in protecting sensitive data and empowering them to help reduce your exposure is critical to shrinking your footprint. You can do this by adding more information to a file—the metadata for the file can contain information about how much sensitive data is contained within it. Ideally, though, you should make the process automatic, so that as new data gets created, real time-monitoring automates the classification process. In this way, sensitive data discovery and data classification become a persistent and real-time answer to the question of where your sensitive data is and how data consumers should handle it.
Reduce the Risk of Sensitive Data Exposure
Sensitive data classification is key to reducing your sensitive data footprint and thereby reducing the risk of having that sensitive information exposed-and suffering the consequences. At the highest level, your goals for a sensitive data management program should be to:
- Know what to secure and what is public information
- Right-size your controls by setting data classification levels —don’t apply a one-size-fits-all strategy for access and protection
- Minimize the volume of sensitive data—delete what you don’t need and reduce the number of locations where the data is stored to protect confidentiality
- Data Classification Policy – Develop your ecosystem of protection—educate employees about their roles, automate data classification and establish a clear data security policy
You can read more about this topic by downloading the “Classify Your Data to Shrink Your Sensitive Data Footprint” eBook.