The regulatory expectation from both the SEC and the DOJ is that your firm will implement some form of a data classification system that will allow you to adequately protect your business’s sensitive information. We have previously discussed the creation and implementation of such a program. In this post we will take a look at administering your data classification program and the type of ongoing and periodic assessment recommended via the recent Division of Investment Management guidance.
Congratulations on making your way to this, our last, data classification entry in a three-part series. In Part I of our series, we reviewed locating your data and determining just what data your organization collects and retains. In Part II, we discussed creating a classification schema that will work for your company. In this entry, we will discuss the administration of your data classification plan as well as the ties from data classification to other important aspects of data security and general operations. In addition, we will specifically review the link between data classification and a properly crafted and executed incident response plan.
Much like any other process or system within your organization, and certainly in line with your typical compliance obligations for monitoring and review, your Data Classification program cannot be static. On a regular basis you should make time to review every aspect of the data classification scheme and ensure that it is still functioning as intended. Early on, it is important to review your program frequently, as you will likely be weeding out issues that you hadn’t thought of when you implemented your plan, or tweaking your classification types and levels to meet your business needs. Once things are functioning smoothly, it is tempting to just leave the program alone to run on auto-pilot. You must fight this urge and spend some time reviewing your data and the adequacy of the program as a whole.
When should you perform a review? For some industries, such as Financial Services companies, governed by the SEC, the “periodic assessment of the nature, sensitivity, and location of information that the firm collects, processes and/or stores, and the technology systems it uses” has been formally recommended in recent guidance. Data classification is mentioned in several forms of recent industry guidance and within the Identify function of the NIST CSF (Item ID.AM-5). We recommend a review of your data classification program (if it’s functioning properly and smoothly) on a semi-annual basis or “as-needed.” We understand that the “as-needed” is something of a catch-all cop-out but you should carefully consider what “as-needed” means. When we develop a data classification plan, we will always define several as-needed “trip points” that will automatically trigger a review, while allowing for a periodic inspection that is at the discretion of the individual or team managing the data classification program. At a very minimum, we recommend triggering an as-needed review in the following instances:
- A data owner leaves your company, or a new data owner is appointed due to an internal role change. This type of staff turnover is an ideal time to review that owner’s (or department’s) data. Take the time to determine whether the data within the department has been classified properly. Review the access controls surrounding the data. Do the proper individuals have access and, more importantly, are there any unnecessary connection points that can be eliminated? A role change is an excellent time to do some data classification (and segregation) housekeeping. At the same time, make sure to incorporate periodic reviews of static departments as well. Consider reviewing one department per half-year (or year) to ensure that you don’t leave any stone unturned.
- There is a significant change in data collection points. If your firm has traditionally only handled institutional funds and has just opened its doors to accredited investors, you will certainly want to review your Data Classification Program to cover your newly acquired Personally Identifiable Information (PII). Keep in mind, however, that the addition of certain individual data points should also trigger a review. For instance, the State of California considers usernames, passwords, and security questions and their answers to be PII as well. If your firm adds a new web portal for its clients that asks these types of questions and, correspondingly, stores this data, you will want to review that part of your program.
- A significant corporate event occurs. In the event your firm acquires another entity, or is acquired itself, and the goal is to merge information systems, an in-depth review of your data classification program should be undertaken. At the very least you must consider the other firm’s data collection and retention policies and how its data will fit into your policy. If your firm is adopting the other firm’s information security strategy, you should take the time to determine how best to integrate the two programs. Finally, a significant event such as the addition or spin-off of a division should also trigger a review. New business lines carry new data points with new security needs, and a spin-off deserves the same attention to ensure that you close any potential data-leakage points.
These specific review concerns should not eclipse a general review of your program on a regular basis. Your Information Security Committee or other comparable governance body should spend the time to review the overall adequacy and effectiveness of your data classification program. While there are certainly legal considerations that must be reviewed (i.e., are you encrypting data that must be encrypted by state law?), we recommend that your review always consider your business needs. The security of your information is certainly important, but you should strive to ensure that data classification and the resultant segregation are as unobtrusive as possible. If a specific part or function of your plan is grinding business to a halt, you must review and adequately address the security surrounding that data point while loosening restrictions sufficiently to allow for smooth business operations. Simply put: if your data classification program is impacting your business negatively, it must be reformed.
If things are going well, however, you should take the time to expand the scope of your data classification program to include data segregation. Consider developing policy to ensure that certain data classes are restricted to the individuals who need to have access to them. You can work with your IT department to implement the technical controls required to restrict this data access. In the event of a breach, having reduced access based upon roles and your data classification scheme can significantly reduce both the amount of data accessed and your liability.
Finally, if you are taking the step of restricting access to data based upon your scheme, we recommend tying your incident response plan to your data classification levels. As you develop or test your plan, consider the unauthorized access of data at each of your classification levels. Develop a response plan for each level of data classification that you have put in place. And, as always, test those response plans to ensure that each responds appropriately to the severity of its breach. When gaps are identified, take the time to determine whether your data classification program needs to be altered or whether your incident response plan requires modification. Securing your data more effectively now can often be a more economical solution than responding to a breach later.
Incident response plans and data classification programs are complex and nuanced business issues. Although we have tried to provide a general level of understanding in our blog posts, specific information must be tailored for every firm. If you have any questions regarding the creation, implementation, and maintenance of a data classification program or an incident response plan please feel free to contact me directly at Lyman@ArtemisSecure.com or 860-248-4100 x804. I’m pleased to guide you!