January 11, 2016
Defining your data via data discovery and classification is the foundation for data security strategy. The idea that you must understand what data you have, where it is, and if it is sensitive data or not is one that makes sense at a conceptual level. The challenge, as usual, is with execution. Too often, data classification is reduced to an academic exercise rather than a practical implementation. The basics aren’t necessarily simple, and the existing tools and capabilities for data classification continue to evolve.* Still, there are several best practices that can help to put you on the road to success:
- Keep labels simple. At a high level, stick to no more than 3 or 4 levels of classification. This reduces ambiguity about what each classification label means. Many classification labels increase confusion and the chance of opportunistic data classification (where users default to classifying data at a lower level for ease of access and use).
- Recognize that there are two types of data classification projects: new data and legacy data. This will help to focus the scope of your efforts. Commit to tackling new data first for maximum visibility and impact for your classification initiative.
- Identify roles and responsibilities for data classification. Consider data creators, owners, users, auditors (like privacy officers, or a risk and compliance manager), champions (who’s leading the classification initiative?). Data is a living thing and all employees have a role in classification. Classification levels may change over time as data progresses through its lifecycle or as regulatory requirements evolve.
- Start small. Roll out your data classification initiative to one department, group, division, etc. before expanding. Prioritize the rollout by risk, whether by group or by data type; e.g., the R&D group, or classification for emails.
S&R pros, how have you set your firm up for success with data classification? What worked well, and what might have been hard lessons learned? Is there anything you would have done differently? I’d love to hear about your experiences as I refresh and update this 2014 report on Rethinking Data Discovery And Classification.
*Stay tuned! I’ll be kicking off new research in 2016 on the vendor landscape.