Risk
6/21/2013 12:16 AM

Data Classification Can Boost Risk Management

The trouble is that organizations must execute on classification and retention policies to gain benefits

The effectiveness of data classification and retention policies can have strong ripple effects across an organization's entire IT risk management framework. After all, how data is classified can determine what risk management priorities are placed on it, and the less data that is retained long-term, the less volume the organization has to sift through to determine appropriate protection levels.

"Risk management practices should be based on data or system classification. System classification is simply the 'high water mark' of data stored, processed, or transmitted on the system," says Doug Landoll, CEO of Assero Security. "The required security controls for a system are based on the system classification. Risk management, as one of those controls, would be based on this as well."
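The "high water mark" rule Landoll describes can be made concrete. The following is an added example, not code from the article, from Assero Security or from Protiviti: it derives a system's classification from the most sensitive data asset it holds, maps that level to a control baseline, and turns the level into a retention deadline. The level names, the controls in each baseline and the retention periods are constructed assumptions for illustration only. It also goes one step beyond the quote: an asset that was never classified is treated as the highest level, which makes visible the "guard everything" cost Paelinck raises later in the article.

```python
"""
Added illustration (not from the article): deriving a system's classification as
the "high water mark" of the data it stores, processes or transmits, and turning
that classification into a control baseline and a retention deadline.

The level names, control baselines and retention periods below are constructed
assumptions for this example, not any organization's or vendor's actual scheme.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Ordered classification scheme, lowest to highest sensitivity (assumed labels).
LEVELS = ("public", "internal", "confidential", "restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed control baseline per level; a real scheme would be far richer.
BASELINE = {
    "public":       {"encrypt_at_rest": False, "mfa_required": False, "dlp_monitoring": False},
    "internal":     {"encrypt_at_rest": False, "mfa_required": True,  "dlp_monitoring": False},
    "confidential": {"encrypt_at_rest": True,  "mfa_required": True,  "dlp_monitoring": True},
    "restricted":   {"encrypt_at_rest": True,  "mfa_required": True,  "dlp_monitoring": True},
}
# Assumed retention period per level: destroy this many days after creation.
RETENTION_DAYS = {"public": 365, "internal": 3 * 365, "confidential": 7 * 365, "restricted": 10 * 365}


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: Optional[str]   # None = the data owner never classified it
    created: date


def normalize(level: Optional[str]) -> str:
    """Map an asset's label to a scheme level.

    Unclassified data is treated as the highest level: this is the
    "guard everything" default, and the function makes that cost visible
    rather than silently under-protecting. Unknown labels are rejected so
    a typo cannot quietly downgrade data.
    """
    if level is None:
        return LEVELS[-1]
    key = level.strip().lower()
    if key not in RANK:
        raise ValueError(f"unknown classification label: {level!r}")
    return key


def system_classification(assets: Iterable[DataAsset]) -> str:
    """High water mark: the system inherits its most sensitive asset's level."""
    levels = [normalize(a.classification) for a in assets]
    if not levels:
        return LEVELS[0]   # a system holding no data sits at the lowest level
    return max(levels, key=RANK.__getitem__)


def required_controls(level: str) -> dict:
    """Control baseline implied by a (system or data) classification level."""
    return dict(BASELINE[normalize(level)])


def destroy_on(asset: DataAsset) -> date:
    """Retention deadline: the destruction date implied by the asset's level."""
    return asset.created + timedelta(days=RETENTION_DAYS[normalize(asset.classification)])


def unclassified(assets: Iterable[DataAsset]) -> List[str]:
    """Names of assets with no owner-assigned label; each drags the system to the top level."""
    return [a.name for a in assets if a.classification is None]


# Constructed sample inventory for one application (not real data).
SAMPLE_INVENTORY = [
    DataAsset("marketing_site_copy", "public", date(2013, 1, 10)),
    DataAsset("customer_loyalty_db", "confidential", date(2012, 6, 1)),
    DataAsset("legacy_export_share", None, date(2011, 3, 15)),
]

if __name__ == "__main__":
    level = system_classification(SAMPLE_INVENTORY)
    print("system classification:", level)
    print("required controls:", required_controls(level))
    print("unclassified assets forcing the top level:", unclassified(SAMPLE_INVENTORY))
    for asset in SAMPLE_INVENTORY:
        print(f"{asset.name}: destroy on {destroy_on(asset)}")
```

Running it on the sample inventory shows the point of the rule: the single unclassified file share pushes the whole system to "restricted", so every asset on it inherits the most expensive control baseline. Getting the data owner to assign "internal" to that share is what brings the system, and its cost, back down to "confidential".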

Survey data released this week by IT risk management consultancy Protiviti suggests that many IT leaders at large organizations do understand the implicit importance of solid data classification and retention practices. Among a pool of more than 200 IT decision makers, 72 percent reported that they have a data classification policy in place to categorize their organizations' information. But at the same time, these same organizations are having a hard time making good on those policies because the practices necessary to execute on written policies still lag. Approximately 63 percent reported having an actual data classification scheme in place. And far fewer organizations -- only about 19 percent -- reported that they have a detailed classification system to define data that determines how they retain or destroy it at specific dates.


"I think it is really hard to move from policy to action," says Charly Paelinck, senior vice president and CTO for Caesars Entertainment, of this disparity in the classification and retention world. "We've been building our policies, we've bought some tools, including DLP [and] archiving tools. But, first of all, discovering where all the different things are and then getting agreement to get rid of data has been pretty challenging for a large corporation like ours that's distributed."

As difficult as it can be, organizations that want to improve their risk management decision making should remain cognizant of how important classification is to the process of planning for better security on a budget.

"This ability to use data classification to stratify how you apply security to different types of data is not just a great thing from a security perspective, but also from an economical one," says Cal Slemp, managing director for Protiviti.

One of the difficulties that many IT organizations run into as they try to put their classification policies into action is that they do so in isolation. If classifications are what risk management decisions will be built on, then line-of-business participation should be mandatory, says Paul Borchardt, vice president of client success for risk management vendor Vigilant. Data owners, he explains, should review and approve assigned classification levels with an understanding of what those levels will mean for how the data is controlled.

"Approval should also be sought from legal, compliance, and risk management teams," Borchardt says. "Some regulations require board approval of data classification results and include this step as part of an annual recertification during the Information Security Steering Committee."

This is why it is crucial that classification be elevated in the eyes of senior management. According to Paelinck, many organizations, his included, face a struggle with leadership similar to the one IT faced in the early days of disaster recovery.

"There's a parallel to the struggle that a lot of IT organizations went through with disaster recovery, [which is] if you can't get a definitive statement from senior management on what is critical with disaster recovery, IT is left in the position of creating a backup plan that is much more expensive than it needs to be," he says. "I think we have the same issue with sensitive data. If we don't clearly define what is sensitive and what is not, IT is left in the position of trying to guard everything."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
