Data Classification Standards and IT Operations

Mike Porter
| 3/20/2017

Many organizations are embracing a datacentric approach to cybersecurity risk management. Using data to quantify cybersecurity risk helps make security tangible to end users, aids in regulatory reporting, and narrows the focus of risk management to the most critical concerns. The logical starting point for most organizations is to identify the types of data available and then classify it. But too often, that’s where the process ends – a written policy sitting on a shelf, collecting dust. So what should organizations that want to take action do next?

First and foremost, organizations must incorporate data classification standards into IT operations so that those standards can be ingrained in risk management and cybersecurity controls – resulting in better alignment with business needs.

To illustrate this point, let’s take a look at an organization with years of experience implementing data classification standards: the federal government. Long before the proliferation of digital communication, the federal government went to great lengths to manage sensitive data. Different ways in which it protected data included:

  • Procedures to vet and approve those seeking access to classified information
  • Variable physical security controls at locations based on the type of data stored there
  • Documents stamped with classification notations
  • Dual controls at key processing points
  • Requirements for shipping classified materials (particularly through U.S. postal services)
  • Destruction procedures to render classified information unrecoverable
  • Threat of sanctions (including charges of treason) to compel compliance

The federal government’s use of data classification to manage security is a good example of how to use data to make decisions about daily operations. You might notice these principles in your day-to-day work with modern information systems.

The question then becomes “How can organizations use data classification standards in their IT operations to make decisions about daily operations?” As with most cybersecurity issues, the devil is in the details. The following questions might help guide productive discussions about data classification standards in different parts of your organization and pave the way for using the standards in the cybersecurity risk management decision-making process.

Employee Management

  • Have specific individuals been assigned responsibility for management and security of classified data?
  • Are classification standards part of the security training for all employees?
  • Are the standards coherent and easily used at all levels in the organization?

Account Management

  • Who approves access to classified data?
  • How are employees with access to the most critical data vetted?
  • Are classification schemes built into Microsoft® Active Directory® groups or user flags?

Risk Tracking

  • Are identified risks tagged and prioritized based on relevant data?
  • Is the scope of risk assessments based on classification standards and focused on the most sensitive data?

Configuration Management

  • Are end points with permissions to classified data noted as such within the configuration management database?
  • Are end points and servers subject to variations in hardening (that is, additional security controls) commensurate with their level of access?

Monitoring Controls

  • Are alerts tuned to identify activities related to classified data?
  • Are data loss prevention tools aligned with classification standards?
  • Are procedures defined for incidents involving specific data types?

Third-Party Management

  • What types of data do third parties have access to or store on their networks?
  • Should third-party access change the frequency and depth of evaluation or contractual obligations?

If you’re the lucky person responsible for classifying your organization’s data, maybe it’s time to take a step back and assess if and how classification standards are used throughout the organization. Do your strategic goals of using data classification standards align with the tactical use of such standards in your IT operations?

Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.