Data is everywhere within the organization, but few people know the significance of their data to the business. In this post, I discuss strategies for performing data classification. What makes data classification complex is the sheer number of items that need classification. Overall, the classification process should be outsourced to the document owners, this is the best approach and a strategy needs to be identified early. The information security team’s role here is to identify the data repository’s data classification capability. Not all repositories have an easy and intuitive classification method. Let’s take a look at some possible approaches.
Identify current state
Data classification is a process by which information security and legal teams identify critical and sensitive organizational data. In order to succeed in this endeavor, you’ll need to bite off small chunks and, work with patience and determination. If you’re late to the game, start by identifying your repositories built-in capability to classify data. Investigate whether you’re able to simply turn on the feature within the application. It might be offered in an enhanced version of the product that requires additional licensing or costs however data classification is important and the additional cost will be well worth it.
A data classification guide should be provided to all document owners. The classification guide should be simple to follow and understand. A typical classification system includes 3 classification levels including sensitive, secret, and unclassified, however, additional classification types might be useful depending on your specific business needs. To begin with, classify your data directly in the document. This classification should be searchable and readable by search and regular expression engines. This allows for a DLP solution to search the document to identify its classification level.
Fill in the gaps
Enterprise document storage solutions should have robust scripting and plugin capabilities. In-house development can help create data-classification add-ons and plugins for any document management solution that does not provide such capability. Some collaboration suites include a marketplace that readily offers such extras, however, investigate the add-on for security issues before implementing.
Crowdsource your classification efforts
Off-course, this isn’t always possible and in that case, setting up a meeting with the document owners and walking them through the importance of the data classification program will be required. Users are more willing to participate in mundane yet important tasks if the process is more engaging and rewarding. Identify ways in which you could gamify the process and provide rewards, provide a leaderboard and acknowledge those at the top during company meetings. Data classification is a critical process, therefore, participation should be part of everyone’s job responsibilities. Executive leadership needs to buy in and ensure that data classification is an essential part of everyone’s routine and not a burden on employee workload.