The COVID-19 era has changed how many organizations work and has highlighted the importance of better security governance and of protecting data that is at risk, whether from malicious insiders or from aggressive cybercriminals.
While all organizations and individuals should adhere to the confidentiality, integrity and availability (CIA) triad, every security control and vulnerability should be reviewed against one or more of its three principles. Every organization has different business goals, so data classification should be performed with the business requirements in mind. For example, a financial organization may rank integrity first, followed by confidentiality and availability; a retailer may rank availability of its data first, followed by confidentiality and integrity.
At Zensar, we believe that one of the most critical aspects of data protection is proper data classification. If you know what your sensitive data is and where it resides, you can protect it judiciously and save your organization from compliance breaches and hefty penalties. Recently we have seen the GDPR violation at H&M, with hefty fines resulting from illegal employee surveillance, which may have been avoided had the company followed privacy compliance guidelines and labelled the data within a data classification scheme.
What is Data Classification?
Data classification is the process of analyzing structured and unstructured data, categorizing it based on file type, content and metadata, and applying a label according to the sensitivity of the data. The first step is identifying what data is stored and where; the next is performing a risk assessment against the ever-changing compliance requirements, in order to safeguard business interests, protect brand reputation and prevent breaches.
Data Classification Schemes
Generally, organizations use a four- or five-level data classification scheme and label data with the following levels:
Data classification defines what needs to be protected and how. You may start with a small or mission-critical environment and then roll the defined classification scheme out to other business units. The classification must cover the types of data and the associated security risks, including how the data is transferred, accessed, stored and archived, and the potential consequences of a policy violation or breach of compliance.
Types of Data Classification
Data classification broadly includes tags and schemes as well as the CIA triad, and is often divided into three types:
- Content-based classification inspects the data itself, looking for matches on specific keywords, regular expressions and patterns, and fingerprinting or indexing structured data sources that hold sensitive information.
- Context-based classification looks for indicators of compromise (IOC) such as location, IP address, geography, time, etc.
- User-based classification requires human intervention to classify and label sensitive files before they are disseminated.
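As an added example, not taken from this article or from any Zensar product, the following Python script sketches content-based classification as described above: it combines keyword and regular-expression detectors with a hashed fingerprint index of values from a structured source, and assigns a document the highest label that any detector triggers. The labels, patterns, marker phrases, customer ids and sample documents are all constructed for illustration and are assumptions, not a production rule set.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Labels in increasing order of sensitivity. A document receives the highest
# label triggered by any finding; nothing found means "Public".
LABELS = ["Public", "Internal", "Confidential", "Restricted"]

# Content detectors: name -> (regex, label). Constructed sample rules; the
# marker phrases and patterns are assumptions for this example.
PATTERNS: Dict[str, Tuple[re.Pattern, str]] = {
    "card_number": (re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "Restricted"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "Confidential"),
    "internal_marker": (re.compile(r"\b(?:internal only|do not distribute)\b", re.I), "Internal"),
}

# Tokens compared against the fingerprint index (letters, digits, and the
# punctuation that typically appears inside identifiers).
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]*")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and invoice ids that merely
    look like card numbers, reducing false positives from the card regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(value: str) -> str:
    """Normalize and hash one structured record value."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def build_fingerprint_index(records: List[str]) -> Set[str]:
    """Index exact values from a structured source (e.g. a customer table) as
    hashes, so the scanner can recognise them without holding the plaintext."""
    return {fingerprint(r) for r in records}


def classify(text: str, fingerprints: Set[str]) -> Tuple[str, List[str]]:
    """Return (label, names of the detectors that fired) for one document."""
    findings: List[Tuple[str, str]] = []
    for name, (pattern, label) in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # digit runs that fail Luhn are not treated as card numbers
            findings.append((name, label))
            break  # one hit per detector is enough to set the label
    for token in TOKEN_RE.findall(text):
        if fingerprint(token) in fingerprints:
            findings.append(("fingerprint_match", "Restricted"))
            break
    if not findings:
        return "Public", []
    label = max((lbl for _, lbl in findings), key=LABELS.index)
    return label, [name for name, _ in findings]


# Constructed sample data: two customer ids to fingerprint and five documents.
SAMPLE_RECORDS = ["CUST-00042", "CUST-00913"]
SAMPLE_DOCS = {
    "newsletter.txt": "Our new office opens in March. Visit the careers page for openings.",
    "memo.txt": "INTERNAL ONLY: Q3 headcount plan attached. Do not distribute.",
    "refund.txt": "Refund to card 4111 1111 1111 1111 for customer jane.doe@example.com",
    "export.csv": "id,status\nCUST-00042,active\nCUST-77777,closed",
    "invoice.txt": "Invoice 1234 5678 9012 3456 issued; pay within 30 days.",
}


def classify_samples() -> Dict[str, Tuple[str, List[str]]]:
    """Classify every constructed sample document against the sample index."""
    index = build_fingerprint_index(SAMPLE_RECORDS)
    return {name: classify(text, index) for name, text in SAMPLE_DOCS.items()}


if __name__ == "__main__":
    for name, (label, detectors) in classify_samples().items():
        print(f"{name:16} {label:13} {', '.join(detectors) or '-'}")
```

Two design points are worth noting. The Luhn check is what keeps the invoice number in the last sample from being labelled Restricted; a bare sixteen-digit regex would flag it. The fingerprint index holds only hashes of the structured records, so the exact-match list of customer ids does not have to travel in plaintext to every scanner that uses it.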
Best Practices to Classify the Data
There are many automated tools through which data discovery can be achieved, but first your organization should determine its classification scheme and criteria. At Zensar, we follow a mature and proven framework for the classification, declassification and protection of sensitive data. Below are a few steps from our comprehensive Zensar DLP Governance framework:
- Understand the business: The starting point is to understand the business goals and to assess the risk and compliance requirements that pertain to your organization. Then rank the risks by priority and draw up a list of initiatives to mitigate them.
- Develop a data classification program: Business needs are dynamic, and that sometimes makes compliance needs difficult to meet. Therefore, a robust data classification program needs to be established that classifies data according to its value and risk. Zensar has developed a mature and proven comprehensive framework in its Zensar DLP Governance, adhering to NIST, CERT, SOX, PII, HIPAA, PCI and various other regulatory requirements. The program is an amalgamation of people, process and technology that continuously discovers new data elements, shadow IT, and structured and unstructured data, and finds sensitive data in areas where you generally do not expect it. It identifies broken processes, data drift and bad actors, and declassifies data. With that information in hand, Zensar recommends implementing adequate DLP tooling to protect data-at-rest, data-in-motion and data-in-use across the IT estate, providing holistic data security.
- Monitor and respond: Data classification is incomplete without proper incident life cycle management, which establishes whether an incident has occurred and how it will be responded to, including containment, mitigation and root cause analysis. Zensar has a fully managed SIEM and SOAR capability that collects logs and events from your DLP solutions and correlates them with external threat intelligence feeds to provide contextual, actionable alerts through a single pane of glass. This allows our SOC team to effectively detect and remediate attacks of all types by providing visibility of the risk profile and compliance status, and by prioritizing the incidents that pose the biggest threat to data.
All in all, the user is the weakest element in the security chain but at the same time a critical line of defence. That is why Zensar recommends developing a tailor-made security awareness program for users and a training program for data owners.
To make the Data Loss Prevention (DLP) plan successful, Zensar recommends leveraging its mature and comprehensive DLP Governance framework that entails the complete data life cycle program.