Define and Develop a Data Classification Program

Simplify data classification for broader visibility into your security program.


Your Challenge

  • Huge volumes of data of many different types make data discovery a daunting task. With such backlogs of information, it can be difficult to figure out where to start classification.
  • Ad hoc classification systems may lack consistency and accountability. Which formal classification system is right for you?
  • End users are one of the weakest links in data security. Relying on end users to accurately classify and handle sensitive information requires significant awareness and training. 

Our Advice

Critical Insight

  • Avoid analysis paralysis. Classifying all your data at once may not be feasible. Start small, quantify your results, report them to management, and then go back and tackle a larger portion.
  • Data is dynamic. Data, by its nature, does not stay static. A piece of data’s criticality will peak, but strategic reassessment will eliminate over/under protection of data. Data classification must be a program, not a project.
  • Classify what matters. Focus the program on data whose classification is measurable, auditable, and manageable. 

Impact and Result

  • Formalize the data classification initiative with the proper policies and handling standards, as well as a structured steering committee to ensure accountability and consistency.
  • Understand where your data lives and what controls are implemented to protect the data. Make sure the protection is proportional to the sensitivity and criticality of the assets.
  • Understand what tools are available to implement an efficient data classification program – whether provided by a third party or done in-house. Know how and when to revisit classifications to keep them up to date.

Contributors

  • Charles Tatosi Chavapi – Information Security Manager, Debswana Mining Industry
  • Ken Dewitt – IT Director, Navajo County
  • Jim Finlayson – IT Director, City of Grand Junction
  • Lian Guan – Enterprise Information Management Advisor, Ontario Lottery and Gaming Corporation
  • Diane Kelly – Information Security Manager, Colorado Judicial ITS
  • Leon Letto – Senior Technical Sales Engineer, AirWatch
  • Jim McGann – VP, Marketing and Business Development, Index Engines, Inc.
  • William Mendez – Information System Security Officer, City of Miami
  • Ian Parker – Head of Corporate System Information Security, Risk, and Compliance, Fujitsu Services
  • Claudiu Popa – President & CEO, Informatica Corporation
  • Doug Waram – Director of IT, County of Wellington
  • Chris Whiting – Solutions Architect, APA Group
  • 3 anonymous contributors 


Get to Action

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should define and develop a data classification program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

  1. Define the requirements

    Formalize your data classification steering committee, classification scheme, and documentation.

  2. Discover the data

    Perform data discovery to understand where your most sensitive data resides.

  3. Implement data classification

    Perform data classification and draw out valuable insights to drive strategic security decisions.

Guided Implementation

This guided implementation is a six-call advisory process.

Guided Implementation #1 - Define the requirements

  • Call #1: Formalize the Data Classification Steering Committee

    Formalize data classification documentation

Guided Implementation #2 - Discover the data

  • Call #1: Plan for data discovery
  • Call #2: Ease the task of classification

Guided Implementation #3 - Implement data classification

  • Call #1: Fill in the Data Classification Inventory Tool
  • Call #2: Analyze results
  • Call #3: Maintain and optimize the program

Onsite Workshop

Module 1: Define the Requirements

The Purpose

  • Define and formalize the data classification program to fit your organization’s needs.

Key Benefits Achieved

  • A right-sized classification program with formal documentation laying the foundation

Activities and outputs:
1.1 Assemble the Data Classification Steering Committee
  • Output: Established Data Classification Steering Committee Members
1.2 Define the Data Classification Steering Committee Charter
  • Output: Formalized Data Classification Steering Committee Charter
1.3 Determine the classification scheme
  • Output: Defined data classification scheme
1.4 Develop the Data Classification Policy
  • Output: Formalized Data Classification Policy
1.5 Develop the Data Classification Standard
  • Output: Formalized Data Classification Standard

Module 2: Discover the Data

The Purpose

  • To effectively mitigate risk and classify data, you must know where your data resides.

Key Benefits Achieved

  • Initial insight into where your data resides

Activities and outputs:
2.1 Develop questionnaire to conduct data discovery with key data owners
  • Output: Questionnaire to conduct discovery interviews
2.2 Interview key departments / data owners
  • Output: Preliminary data discovery interview results
2.3 Identify where to prioritize classification
  • Output: Prioritization of assets to classify
2.4 Re-evaluate policy and standard
  • Output: Finalized policy and standard documents

Module 3: Implement Data Classification

The Purpose

  • Classify the data to inform strategic security decisions.

Key Benefits Achieved

  • Development of supporting evidence regarding current state of data protection based on classification to drive future security initiatives

Activities and outputs:
3.1 Classify data in the inventory tool
  • Output: Data classification inventory starting point
3.2 Analyze results of the preliminary classification
  • Output: Security and location analysis charts to share with management
3.3 Begin developing a data classification training and awareness program
  • Output: Plans for training and awareness
3.4 Determine metrics to measure the effectiveness of the program
  • Output: List of metrics

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.


Search Code: 78924
Published: October 22, 2015
Last Revised: February 17, 2016
