5 Steps to Implement Data Sensitivity Classification


Table of Contents

There’s a good reason that roughly 68 percent of business leaders feel the cybersecurity risks for their company are increasing, according to recent research by Accenture. They are increasing.

From phishing to incidental data exposure as a result of human error, data breaches are becoming increasingly common among organizations of all types. In the first half of 2020 alone, more than 36 billion corporate records were exposed by mistake, according to RiskBased Security.

Part of the problem is that most companies still struggle with identifying the full scope of the data generated by their organization, and fail to classify it based on sensitivity level. More than half of all data within the typical company is unclassified or untagged. Without understanding the sensitivity of data, it is hard to properly secure it.

Sensitivity classification is a foundation for proper data security, and the good news is that establishing a robust classification system is not as hard as it was even a decade ago.

There are five basic steps for implementing a comprehensive data sensitivity classification system.

Step 1: Make a Data Classification Plan

The first step is developing a plan for data classification that fits the needs of the organization.

Data classification is essential for risk mitigation, but other frequent use cases for it according to Gartner research include governance/compliance, efficiency and optimization, and analytics support. So defining classification objectives should be the starting point for your plan, including which systems are in scope for the initial classification process, and any regulatory frameworks for data that the company must follow.

Once those core considerations are defined, organizations should categorize data according to type, such as personally identifiable information or intellectual property, and define data classification levels.

For more on this step, read our article, How to Develop a Data Sensitivity Classification Plan.

Step 2: Define the Automated Classification Process

There are three ways that each piece of corporate data can get classified. Data can be manually classified by employees, it can be classified automatically by data discovery and security systems, or organizations can take a hybrid approach that combines both automated and manual classification.

As the heading for this step implies, most organizations will want at least some measure of data classification automation because complete manual classification is functionally impossible. Besides, there’s no point in making classification a manual process.

Most businesses that successfully classify data according to sensitivity take a hybrid approach that combines comprehensive automated data discovery and classification with an ongoing manual audit of data classification performed by the system.

There are several robust data discovery and classification solutions on the market, including Qohash’s cloud-based Qostodian platform that can uncover sensitive corporate data even on public cloud servers and personal computing devices within an employee’s home.

As part of this step, businesses also will define what data should be scanned first, the frequency of scanning, and the resources used for maintaining data classification.

Step 3: Specify Classification Criteria and Review

With a data classification solution in place, the third step is defining the criteria for classification, and the process for verifying correct classifications.

In terms of classification criteria, an organization will want to define the classification patterns and labels within the automated solution that will be required for correct classification. This will be easy or hard depending on the organization’s knowledge of its complete data footprint, the schema developed during the classification planning phase, and the automated data classification solution that has been chosen.

Businesses also should specify the process for reviewing the automated data classification as part of this step, and the process for validating its ongoing accuracy.

Classification accuracy typically is broken down into two measures, according to the Association for Information and Image Management (AIIM):

> What percentage of the automated solution’s data classifications are the same as a human would assign? Perfect precision means that all data is classified in the same way as what would be achieved by manual classification.

> A distinct but related metric, what percentage of all valid data is the automated solution able to classify correctly for a given data category? Perfect recall means that all corporate data intended for inclusion is classified correctly by the solution.

Step 4: Establish Overall Outcomes and Classified Data Usage

Data classification is not an end unto itself, so the next step is defining and setting up the analytics and security processes that will take place as a result of data classification. This is where the classification usage and overall outcomes are defined and implemented. From a data security perspective, this also is the payday for all the steps that came before.

Where possible, outcomes based on data classification should be automated so they can take place in real-time with minimal opportunity for latency between data creation and the use cases based on classification. This is especially critical for security processes built around sensitive data classification, because data such as intellectual property and personal identifying information requires immediate security action.

As part of this process, test and review outcomes prior to systems rollout to verify that they conform to all objectives specified in the organization’s data classification plan.

Step 5: Monitor and Maintain Classification

The final step is one of the most important.

Data classification is not one and done, so establish a process for discovering and classifying corporate data resources on an ongoing basis. This includes specifying the frequency of discovery and classification if it is not performed automatically in real-time.

Along with establishing an ongoing data classification process, businesses also should define a process for periodically reviewing data classification categories and the classification process overall.

If regulatory compliance is one of the objectives for the classification effort, this should include specifying a process for monitoring regulatory changes on an ongoing basis for continued data classification relevancy.

Ensuring that all sensitive corporate data is properly secured is not an instant process. But at the same time, it is easier than many businesses realize. All it takes is awareness of the corporate landscape, a little structured planning, and the right data automation technology in place.

Much of this process, from data discovery to automatic real-time classification of sensitive data, can be handled by Qohash’s Qostodian solution. Contact us for a Qostodian demo or guidance on how to simplify your company’s data security operation.

A propos de l'auteur

A propos de l'auteur

Recommended for you

Data governance best practices
Data is at the core of decision-making and strategic planning for many digital-based organizations. Implementing robust data governanc...
Data access governance
If you want to keep your data safe and secure and make sure your information doesn’t get into the wrong hands, you’ll want to make sure y...
qohash qostodian recon logo
Qohash is pleased to announce a significant update to the Qostodian Recon scan engine, designed to enhance speed, accuracy, and explainab...
data migration challenges (1)
With every instance of moving data around, there are at least a dozen things that could go wrong. While data migration is essential fo...
data security posture management vs cloud security posture
As cyber threats continue to evolve, it’s important that businesses prioritize both data security posture management (DSPM) and Cloud Sec...
create an insider risk management policy
When it comes to protecting your company’s most valuable assets and sensitive data protection, knowing how to create an insider ris...
Logo Qohash
By initiative
Regulatory compliance:
Find, classify and inventory all sensitive data, across every data source
Data breach prevention:
Monitor sensitive data 24/7, track data lineage, and enforce policies at endpoints
Microsoft 365
One easy-to-use platform to secure sensitive data on Windows workstations and M365
By regulation
Law 25
Why Qohash
Defy legacy limitations
What our customers say about us

Contact us​