Improve security efficiency through data classification
Monday, May 31st 2010 @ 10:44 AM
Management often only starts to take an interest in security when there is an incident or a scare that could have cost the organization money – or management its credibility. Unfortunately, by this time, it is hard to “fix” the problem in a meaningful and lasting way. By taking a proactive approach to Data Classification – one of the earliest steps in any security program – fixing a specific security issue becomes much easier. Here’s why…
Applying a specific security safeguard or control across the board on all types of information – as a corrective action to an incident – is often not cost-effective. This reactive approach to security is what creates barriers to productivity, leading to user backlash. However, when data is organized and classified up front to reflect its importance to the organization, more granular controls can be put in place.
As a simple example, imagine that a supply room that is accessible by all staff contains everything from post-it notes to printer cartridges. Management notices that the organization is going through an inordinate supply of printer cartridges over a three-month period, and suspects some staff are taking them home to use in their own printers. So, they immediately put a lock on the door and put an administrative staff member in charge of letting staff in to get their supplies. This approach might stop the employee theft problem, but will also cause a great deal of inconvenience for many, as well as a loss of productivity for the administrator.
Dividing the supplies into high- and low-value categories with different storage locations would make the job of securing what needs to be secured more manageable. Only requiring administrator help for the high-value supplies has less adverse impact on everyone.
Similarly, when looking at the problem of securing data, the practice of identifying the types of data and their sensitivity up front makes it easier to apply safeguards and rules in a cost-effective way, at any time. So, if a particular incident drives management to call for a specific safeguard or control, it can be applied in an efficient and targeted way, without impacting the entire organization’s workflows.
Tools are now available for automating data classification, and they can usually be easily integrated into most office software products. As an example, Titus Labs creates a number of classification tools that integrate with Microsoft products.
I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec