A recent article by Eric Lundquist in Information Week, titled “5 Black Hat Security Lessons For CIOs,” lays out important security lessons for CIOs. Among the five lessons, one strikes a particular chord – “Understand What You Are Protecting.” On the journey towards sensitive data protection, the starting point must be understanding exactly what constitutes sensitive data for your organization. Data is the lifeblood of most, if not all, organizations. A threat to the data often constitutes a threat to the overall well-being of the organization. Therefore, data classification and segmentation become vitally important in protecting the overall health of the company.
When classifying data, it is important to segment that data according to the level of risk associated with a compromise of that data. For example, information that will not do any harm to a company if it is exposed can be classified as “public.” Financial information, however, may cause significant harm to a company and should be classified “sensitive.” Segmenting data in this way not only helps to create a complete inventory of the data, but it also helps to prioritize the data protection needs of the organization.
Public information, for example, needs fewer and less robust protections than sensitive data does. Sensitive data should be protected with robust access controls, encryption and strong enterprise key management. Additionally, the two types of data should be logically segmented from each other. This also allows the company to deploy its security resources in the most cost-effective way.
It seems almost redundant to say that “in order to protect your data you must first understand it.” Unfortunately, however, it is not uncommon to find that companies do not have a full inventory of the types of data being stored, or even of where that data is stored. A comprehensive data inventory allows companies to decide not only whether they should be storing the data at all, but also how they should be protecting it.