Data classification policy
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Often, Indian organizations lack clarity in establishing confidentiality of their data. A well defined data classification exercise can address this. The thumb rule in data classification policy is to consider the company's specific nature of business and the law of the land. In the case of a company dealing in home loans, details like the customer's name, address, policy and EMI are confidential information, whereas in pharmaceutical and technology industries, intellectual property rights are the most confidential aspects.
The recent IT Amendment Act (2008) also compels corporate entities to secure customers' private data. Therefore, it becomes necessary to have a data classification policy irrespective of plans to deploy data loss protection (DLP) or document rights management (DRM). One must consult senior management while designing data classification policy, as they can provide perspective of what can make or break the organization. The exercise can form a part of information security policy which cuts across all departments.Classifying data
The foremost step before undertaking a data classification exercise is to sensitize people about the significance of confidential data, and its need to be protected. One needs to look at it from a process-based approach.
For a recent data shield project at Reliance Capital, we undertook a data flow analysis. We studied the documented processes of each department. This analysis helped us to identify aspects such as who generates the data, its location, where it was passed, what is the use of that information, and the impact if it is lost.
Output of this activity could be that you will classify data as confidential, sensitive, private, public, etc. Then security controls can be put around the sensitive data to define people's roles, responsibilities and access rights. Information can then be made available on a need to know basis.
Data classification can also be integrated with the knowledge repository of the organization; it can be a knowledge management portal consisting of document process or excel sheets or proprietary tools.Role of CISO in data classification process
The chief information security officer (CISO) plays a critical role in data classification exercises. A herculean task, it calls for excellent project management skills. The CISO will need to convince senior management, get budget approvals, collect buy-in of all the departmental heads as well as employees, coordinate the entire exercise, and simultaneously ensure that projects run on schedule.
It is also a give and take exercise. If you need HODs or business heads to participate in such initiatives, they need to be explained the benefits they can accrue from this. For instance, in our data flow review we often identified gaps in existing process, found ways to make the process more efficient or reduce cost.
When talking about data classification exercises, there is the time and cost factor. This can vary with the size of your organization. Another thing that can help is taking third-party expert services. You can avail of time bound and fixed cost agreements with vendors instead of paying them per process or resource.
Instead of training and managing in-house resources specifically for a data classification exercise, it makes sense to hire a specialist. Although the framework is provided by the organization, a vendor is expected to bring his knowledge, experience and efficiency. There have also been talks of automating the entire process of data classification. However, it is at a nascent stage.
DLP and DRM implementation can actually be infused in the process of data classification. After classifying and identifying confidential data, data can be immediately controlled with access rights through DRM solutions and can also be protected from going out though fingerprinting techniques of DLP solutions.
Organizations keep on generating data. Hence the data classification process should be revisited every quarter or six months to incorporate additions.About the author: Faraz Ahmad is the CISO of Reliance Life Insurance, and has played a key role in designing and driving the data classification exercise at group company Reliance Capital.
(As told to Dhwani Pandya.)