Data Classification

Data Classification has been around for many years. As companies increasingly open their information networks to external collaborators, move to collaborative environments like SharePoint, and face increased legal exposure, Data Classification is increasingly being deployed as an effective means to help address risks and enable compliance.

Quite often when the subject of Data Classification comes up, what comes to mind to most practitioners in information management is “You must classify all your information so that each piece of data that you use in the company is labeled – (e.g. Red, Yellow, Green) based upon the sensitivity of the data.” This of course feels like an overwhelming amount of effort and Data Classification falters due to fear of failure or because it becomes too difficult to gain approval for the business case.

In most cases, this isn’t how Data Classification is implemented and often it isn’t how an organization gains the most benefit to Data Classification. I believe that one of the greatest business benefits of having Data Classification implemented are realized when organization understands and focuses on Data Classification at a strategic level. By strategic level, I mean at the Policy, People, and Governance level vs. the technology/tool level.

 

Benefits of Implementing Data Classification at a strategic level:

• The ability to make more effective management decisions on the level of controls necessary for data protection. Having a Data Classification program in place that includes the appropriate levels of controls for the various classification levels, helps leadership make more effective investment decisions to meet internal and external control expectations.

• The ability for the rationalization of controls by mapping control requirements to grouped “classes” of information vs. data element by data element.

• The ability to use Data Classification as commonly accepted guidance across the enterprise for the controls that should be implemented to protect data, thus aligning resources and energy of the organization.

• It can be used to reduce efforts and costs associated with controls of less sensitive data. Often when Data Classification is developed, organizations come to the realization that they are not only under controlling their most sensitive data, but they are wasting money and resources OVER controlling less sensitive data.

• Strategic Benefit for Data Classification, is the Socialization of Data Governance concepts with the business enterprise.

Socialization of Data Governance? If embarked upon from a truly enterprise and cross-functional perspective, Data Classification is also a great way to socialize data governance with senior leadership because the process and experience of defining the data classes and their expected controls is Data Governance. Once this socialization process begins to gain traction, then organizations begin to realize a number of other strategic benefits. These can range from: stronger business sponsorship on specific IT investments to protect the information, better risk based decisions made by the organization, stronger ties of security requirements to business objectives, as well as decreased legal risks by being able to demonstrate due diligence through active leadership engagement in data governance.

Ironically, it is actually when these strategic benefits begin to be realized, that organizations can more effectively drive data classification into processes, procedures, and deploy technology solutions. I say ironically, because most organization jump to finding a tool to classify data and then they find that once implemented, the organization resists adoption and data classification fails. The resistance occurs because of lack of understanding, alignment, and buy-in to the need across the business. Then organizations find themselves right back where they should have started – focusing on Data Classification at a strategic level or unfortunately altogether abandoning Data Classification.

Source: wmarkbrooks.com