6/21/2013
12:16 AM
Data Classification Can Boost Risk Management

The trouble is that organizations must execute on classification and retention policies to gain benefits

The effectiveness of data classification and retention policies can have strong ripple effects across an organization's entire IT risk management framework. After all, how data is classified can determine what risk management priorities are placed on it, and the less data that is retained long-term, the less volume the organization has to sift through to determine appropriate protection levels.

"Risk management practices should be based on data or system classification. System classification is simply the 'high water mark' of data stored, processed, or transmitted on the system," says Doug Landoll, CEO of Assero Security. "The required security controls for a system are based on the system classification. Risk management, as one of those controls, would be based on this as well."

Survey data released this week by IT risk management consultancy Protiviti suggests that many IT leaders at large organizations do understand the importance of solid data classification and retention practices. Among a pool of more than 200 IT decision makers, 72 percent reported that they have a data classification policy in place to categorize their organizations' information. But these same organizations are having a hard time making good on those policies, because the practices needed to execute written policy still lag: approximately 63 percent reported having an actual data classification scheme in place, and far fewer, only about 19 percent, reported a detailed classification system that determines when specific data is retained or destroyed.
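Landoll's high-water-mark rule above, combined with the date-based retention rules the survey asks about, can be expressed as a small policy check. This is an added example, not code from the article or from any vendor it mentions; the level names, retention periods and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Classification levels ordered from least to most sensitive (constructed).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Retention period per level in days (assumed policy values, not from the article).
RETENTION_DAYS = {"public": 3650, "internal": 1825,
                  "confidential": 1095, "restricted": 365}


@dataclass
class DataItem:
    name: str
    level: str
    created: date

    def __post_init__(self):
        # Reject unknown levels early: an unclassified item cannot be risk-rated.
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level}")


def system_classification(items):
    """High-water mark: a system inherits the highest level of any data it holds."""
    if not items:
        return LEVELS[0]
    return max((i.level for i in items), key=LEVELS.index)


def items_due_for_destruction(items, today):
    """Names of items whose retention period has elapsed as of 'today'."""
    return [i.name for i in items
            if i.created + timedelta(days=RETENTION_DAYS[i.level]) <= today]


def classification_after_disposal(items, today):
    """Destroying expired high-level data can lower the system's classification,
    and with it the set of controls the system must carry."""
    due = set(items_due_for_destruction(items, today))
    return system_classification([i for i in items if i.name not in due])


# Constructed inventory for one system, evaluated on the article's date.
SAMPLE = [
    DataItem("web content", "public", date(2010, 1, 1)),
    DataItem("HR records", "confidential", date(2009, 6, 1)),
    DataItem("card data", "restricted", date(2012, 1, 1)),
]
TODAY = date(2013, 6, 21)
```

Running `system_classification(SAMPLE)` gives "restricted", while `classification_after_disposal(SAMPLE, TODAY)` drops to "public" once the two expired records are destroyed, which is the cost-saving effect the article's sources describe.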


"I think it is really hard to move from policy to action," says Charly Paelinck, senior vice president and CTO for Caesars Entertainment, of this disparity in the classification and retention world. "We've been building our policies, we've bought some tools, including DLP [and] archiving tools. But, first of all, discovering where all the different things are and then getting agreement to get rid of data has been pretty challenging for a large corporation like ours that's distributed."

As difficult as it can be, organizations that want to improve their risk management decision making should remain cognizant of how important classification is to the process of planning for better security on a budget.

"This ability to use data classification to stratify how you apply security to different types of data is not just a great thing from a security perspective, but also from an economical one," says Cal Slemp, managing director for Protiviti.

One of the difficulties many IT organizations run into as they try to put their classification policies into action is that they do so in isolation. If risk management decisions are to be built on classifications, then line-of-business participation should be mandatory, says Paul Borchardt, vice president of client success for risk management vendor Vigilant. Data owners, he explains, should review and approve the classification levels assigned to their data, understanding what those levels will mean for how the data is controlled.

"Approval should also be sought from legal, compliance, and risk management teams," Borchardt says. "Some regulations require board approval of data classification results and include this step as part of an annual recertification during the Information Security Steering Committee."

This is why it is crucial that classification be elevated in the eyes of senior management. According to Paelinck, many organizations, like his, face a struggle with leadership similar to the one IT faced in the early days of disaster recovery.

"There's a parallel to the struggle that a lot of IT organizations went through with disaster recovery, [which is] if you can't get a definitive statement from senior management on what is critical with disaster recovery, IT is left in the position of creating a backup plan that is much more expensive than it needs to be," he says. "I think we have the same issue with sensitive data. If we don't clearly define what is sensitive and what is not, IT is left in the position of trying to guard everything."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
