Data Classification, Retention, and Security Part 1: What Do We Have Here?
Recent SEC and DOJ guidance has placed great emphasis on Data Security through Data Classification. Regulators are expecting you to classify your information based upon criticality and sensitivity, but where do you begin? Take a minute and think about all the data you have in your organization right now. We talk about IT Security here, so you might stop and first think about your customer records, maybe your firm’s Intellectual Property, and if you’re really thinking hard you might even stop to think about your Human Resources records. These are all excellent items to consider as you think about data security. But what about everything else? What about your vendor contracts? Your leases? Inter-Office Memos? Manuals? Drawings and Schematics? Business Plans?
The list can quickly make your head spin, and you find yourself back at your desk with the data still unclassified, only now with a headache. So how do you go about implementing a data classification program that works for you?
Take a moment (and some ibuprofen, if you need it) and start back at your most important resource: your people. Data classification is a project that, unless you’re at a single-person company, is too large to handle by yourself. Indeed, a solo effort may lead to misclassification (or to missing data altogether!). So get your team together and ask them to identify their data. What data does each department need to perform its critical function within your organization? As you develop your list, just listen to each department head and what they need. Write it down. When you’re done, you should have a pretty good idea of what data is necessary for each unit to successfully execute its role, as well as what data you have within your organization. As you query each department, be sure to ask how long they need to retain such data. Different units will have different answers. Some data may need to be retained in perpetuity, some only for a short period of time. The business itself may also have regulatory requirements for data retention; that is part of your discussion with Compliance.
Once you have an idea of what data you have and how long you need to keep it, schedule a meeting with your friendly IT Staffer, and discuss how much data you actually have and WHERE it is. If you haven’t kept on top of it, you’ll be amazed how often data multiplies. System migrations or infrastructure changes can lead to data being copied and stored in multiple locations. Work with your IT team to determine – for each server, workstation, or cloud-based solution – just what data is located in each place and how much of it is there. Keep in mind, you want to inventory items that may be stored off-site as well (including CDs, tape backups and remote drives).[1] Finally, take the time to ask your employees if they make any backups themselves, for any reason whatsoever. There are times when an employee may make a personal backup of their system, simply because they think it might be helpful to the IT team should something happen. Perhaps they are concerned that they have highly sensitive information that is not being properly backed up (or not backed up in a timely enough fashion). If this is the case, we highly recommend an in-depth review of the reasons for such backups, as they could be indicative of a larger problem.
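The inventory the two steps above build up, as an added example that is not part of the original post: a small Python register with one row per copy of each dataset (owning department, location, size, when the copy was made, the retention period the department gave, and whether IT or an employee made it). The departments, hosts, sizes and dates are constructed; the helpers answer the questions the post raises: how much sits where, which data has multiplied into several locations, which copies have outlived their retention period, and which are employees’ own backups.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class DataCopy:
    """One copy of a dataset, as found in one place during the inventory."""
    dataset: str            # the data, as the owning department names it
    department: str         # unit that needs it for its critical function
    location: str           # server, workstation, cloud service or off-site medium
    size_gb: float
    created: date           # when this particular copy came into existence
    retention_days: Optional[int]   # None = retained in perpetuity
    sanctioned: bool        # False = an employee's own backup, not IT's

# Constructed sample inventory (hypothetical departments, hosts, sizes, dates).
INVENTORY = [
    DataCopy("Customer records", "Sales", "crm-cloud", 40.0, date(2019, 1, 15), 2555, True),
    DataCopy("Customer records", "Sales", "fileserver-01", 38.5, date(2021, 6, 1), 2555, True),
    DataCopy("Customer records", "Sales", "laptop-jsmith", 12.0, date(2023, 3, 3), 2555, False),
    DataCopy("Vendor contracts", "Legal", "fileserver-01", 3.5, date(2015, 2, 1), 3650, True),
    DataCopy("Inter-office memos", "Operations", "mail-archive", 5.5, date(2016, 9, 9), 1095, True),
    DataCopy("Engineering drawings", "Engineering", "tape-offsite", 120.0, date(2012, 5, 5), None, True),
]
AS_OF = date(2024, 1, 1)    # constructed date on which the inventory was taken

def volume_by_location(inv: List[DataCopy]) -> Dict[str, float]:
    """How much data sits in each place (the question for the IT staffer)."""
    totals: Dict[str, float] = defaultdict(float)
    for c in inv:
        totals[c.location] += c.size_gb
    return dict(totals)

def multiplied_datasets(inv: List[DataCopy]) -> Dict[str, List[str]]:
    """Datasets present in more than one location, i.e. data that has multiplied."""
    places = defaultdict(set)
    for c in inv:
        places[c.dataset].add(c.location)
    return {d: sorted(p) for d, p in places.items() if len(p) > 1}

def retention_expired(inv: List[DataCopy], today: date) -> List[DataCopy]:
    """Copies held longer than the owning department said it needs them."""
    return [c for c in inv
            if c.retention_days is not None
            and (today - c.created).days > c.retention_days]

def unsanctioned_backups(inv: List[DataCopy]) -> List[DataCopy]:
    """Employee-made backups; each one deserves a review of why it exists."""
    return [c for c in inv if not c.sanctioned]
```

Each row is one copy, not one dataset, so the same data stored on a server, in the cloud and on a laptop shows up three times, which is exactly what the multiplication check needs to see.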
You’ve now inventoried all your data. Congratulations! It’s a huge achievement these days just to know WHAT you’ve got and WHERE it is! In our next post we will detail how you can begin classifying it. Stay tuned!
[1] Inventorying all devices is a basic tenet of the NIST Framework for Improving Critical Infrastructure Cybersecurity.