As a security professional, I
understand the importance of using data classification to protect a company. The day of believing that the firewall will
protect you is unreal. Today lots of
companies treat computer security like a tomato, “secure” on the outside but
leave a soft and mushy target on the inside. We need to rethink this and classify our data
based on the risk and value to the company. As users click on emails and bad web sites,
the risk of successful attacks like ransomware and other security breaches
increase.
As a security professional who deals
with this issue regularly, it amazes me that companies do not have a process to
understand what data in the company is more important than another. One of the first steps I undertake as a
consultant is to understand what a company has from both an infrastructure and
data focus.
Does your company have baselines on
your servers and network technology?
Do you know what services are running
on your servers?
Do you know what ports are open?
If not, how would you know if you were
compromised?
Do you use a change management system
to approve, test, update systems and record new baselines?
Have you created a portfolio of all the
applications that you use, and who is responsible for them?
For the applications you have running,
do you understand the workflows and interactions between systems?
Have you built a data classification
process that is used by the company? Listing, for example, the following
classifications: Finance data, Human Resources data, Customer data, Public data
etc.? Not all data in a company needs
the same level of protection.
After building a data classification
process, you can next work on the data owners starting to put the data the
company owns into proper classifications.
There is tool that you can use to help
you with this task. For example, in Windows, there is the File Server Resource
Manager (FSRM). One of the features in
FSRM is File Classification Infrastructure
that provides a company insight into their data by automating classification
processes so that the company can manage its data more effectively. Companies can classify files, and apply
policies, based on classification. Example policies include dynamic access
control for restricting access to files, file encryption, and file
expiration. Files can be classified
automatically by using file classification rules, or manually, by modifying the
properties of a selected file or folder.
Until companies start to think about their
data, and what must be protected, companies will continue to see major breaches
to their systems. Infrastructure needs
to be understood. Systems need to be baselined.
And, processes documented. Companies need to train users on what to look
for, and what to do, if they have concerns about possible security incidents. Companies need to train employees on email,
possible attacks and vulnerabilities, and what an employee should do if they
suspect a possible problem.
Companies need to create, and USE data classification systems to
protect and add the appropriate level of security, to those data classifications
that the company agrees are an issue. Companies do not have unlimited resources, so companies
should spend time and money protecting those things that are most important to
the company.
This is the first of a group of blogs
on this topic.
