6/21/2013
00:16 AM

Data Classification Can Boost Risk Management

The trouble is that organizations must execute on classification and retention policies to gain benefits

How well an organization classifies and retains its data ripples through its entire IT risk management framework. A data set's classification determines the risk management priority it receives, and the less data that is retained long-term, the less volume the organization has to sift through to decide what level of protection each piece needs.

"Risk management practices should be based on data or system classification. System classification is simply the 'high water mark' of data stored, processed, or transmitted on the system," says Doug Landoll, CEO of Assero Security. "The required security controls for a system are based on the system classification. Risk management, as one of those controls, would be based on this as well."

Survey data released this week by IT risk management consultancy Protiviti suggests that many IT leaders at large organizations do understand the importance of solid data classification and retention practices. Among a pool of more than 200 IT decision makers, 72 percent reported having a data classification policy in place to categorize their organizations' information. But those same organizations are having a hard time making good on those policies, because the practices needed to execute on a written policy still lag behind it. Only about 63 percent reported having an actual data classification scheme in place, and far fewer, about 19 percent, reported a classification scheme detailed enough to determine when specific data is retained or destroyed.
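The two mechanics the article describes, the "high water mark" rule by which a system inherits the classification of the most sensitive data it stores, processes, or transmits, and a classification scheme that determines when data is retained or destroyed, are shown below as an added example. It is not code from the article or from any of the vendors quoted; the level names, control baselines, retention periods, and the inventory are constructed assumptions for illustration, and a real scheme comes from the organization's own policy.

```python
"""
Added example (not from the article): high-water-mark system classification
plus classification-driven retention, run over a constructed inventory.

Level names, control baselines and retention periods are ASSUMED for
illustration; substitute the organization's actual policy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Classification levels, ordered least to most sensitive (assumed labels).
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed policy: required control baseline and maximum retention per level.
# retention_days=None means "retain until superseded" (no automatic destruction).
POLICY = {
    "public":       {"baseline": "basic",    "retention_days": None},
    "internal":     {"baseline": "basic",    "retention_days": 5 * 365},
    "confidential": {"baseline": "moderate", "retention_days": 3 * 365},
    "restricted":   {"baseline": "high",     "retention_days": 1 * 365},
}
BASELINE_RANK = {"basic": 0, "moderate": 1, "high": 2}


@dataclass
class DataElement:
    name: str
    level: str
    created: date


@dataclass
class System:
    name: str
    implemented_baseline: str            # controls actually in place today
    data: list = field(default_factory=list)  # data stored, processed or transmitted


def high_water_mark(system: System) -> str:
    """System classification = highest level of any data the system touches."""
    if not system.data:
        return LEVELS[0]
    return max((d.level for d in system.data), key=RANK.__getitem__)


def control_gaps(systems: list) -> list:
    """Systems whose implemented baseline is below what their classification requires.

    Returns (system, classification, implemented, required) tuples.
    """
    gaps = []
    for s in systems:
        level = high_water_mark(s)
        required = POLICY[level]["baseline"]
        if BASELINE_RANK[s.implemented_baseline] < BASELINE_RANK[required]:
            gaps.append((s.name, level, s.implemented_baseline, required))
    return gaps


def disposition(systems: list, today: date) -> list:
    """Data past its retention period, with the date it should have been destroyed.

    The same data element may live on several systems (e.g. a backup copy);
    it is reported once. Returns (data, classification, destroy_by ISO date).
    """
    due, seen = [], set()
    for s in systems:
        for d in s.data:
            if d.name in seen:
                continue
            seen.add(d.name)
            days = POLICY[d.level]["retention_days"]
            if days is None:
                continue
            destroy_by = d.created + timedelta(days=days)
            if today >= destroy_by:
                due.append((d.name, d.level, destroy_by.isoformat()))
    return sorted(due, key=lambda r: r[2])


# Constructed inventory (assumed names and dates), with TODAY set to the article date.
TODAY = date(2013, 6, 21)
INVENTORY = [
    System("marketing-cms", "basic", [
        DataElement("press-releases", "public", date(2011, 1, 10)),
        DataElement("campaign-plans", "internal", date(2009, 3, 2)),
    ]),
    System("customer-db", "moderate", [
        DataElement("loyalty-profiles", "confidential", date(2010, 5, 1)),
        DataElement("card-numbers", "restricted", date(2012, 8, 15)),
    ]),
    # A backup holds a copy of confidential data but only has basic controls.
    System("backup-archive", "basic", [
        DataElement("loyalty-profiles", "confidential", date(2010, 5, 1)),
        DataElement("campaign-plans", "internal", date(2009, 3, 2)),
    ]),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(f"{s.name}: classified {high_water_mark(s)}")
    for name, level, have, need in control_gaps(INVENTORY):
        print(f"GAP {name}: {level} data requires '{need}' baseline, has '{have}'")
    for name, level, by in disposition(INVENTORY, TODAY):
        print(f"DESTROY {name} ({level}): retention expired {by}")
```

The backup system is the case Paelinck's remark points at: the copy inherits the classification of the data on it, so it needs the same baseline as the primary store, and the expired confidential record has to be destroyed on the backup as well as the primary, which only works if every copy was discovered in the first place.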


"I think it is really hard to move from policy to action," says Charly Paelinck, senior vice president and CTO for Caesars Entertainment, of this disparity in the classification and retention world. "We've been building our policies, we've bought some tools, including DLP [and] archiving tools. But, first of all, discovering where all the different things are and then getting agreement to get rid of data has been pretty challenging for a large corporation like ours that's distributed."

Difficult as it is, organizations that want better risk management decisions should keep in mind how central classification is to planning security on a limited budget.

"This ability to use data classification to stratify how you apply security to different types of data is not just a great thing from a security perspective, but also from an economical one," says Cal Slemp, managing director for Protiviti.

One of the difficulties many IT organizations run into when putting classification policies into action is that they do so in isolation. If risk management decisions are going to be built on classifications, then line-of-business participation should be mandatory, says Paul Borchardt, vice president of client success for risk management vendor Vigilant. Data owners, he explains, should review and approve the classification levels assigned to their data, understanding what that level will mean for how the data is controlled.

"Approval should also be sought from legal, compliance, and risk management teams," Borchardt says. "Some regulations require board approval of data classification results and include this step as part of an annual recertification during the Information Security Steering Committee."

This is why it is crucial that classification be elevated in the eyes of senior management. According to Paelinck, many organizations, including his, face the same struggle with leadership that they faced in the early days of disaster recovery.

"There's a parallel to the struggle that a lot of IT organizations went through with disaster recovery, [which is] if you can't get a definitive statement from senior management on what is critical with disaster recovery, IT is left in the position of creating a backup plan that is much more expensive than it needs to be," he says. "I think we have the same issue with sensitive data. If we don't clearly define what is sensitive and what is not, IT is left in the position of trying to guard everything."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
