Reghu Mohandas
Published in SecureLink
Jul 16, 2020

Classification of data within an organization is fundamental to protecting that data, as well as to applying rights that determine which users inside the organization can access it. Classification also justifies the level of security protection that needs to be spent to protect an organization's data and to ensure its continuity for business. Hence, classification of data is not just meant to apply confidentiality and restrictive access to data, but also to preserve its availability and integrity for an organization.

A data classification journey is one of the most significant exercises an organization can initiate, helping it to link investments in IT security practices to business interests.

There are a number of different approaches to building data classification schemes within an organization. However, the most logical one is where there is a direct association between the data being generated and its supporting business process. This allows the security attributes of data to flow from business to security, rather than the other way round.

A typical data governance framework successfully blends the requirements of a business with the expectations and rigors of its security policy requirements. Such a framework distinguishes itself from others by linking the levels of security control directly to the sensitivity and criticality of data in the context of the organization.

The framework helps to establish and deliver the following:

• Basis of the organizational data classification: why is this important?

• Guidance on classifying data: how do we classify data?

• Developing organization culture towards classification: who should be involved?

A key requirement in an organization’s data classification journey is to develop acceptance, ownership and appreciation among its end users of the benefits that it can provide for the organization as a whole. Ensuring, through end-user buy-in, that every aspect of the data generation process is included within the data classification process therefore remains a fundamental challenge.

The change management process around data classification is usually a top-down approach. This includes the top management, key stakeholders, and the custodians of the data generation processes, typically business managers of various levels. The change management process involves a number of structured, organization-wide workshops. These help end users navigate the data classification journey through its various stages: awareness and sensitization; application of the various policies, guides and labelling techniques; and finally, ownership of the positive gains and self-initiation.

Most organizations tend to adopt a specific approach when initiating their data classification journey. It usually begins with a comprehensive business analysis of the impact of data loss and compromised integrity on an organization. Questionnaires and interviews of business owners help establish the extent to which loss or compromise of a business process and its structured and unstructured data can affect the ability of an organization to function.

Identifying the most critical business processes logically brings into the spotlight their supporting critical IT infrastructure and the associated critical data attributes.

The analysis of data allows organizations to build data maps depicting the sensitivity and scope of use of data organization-wide. Another offshoot is the ability to generate keywords and context linked to critical data to control data leakage, vastly raising existing integrity levels and successfully implementing data security policies. Knowing where and how your crown jewels are protected helps Information Security teams plan further modifications to, or selection of, appropriate tools in their data classification journey.

Such an organization-wide exercise helps raise awareness amongst business owners as well as encouraging their buy-in into the program. If successful, they begin to apply the techniques of data labelling and classification in their day-to-day operations. And herein lies the true litmus test of the change management program.

By focusing on end-user sensitization and buy-in, classification is more likely to be intuitive and appropriate to the specific business process. This will finally help in successfully preventing loss and leakage of data.
