
Data Classification. I’m not sure I have ever seen an implementation of a Data Classification policy that I would say is very successful. It’s a scary thought given that Data Classification is a key foundation policy for Information Security.

For those who have implemented a Data Classification policy, ask yourself these questions. (For those that haven’t, think about this before you do try to implement such a policy):

1.    What did we try to achieve with this?
2.    Is our approach consistent across the Enterprise?
3.    Is the policy achieving what we set out for it to do?
4.    Do we truly understand why we did this?

The last is the key question I would pose to most organizations that have implemented a Data Classification policy. For many organizations I have dealt with on this topic, the purpose seems to have been forgotten.

For most organisations, the work stops at the actual “classification” component. “Okay, you’ve classified the data, now what?”… leading to:

5.    Is the Data Classification policy supported by Data Storage, Transmission and Disposal policies?

It’s amazing how many organizations believe they have successfully implemented a Data Classification policy but do not have these supporting policies. “What do we need those for?”, being a very typical response.

Well for a start, and think about it if you’re not with me at the moment; what’s the purpose of classifying data if you don’t have these accompanying rules for the “treatment” of the data? And therein lies the problem with most Data Classification policy implementations. Do I need to go on? I think you can put the rest of the pieces into place yourself.

Most organizations these days have security policies, but how often do organizations review their policies – what’s working, what isn’t, what’s relevant, is it being done correctly? We all know that most organizations don’t do this as often as they should, and many never do. If they did, most of our industry wouldn’t be as busy as we are. (Well, the last point is debatable.) Organizations need to look at their policies like Data Classification and understand what the purpose of those policies was/is. Without that, the policies are not worth the paper, or rather disk space, they are written on.

This entry was posted on Friday, October 23rd, 2009 at 4:47 PM and is filed under Community Manager, Guest Bloggers, Information Technology, Security.
