"Risk management practices should be based on data or system classification. System classification is simply the 'high water mark' of data stored, processed, or transmitted on the system," says Doug Landoll, CEO of Assero Security. "The required security controls for a system are based on the system classification. Risk management, as one of those controls, would be based on this as well."
Survey data released this week by IT risk management consultancy Protiviti suggests that many IT leaders at large organizations do understand the importance of solid data classification and retention practices. Among a pool of more than 200 IT decision makers, 72 percent reported having a data classification policy in place to categorize their organizations' information. At the same time, these organizations are having a hard time making good on those policies, because the practices needed to execute them still lag. Approximately 63 percent reported having an actual data classification scheme in place. Far fewer -- only about 19 percent -- reported having a detailed classification system that defines data in a way that determines when it is retained or destroyed.
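A worked illustration of the two ideas above, the "high water mark" rule Landoll describes and a classification scheme that fixes retention dates as the Protiviti survey asks about, added here as example code that is not from the article or from any of the companies it quotes. The three-tier levels, the three impact dimensions (a FIPS 199-style convention, assumed here), the control baselines, the retention periods and the sample data types are all constructed assumptions:

```python
"""Illustration of system classification as the 'high water mark' of the data
a system stores, processes or transmits, with the classification selecting a
control baseline and each data type carrying its own retention period.
Example code only; every level, baseline, period and data type is assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Ordered impact levels (assumed three-tier scheme; higher index = higher impact).
LEVELS = ["low", "moderate", "high"]
# Impact dimensions, FIPS 199-style (an assumption of this example, not the article's).
DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class DataType:
    name: str
    impact: Dict[str, str]   # impact level per dimension
    retention_days: int      # how long a record must be kept after creation


def level_index(level: str) -> int:
    """Rank of a level; unknown levels are rejected rather than silently ranked low."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def high_water_mark(data_types: Iterable[DataType]) -> Dict[str, str]:
    """Per-dimension maximum over everything the system stores, processes or transmits."""
    hwm = {dim: "low" for dim in DIMENSIONS}
    for dt in data_types:
        for dim in DIMENSIONS:
            if level_index(dt.impact[dim]) > level_index(hwm[dim]):
                hwm[dim] = dt.impact[dim]
    return hwm


def system_classification(hwm: Dict[str, str]) -> str:
    """Overall system category is the highest of the per-dimension marks."""
    return max(hwm.values(), key=level_index)


# Assumed control baseline per classification level (illustrative names only).
CONTROL_BASELINES = {
    "low": ["access-control", "backup"],
    "moderate": ["access-control", "backup", "encryption-at-rest", "audit-logging"],
    "high": ["access-control", "backup", "encryption-at-rest", "audit-logging",
             "mfa", "dlp-monitoring", "annual-risk-assessment"],
}


def required_controls(classification: str) -> List[str]:
    """Controls the system must implement, chosen by its high-water-mark class."""
    return CONTROL_BASELINES[classification]


def disposition_date(dt: DataType, created: date) -> date:
    """Date on which a record of this type becomes eligible for destruction."""
    return created + timedelta(days=dt.retention_days)


# Constructed sample: one system handling three data types of differing sensitivity.
SAMPLE_SYSTEM = [
    DataType("marketing-copy",
             {"confidentiality": "low", "integrity": "low", "availability": "low"}, 365),
    DataType("customer-records",
             {"confidentiality": "high", "integrity": "moderate", "availability": "moderate"}, 7 * 365),
    DataType("booking-ledger",
             {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"}, 10 * 365),
]


def classify_sample():
    """Classify the constructed sample system and return (hwm, class, controls)."""
    hwm = high_water_mark(SAMPLE_SYSTEM)
    cls = system_classification(hwm)
    return hwm, cls, required_controls(cls)


if __name__ == "__main__":
    hwm, cls, controls = classify_sample()
    print("per-dimension high water mark:", hwm)
    print("system classification:", cls)
    print("required controls:", controls)
    for dt in SAMPLE_SYSTEM:
        print(dt.name, "eligible for destruction on", disposition_date(dt, date(2013, 5, 1)))
```

Note that one highly sensitive data type is enough to pull the whole system, and therefore its control baseline, up to "high", which is exactly the budget point Paelinck and Slemp make below: if sensitive data is not separated from the rest, everything on the system inherits the most expensive controls.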
"I think it is really hard to move from policy to action," says Charly Paelinck, senior vice president and CTO for Caesars Entertainment, of this disparity in the classification and retention world. "We've been building our policies, we've bought some tools, including DLP [and] archiving tools. But, first of all, discovering where all the different things are and then getting agreement to get rid of data has been pretty challenging for a large corporation like ours that's distributed."
As difficult as it can be, organizations that want to improve their risk management decision making should keep in mind how central classification is to planning better security on a limited budget.
"This ability to use data classification to stratify how you apply security to different types of data is not just a great thing from a security perspective, but also from an economical one," says Cal Slemp, managing director for Protiviti.
One of the difficulties many IT organizations run into as they try to put their classification policies into action is that they do so in isolation. If classifications are what risk management decisions will be built on, then line-of-business participation should be mandatory, says Paul Borchardt, vice president of client success for risk management vendor Vigilant. Data owners, he explains, should review and approve the assigned classification levels with a clear understanding of how those levels will determine the controls applied to their data.
"Approval should also be sought from legal, compliance, and risk management teams," Borchardt says. "Some regulations require board approval of data classification results and include this step as part of an annual recertification during the Information Security Steering Committee."
This is why it is crucial that classification be elevated in the eyes of senior management. According to Paelinck, many organizations, his included, face a struggle with leadership similar to the one they faced in the early days of disaster recovery.
"There's a parallel to the struggle that a lot of IT organizations went through with disaster recovery, [which is] if you can't get a definitive statement from senior management on what is critical with disaster recovery, IT is left in the position of creating a backup plan that is much more expensive than it needs to be," he says. "I think we have the same issue with sensitive data. If we don't clearly define what is sensitive and what is not, IT is left in the position of trying to guard everything."