In this CBR Tech Express, Danny Maher, Chief Technology Officer at HANDD Business Solutions, defines and explains data classification in five questions or less.
CBR: What is data classification?
DM: Data Classification is the process that involves putting a key identifier, which could be a label or metatag, on your data and raises awareness for the end user. It ensures the correct handling and monitoring of sensitive information both in and outside of a business, a critical aspect when it comes to protecting an organisation’s most valuable data.
CBR: What sort of systems or software are used in data classification?
DM: Data encryption, data governance, forensic, data loss prevention, identity and access management and user and entity behavioural analytics are all solutions that can be enhanced or complemented by the use of data classification.
CBR: What are the main business benefits of data classification?
DM: Data classification provides many business benefits including:
All organisations must comply with governing bodies, internal audits and mandates of some shape or form. Data classification enables easy identification of an organisation’s most sensitive data, and by ensuring that it’s appropriately protected, the risk of falling foul of many compliance mandates will be greatly reduced.
Increased performance of existing security technology:
- Encryption: most organisations encrypt their data, and applying metadata to sensitive content enables the organisation to focus on encryption of its most valuable assets.
- Data classification can be used alongside data governance and forensic solutions to clean up legacy data and reduce storage costs by bulk classifying sensitive assets as they are discovered and to ensure they are protected and only retained as long as is necessary as per the specified requirements for GDPR.
- Data Loss Prevention (DLP) tools can be enhanced by data classification as opposed to relying on the often-cumbersome process of creating rules. By adding a confidential label into the metadata, the DLP immediately knows that the data must not go off premises, thus erasing the need to scan the entire content.
- Security Policy Extension into Identity Access Management (IAM) – identifying your data and storage locations also allows the extension of your security policy into IAM solutions so that only those with permission rights can access the data.
End User Empowerment
Data classification brings security to the front of the organisation by empowering its users. Many data leaks could be avoided if a data classification solution is in place. Adding visual labels to headers and footers helps to raise end-user awareness and assists users in becoming more security focused and avoiding sharing sensitive content on USBs or third-party portals.
CBR: Who in the organisation would be responsible for data classification?
DM: Typically, the responsibility for data classification would reside with the Chief Information Officer (CIO) or the Chief Information and Security Officer (CISO).
CBR: What impact will GDPR have on data classification?
DM: Another way of looking at it is what impact data classification will have on GDPR? Implementing a robust data classification strategy will be central to organisations complying with GDPR and is the perfect way to order and prioritise data based on its sensitivity, be it finance or HR information or personal customer data. Using a “metadata tag” allows easy identification of data, which in turn enables it to be appropriately protected and ensures compliance.