A project arrives on an IT manager's desk with all of the documentation complete, the scope and size of the service...
defined, and a very compelling executive summary. Yet the request is declined. Why?
The answer lies with creating a data classification policy. Many companies still fail to apply a data classification profile from their IT policy to a project. They assume that when the system goes live, their archiving tool of choice will handle the rest.
This mistake probably causes the most pain within many small- and medium enterprises (SMEs) today because they probably never had the budget to deploy data classification as a programme of works or couldn't get the needed support to employ data classification best practices.
Data classification best practices enable organisations to store their data in line with compliance controls, thereby reducing any risk to the business in the event of an audit or legal discovery.
Beyond this, a data classification policy enables companies to store data in the most effective manner and utilise their storage resources in an optimal fashion. High-performance disks retain the most active data, while lower-performing disks can be leveraged for archival purposes.
Using data classification best practices, organisations can identify where their data should be sent and who should have access to it. For example, a file marked "Company confidential" shouldn't be allowed to be sent via email to external sources, while one marked "Public" should be accessible via the company intranet (but not the publicly accessed Internet).
The goal of data classification is to align data with business requirements so IT can effectively and efficiently manage it.
The biggest challenge companies face when looking to implement data classification best practices and create an effective policy, is educating users. Unless a company is well disciplined or its users have a basic understanding of the security practices surrounding data classification standards policy implementation will be a challenge. In addition, if the implementation is overly complex, uptake of the technology will be low and lead to failure. It's better to have a simple data classification policy than to fail in perfection. The devil truly is in the details.
Data classification best practices: Meeting the needs of your business
So with this in mind is the answer data classification tools, software, hardware, a procedure or a policy? It's an overall approach led by the business -- with cost, risk and service in mind -- that delivers against a set of objectives, goals and measures. Only once data classification best practices are in place are you ready to talk to vendors about which data classification tools (or components) may meet the needs of your business.
For example, nobody goes out to buy a car just to get from A to B. We go out wanting certain things from that mode of transport such as a sunroof, heated seats and so on. These are the criteria we use for making an informed decision as to which vehicle is the right one for us. The same needs to be true of a data classification policy. Words like strategy and vision are great, but you can't have a vision for a fast system or expect grandeur with limited funds. However, that doesn't mean spending a lot of money is always the right decision. You should always use a specialist to assist in the early design of your system to ensure that costs are accurate and justified by the business and not by your vendor.
About the author: Andrew McCreath is the virtualisation practice lead at GlassHouse Technologies (UK) Ltd., a global provider of IT infrastructure services. McCreath has more than 16 years of experience in infrastructure and management information systems. Prior to joining GlassHouse, McCreath managed multimillion dollar projects while employed at Accenture, Credit Suisse First Boston, Kimberly-Clark, Société Générale and EMC. He currently specialises in server virtualisation and data centre consolidation.