
Trustworthy Computing

CISO Perspectives: Data Classification January 2014

CISO Perspectives
CISO Perspectives provides insight into some of the key questions facing information security professionals today. These articles are based on interviews and discussions with chief information security officers (CISOs) and information security and risk specialists from Microsoft and the industry. A key challenge for organizations is implementing an effective data classification process. Data classification helps organizations apply the right level of control for maintaining the confidentiality and integrity of their data. It can deliver significant benefits, including better management of the organization's resources and compliance efficiencies, and it can facilitate migration to the cloud. This article discusses some of the key challenges, success factors, and potential solutions regarding data classification.

Data classification
Today's workplace requires employees of all organizations to create and manage data on a daily basis. Organizations need to find ways to categorize this data that make sense for their business and organizational requirements. Organizations across most industries are required by industry or governmental regulations to show how they handle and protect customer information securely. Enterprises in the financial industry face numerous compliance requirements to ensure not only that they protect their customers' information, but also that they do not compromise the integrity of the financial systems in which they participate.


Additionally, all organizations may have strategic business information that they want to protect from competitors. For this article we interviewed several information security and risk specialists to discuss data classification in the information security landscape, and the considerations and challenges they face in designing and implementing data classification projects.

What is data classification?
In today's rapidly changing information security environment, organizations must understand what data classification is and what it enables so that they can appropriately and efficiently protect sensitive data. Without classifying or categorizing data, organizations typically treat all data the same way, which rarely reflects the true differences in value among the data sets in the organization. Data classification is a powerful tool that can help determine what data is appropriate to store and/or process in different computing architectures, such as the cloud or on premises. Without performing data classification, organizations might underestimate or overestimate the value of data sets, resulting in inaccurate risk assessments and potentially mismanaging the associated risk. The experts we interviewed agreed that data classification is the process used to determine the value to their organizations of specific pieces of electronic information, be they e-mail messages, documents, or databases.

"Data classification is a process an organization uses to determine which information is more important or more sensitive." Pierre Noel, Chief Security Officer & Advisor Asia, Microsoft.

"Data across our organization has varying value. The value of the data serves as a guide [on how] to protect it. Data classification lets us determine the value of that data, whether an email, a document, or a database." John Meakin, Chief Information Security Officer, Royal Bank of Scotland (RBS) Markets.
In addition to agreeing on what data classification is, our experts agreed on the importance of data classification in designing and implementing data retention, destruction, and protection solutions.

Categories and processes
There was also agreement among our experts about the most important things for ensuring the success of an organization's data classification project:

- Have as few data classification levels as possible. Three is generally considered the minimum number of levels, allowing for confidential (or restricted), internal use (sensitive), and public use (unrestricted).
- Provide a training program for employees and partners to help them understand what is required of them when they create and use data, and provide tools to help them manage the data they own.

For example, Microsoft has three levels of data classification: low business impact, medium business impact, and high business impact. The company decided on these labels because they made business sense across the entire enterprise and were easy to understand. Dell and RBS have similar schemes, but with four data levels rather than three. All of our interviewees said they used tools to make it as easy as possible for their employees to classify data appropriately. Dell uses a third-party data classification solution to help employees classify unstructured data such as email messages, documents, and other files users create on their computers or access from document repositories. Microsoft uses its own software suite to automatically label data as appropriate, and also reminds employees of the importance of applying data classification throughout the process of creating and storing data. To ensure that employees understand the data classification levels and how to apply them using the available tools, the CISOs we spoke to outlined the data classification training programs their organizations have in place.

"As a new hire coming on board with Dell, [employees are] required to sign up for a set of classes. Some of these classes have to do with our information security policies themselves, and we have the data classification standards as part of those." Timothy Youngblood, Chief Information Security Officer, Dell Corporation.

Both RBS and Microsoft require employees to take classes each year on the data classification standards and procedures they must follow when they create documents and email messages. When data is inadvertently or intentionally exposed to people who should not have access to that class of data, all of the organizations have processes in place to destroy or restore the data. Banks in particular have stringent requirements to report unplanned disclosures of sensitive data to their various regulators.
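To make the automatic labeling mentioned above concrete, here is a small Python example written for this page; it is not Microsoft's or Dell's tooling and the article does not describe how those products decide on a label. It uses the three levels named earlier (public, internal, confidential) and three assumed indicators: an explicit "Classification:" header line, internal-use wording, and a Luhn-valid 16-digit payment card number. The "Contoso" sample documents are constructed for the example. The design point worth noting is that content indicators can only raise a level, never lower it, so a document someone marked "Public" that contains card data still ends up confidential, and that the default for unmarked data is a deliberate, configurable choice rather than an accident of the tool.

```python
import re
from dataclasses import dataclass, field

# Three-level scheme from the article, ordered least to most sensitive.
# The list index doubles as the severity rank.
LEVELS = ["public", "internal", "confidential"]

# Indicators below are assumptions for this example, not any vendor's rule set.
MARKER_RE = re.compile(r"^\s*classification:\s*(public|internal|confidential)\b", re.I | re.M)
INTERNAL_HINT_RE = re.compile(r"\b(internal use only|do not distribute)\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional space/dash separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    level: str
    reasons: list = field(default_factory=list)


def classify(text: str, default: str = "internal") -> Verdict:
    """Return the label for one document.

    An explicit marker sets the starting level; otherwise `default` applies.
    Content indicators can only raise the level, never lower it, so a file
    marked "Public" that contains card data still comes out confidential.
    """
    reasons = []
    rank = LEVELS.index(default)
    marker = MARKER_RE.search(text)
    if marker:
        rank = LEVELS.index(marker.group(1).lower())
        reasons.append(f"explicit marker: {marker.group(1)}")

    if INTERNAL_HINT_RE.search(text):
        rank = max(rank, LEVELS.index("internal"))
        reasons.append("internal-use wording")

    for candidate in CARD_RE.findall(text):
        if luhn_ok(re.sub(r"[ -]", "", candidate)):
            rank = max(rank, LEVELS.index("confidential"))
            reasons.append("Luhn-valid payment card number")
            break

    return Verdict(LEVELS[rank], reasons)


def classify_all(docs: dict) -> dict:
    """Map document name -> level for a batch, e.g. a repository scan."""
    return {name: classify(text).level for name, text in docs.items()}


# Constructed sample documents (not real data) covering the interesting cases.
SAMPLE_DOCS = {
    "press_release": "Classification: Public\nContoso announces quarterly results.",
    "mislabeled": "Classification: Public\nRefund to card 4111 1111 1111 1111 approved.",
    "memo": "Internal use only. Planning notes for the Q3 offsite.",
    "order_note": "Order reference 4111 1111 1111 1112 shipped.",  # fails Luhn: not a card
    "unlabeled": "Lunch menu for Friday.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        verdict = classify(text)
        print(f"{name:14s} {verdict.level:13s} {', '.join(verdict.reasons) or '(default)'}")
```

Running the block labels the press release public, the mislabeled refund note confidential, the memo internal, and leaves the order note and the unlabeled menu at the internal default because the 16-digit order reference fails the Luhn check. The `reasons` list is what a reviewer sees when a label is disputed, which matters for the rework problem John Meakin describes below: a label a user cannot explain is a label they will work around.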
Challenges for data classification projects
Working with a number of governmental and business organizations in Asia, Pierre also emphasized the challenge of making sure that the data classification levels map to business objectives. While an organization may borrow ideas and principles from another organization's data classification efforts, it is important that it customize the process to fit its own needs.


At Dell the challenge was to settle on the simplified data classification process that they now use.

"There were dozens of iterations of the classification model [process], some with three categories [or levels], and some with five. If we went with three or five we would have to change the architecture of how we store data." Timothy Youngblood.

John Meakin shared an experience from a previous company he worked with that highlights the need to carefully consider not only the scheme and tools, but how users work with data in an organization. Applying data labels by default that do not match how users actually use data can cause extensive rework after a solution has been launched.

"Even trying to do the best thing for the right reasons and achieving the right balance between usability and proper classification can get you into deep water if you don't carefully consider how users are actually using the information." John Meakin.

Resources
There are a number of resources recommended by our interviewees. Here is a short list of resources to investigate whether you are planning, implementing, or updating your enterprise data classification program:

- Information Security Forum: https://www.securityforum.org/
- Information Risk Executive Council: https://www.irec.executiveboard.com/Public/Default.aspx
- Research for security and risk professionals from Forrester Research Group: http://www.forrester.com/Security-%26-Risk
- The Computer Security Resource Center at the National Institute of Standards and Technology: http://csrc.nist.gov/publications/PubsSPs.html
- The Security Risk Management Guide from Microsoft, a technology-agnostic solution that provides a four-phased approach to risk management: http://technet.microsoft.com/en-us/library/cc163143.aspx
- Data classification for cloud readiness: http://download.microsoft.com/download/0/A/3/0A3BE969-85C5-4DD2-83B6366AA71D1FE3/Data-Classification-for-Cloud-Readiness.pdf

Key advice
Each of the experts we spoke with offered unique advice.
Both Pierre and Timothy mentioned the importance of assigning ownership of an organization's data classification project to a team that has the appropriate authority and will drive the required processes. The team should be able to communicate not only with IT security personnel, but also with executives from the business side of the organization who have a strong understanding of the compliance requirements for their business. Stakeholders from across the organization must be aware of the program for it to succeed throughout the organization. Timothy Youngblood told us that the data classification program for Dell was internally developed at the executive level: "The leadership team wanted this program in place and so we worked to pull all the stakeholders together to do it." John Meakin suggested that organizations fully invest in a data classification education program for their employees before they invest in data classification solutions. Above all, each person we spoke with re-emphasized the importance of keeping the data classification levels simple.

"A mistake many organizations make is to go from no data classification at all to a very complex solution. This is a recipe for failure." Pierre Noel.

John Meakin agreed, saying: "Creating a data classification program is not easy. You reap a lot of benefits by making the scheme itself as simple as possible and easy for your users to work with."

For more CISO Perspectives, visit http://aka.ms/cisoperspectives

Trustworthy Computing
© 2014 Microsoft Corp. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Licensed under Creative Commons Attribution-Non Commercial-Share Alike 3.0 Unported.
