
Why Data Classification is Key to Safeguarding Sensitive Information
09 June 2015

Policy Development

When organizations set out to effectively allocate their resources, they often start with an analysis of their current environment that focuses on identifying opportunities where they can realize a high return-on-investment. One of the most critical initial tasks in this endeavor is to clearly document the location of the organization’s information (i.e., its data). Why is this important?

For one, the primary goal of cyber security is to safeguard and protect an organization’s data, and it’s difficult for an organization to have confidence that its sensitive data is adequately protected if it doesn’t have a clear understanding of the data’s location at rest, its appropriate security level, and its owner. Often, data classification of this nature presents a real challenge, with organizations struggling to determine where, exactly, their information resides and whether it’s secure.

What can you learn about data classification to make the process more efficient and effective for your organization?

Start with the Basics 
First, it helps to know the fundamentals. Some terms that are frequently associated with information classification are:

  • Information – Data that an organization possesses that is necessary for the organization to function. This information can be in either electronic or hard copy format.
  • Owner – The individual(s) in the organization who are primarily responsible for the information in their functional area.
  • Custodian – This can be the owner or someone who has been assigned maintenance of the information by the owner.
  • Security classification – The level of security required based on the sensitivity of the information.

Determine and Refine the Process
Our experts at COMPASS recommend that organizations begin with a narrowly-scoped project in a high-value functional area, such as human resources or finance. In this initial project, focus on the following:

  1. Documenting the process.
  2. Identifying key participants.
  3. Identifying and exercising the tools that will be used.
  4. Demonstrating the value of the initiative to the organization.

Starting with a single, narrowly-scoped project allows you to refine the process that will be used and demonstrate to your organization the value of classifying their information.

Garner Support from Your Leadership Team
Another key component of a successful information classification program is ensuring that it has the support of the executive team. Make sure the executive team communicates their support to the organization and provides the resources to staff it appropriately. The tools used for this initiative can be as simple as a spreadsheet or one of the various software packages that allows you to not only catalog the information but also to “discover” the data.

The Benefits
Organizations that invest in an information classification program will have an improved view of their information and be able to efficiently protect their data and allocate resources. When additional data is collected, organizations can then make decisions and allocate resources that are appropriate for the sensitivity level of the data.

Not collecting and managing your information, on the other hand, puts your organization at risk of wasting resources or, worse, exposing the data to malicious actors.

At COMPASS, we’ve developed a methodology that combines the discipline of project management with the latest cyber security technology and data-protection best practices to perform comprehensive, cost-effective assessments that can include information classification. Contact us to learn how COMPASS can help your organization develop a robust cyber security ecosystem.
