Data Classification. I’m not sure I have ever seen an implementation of a Data Classification policy that I would say, is very successful. It’s a scary thought given that Data Classification is a key foundation policy for Information Security.
For those who have implemented a Data Classification policy, ask yourself these questions. (For those that haven’t, think about this before you do try to implement such a policy):
1. What did we try to achieve with this?
2. Is our approach consistent across the Enterprise?
3. Is the policy achieving what we set out for it to do?
4. Do we truly understand why we did this?
The latter is the key question I would pose to most organizations that have implemented a Data Classification policy. For many organizations I have dealt with on this topic, the purpose seems to have been forgotten.
For most organisations, the work stops at the actual “classification” component. “Okay, you’ve classified the data, now what?”…Leading to:
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – -
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -
5. Is the Data Classification policy supported by Data; Storage, Transmission and Disposal policies?
It’s amazing how many organizations believe they have successfully implemented a Data Classification policy but do not have these supporting policies. “What do we need those for?”, being a very typical response.
Well for a start, and think about it if you’re not with me at the moment; what’s the purpose of classifying data if you don’t have these accompanying rules for the “treatment” of the data? And therein lies the problem with most Data Classification policy implementations. Do I need to go on? I think you can put the rest of the pieces into place yourself.
Most organizations these days have security policies, but how often do organizations review their policies – what’s working, what isn’t, what’s relevant, is it being done correctly? We all know that most organizations don’t do this as often as they should, and many never. If they were, most of our industry wouldn’t be as busy as we are. (Well the last point is debateable). Organizations need to look at their policies like Data Classification and understand what the purpose of those policies was/is. Without that, the policies are not worth the paper or rather disk space they are written on.