There are several routes to regulatory compliance, but the journey has to include data classification. At the heart of becoming compliant is an effective data security strategy, which in a perfect world would keep our information assets safe from unauthorized access (hackers and data thieves). Regardless of the compliance requirement (HIPAA, ITAR, EAR, PCI, SOX, etc.), a data security strategy begins with data classification.
In order to properly secure and protect data you must first answer the 5 Ws:
Who needs access to this data?
What types of data exist in your enterprise?
Where does the sensitive data reside?
When does it need to be made available?
Why does it need to be protected? (the business driver: compliance, IP protection, customer retention, etc.)
Data classification is a comprehensive process that entails identifying compliance-sensitive data, then consolidating it in a way that makes it easier to safeguard. Classification in turn drives the subsequent data security measures, encryption and data leakage prevention being the top two, because those controls need to know which data warrants them.
So, how do we accomplish a data classification project? We usually scan the environment (data discovery) for key words, phrases, and content that the business unit deems confidential and at risk. Pattern matching alone over-reports, so hits on structured identifiers such as card numbers or social security numbers should be validated (a checksum, a plausibility test) before they drive decisions. The identified information is then consolidated: it is a lot easier to safeguard assets in one to five locations than when they are spread out all across the network.
Once the data is consolidated, appropriate protection and data security measures can be applied to the data itself or to the devices it resides on.
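As an added illustration of the discovery step (this is example code written for this post, not a vendor tool or the original author's), the scanner below walks a directory tree, matches business-defined key words and two structured identifiers, validates each structured hit before counting it, and returns one classification per file so the results can serve as the consolidation worklist. The keyword rules, labels, and the sample files it creates are all assumptions chosen for the demonstration.

```python
"""Minimal data-discovery scanner (added example, illustrative rules only).

Walks a directory tree, looks for business-defined key words and phrases
plus two structured identifiers (payment card numbers for PCI, US SSNs for
PII), and returns one classification per file so the hits can be
consolidated. Patterns, labels and sample files are assumptions for this
demonstration, not any vendor's ruleset.
"""
import os
import re
import tempfile

# Key words and phrases a business unit might deem confidential (assumed examples).
KEYWORD_RULES = {
    "Confidential": re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE),
    "Export-Controlled": re.compile(r"\b(?:ITAR|EAR99|export[- ]controlled)\b", re.IGNORECASE),
}

# Structured identifiers. A bare regex over-matches (order numbers, phone
# numbers), so every candidate is validated before it is counted as a hit.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings in ranges the SSA never issues."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def classify_text(text: str) -> set:
    """Return the set of classification labels that apply to a blob of text."""
    labels = set()
    for label, pattern in KEYWORD_RULES.items():
        if pattern.search(text):
            labels.add(label)
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            labels.add("PCI-PAN")
            break
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            labels.add("PII-SSN")
            break
    return labels


def scan_directory(root: str) -> dict:
    """Map each file under ``root`` that has findings to its sorted labels.

    Files with no findings are omitted, which is what makes the result
    directly usable as a consolidation worklist.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    labels = classify_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if labels:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = sorted(labels)
    return findings


def build_demo_tree() -> str:
    """Create a small constructed directory tree so the scanner runs stand-alone."""
    root = tempfile.mkdtemp(prefix="discovery-demo-")
    samples = {  # constructed sample content, not real data
        "hr/payroll.csv": "name,ssn\nA. Person,123-45-6789\n-- Confidential --\n",
        "eng/export_notes.txt": "Part drawings are ITAR controlled; do not email.\n",
        "finance/orders.log": "order 9876543210123 paid with 4111 1111 1111 1111\n",
        "finance/phones.txt": "support line 4111 1111 1111 1112, ext 000-12-3456\n",
        "pub/readme.txt": "Nothing sensitive in here.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, labels in sorted(scan_directory(build_demo_tree()).items()):
        print(f"{rel}: {', '.join(labels)}")
```

Note how the validation step earns its keep: the 13-digit order number and the phone-like string in the finance folder both match the card regex but fail the Luhn check, and the 000- prefixed SSN fails the plausibility test, so those files never enter the worklist and do not dilute the consolidation effort.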
Have you undergone a Data Classification exercise? Does your data protection strategy help or hinder compliance? Is it time to undergo a refresher?