Data classification blues

Written on January 14, 2007 by faparicio in Riesgos y Tecnología

Although it is one of the pillars of any information security program, most organizations lack a data classification scheme. Such a scheme consists in assigning both a sensitivity level and an owner to each document, memo, report, letter, etc. of the organization. The main advantage is not only that the company's most critical information receives the strongest controls (another practical application of risk analysis), but also that the security clearance of the individuals or groups authorized to access the classified information gets defined.
Once again, this definition implies management involvement and leadership (so that the CISO's efforts are not wasted) in deciding not to treat all information the same. We cannot apply the same security measures to every piece of information; doing so would lead to unnecessary restrictions and a loss of efficiency for the information security staff.
Several methodologies provide organizations with guidelines to classify information (e.g., Magerit, in Spain), although common sense is enough to single out a few levels (secret, confidential, public, etc.) and establish a simple set of data classification criteria.
In practice, the development of these schemes faces quite a few challenges: the end user has to be made aware of, and trained in, data classification; if most users are ignorant of basic information security rules, any effort to implement this scheme will be a waste of time and money, all the more so because classification is an ongoing process, not a one-off exercise. Employees need to know how and when to classify information, so the simpler the data classification scheme is, the better.
Another major factor is cost: the definition, implementation and training expenses will likely be joined by the acquisition of a software tool to restrict access according to sensitivity level (e.g., DRM tools). As usually happens with information security, it is not easy for management to justify these efforts as a necessary part of doing business when they do not directly generate revenue.
So when will data classification make it onto the agenda? Most probably the moment it becomes a regulatory compliance issue: in the US, healthcare and financial firms are already required by law to classify data. In short, another junction between management commitment, technology and law.

