Informed CIO: Data Classification

Aug 01, 2009


Out of Sorts: 10 Steps to Effective Data Classification

Every day, businesses—and households, for that matter—classify information using intuitive, informal criteria. Sensitive documents, like passports and Social Security cards, are typically tucked away in a secure spot. We organize and track bills and payment records because the better we understand what we owe and what is owed to us, the better we can meet our obligations and increase future earnings and stability. In the context of enterprise risk and security management, classification is the process of categorizing data based on its sensitivity, so it can be properly handled from creation to disposal. HR and personnel records, for example, are generally stored in one location and managed as sensitive data, even if they’re not specifically classified as such.

If your company has yet to codify an information classification system, waiting until a few additional terabytes of data pile up will just make it that much more difficult to overcome inertia. If you’re subject to regulations such as SOX or PCI, auditors won’t wait. Still, to have any chance of success, the business benefits and compliance drivers for classification must outweigh costs, impact on productivity and cultural resistance. Fortunately—or unfortunately, depending on your perspective—CIOs have some alarming stats at their disposal: Merchant e-fraud totaled $4 billion in lost revenues last year, according to CyberSource’s 2009 Online Fraud Report. Data  breaches increased a staggering 47% in 2008, as calculated by the Identity Theft Resource Center. And our own InformationWeek Analytics 2009 Strategic Security Survey shows that both threats and applications/systems are growing increasingly complex—meaning we’d better start getting our classification houses in order now, before the degree of difficulty becomes untenable. (C020709)

Research Report