Techno Savvy
Implementing Data and Asset Classification

Our organization is planning to implement data and asset classification and handling. We have drafted the policy and procedures and submitted them to senior leadership.

I am curious to get some help and feedback on how this can be completed in the real world. How do we begin? What processes must be involved? What tools will be needed?

I appreciate any tips and suggestions.

Ganesh Anand

Data classification is the process of organizing structured and unstructured data into defined categories that represent different types of data. Standard classifications used in data categorization include:

  • Public
  • Confidential
  • Sensitive
  • Personal

The first step is to identify the information assets (payroll records, health records, admission data).

Identify the data asset owner (Board of Trustees, Controller and Director of Budgets, Research).

Evaluate the data asset (confidentiality, integrity, availability).

Assign the data classification (SSC, financial data, information system).

Implement data handling controls (control keys for confidentiality, integrity, availability; retention, destruction, auditing).

Implement a DLP tool to be compliant with the regulations listed below.

  • GDPR
  • HIPAA
  • ISO 27001
  • NIST SP 800-53
  • PCI DSS

I have experience with the Boldon James & Forcepoint DLP tools, which we have implemented. There are plenty of tools on the market; however, choose wisely to fit your needs and requirements.

ASKER CERTIFIED SOLUTION
btan
Techno Savvy

ASKER
Thank you all for the precious advice here.

Let's say that we are implementing a new Data Classification policy and we have defined these classifications for the data: Confidential, Internal, Private & Public.

We are using ManageEngine for asset management. The initiative coming down from on high is that we are to start with servers, some of them critical, such as database, domain controller, application, ERP, and internet-facing servers.

1- Add the servers to the asset inventory with all the details.

2- Assign the owners (data owner, custodian). The question: who should be assigned as owners? Here we have the CEO, CIO, and HODs for Infrastructure, DB, Application Development, Web, ERP, Security, & Networking.

3- Classify the assets based on the data they store.

4- Add the CIA loss impact.

5- Apply controls such as DLP on the DB.

6- Put the physical labels on the servers.

Classification is a real pain; we want to keep it as simple as we can.

Any thoughts?


madunix

4- Add the CIA loss impact

It would be best if you had formal processes in place to ensure the CIA of your protected data. Check my article https://www.experts-exchange.com/articles/34811/The-Principles-Of-Information-Cybersecurity-CIA-Triad.html

For classification, we need to identify data, systems & documents to add them to the asset inventory tool.

But how do we handle data such as PII or PHI? Any guidance on that please; I'm a little confused here. How do you do it in the real world?


Basically, I would start with an asset register in a spreadsheet and share it with all departments. Once they fill in all the information, we can put it into our asset inventory and start working on classification.

Does that sound good?


One thought is to avoid something overly complex. The only people that can genuinely classify data are the business/data owners. Often it's not only the data but the context the data lives in.


The business risk determines data classification, i.e., the potential impact on the business of the loss, corruption, or disclosure of information. It must be applied to information in all electronic and physical forms (paper) and should be applied by the data owner, not the security manager.


Significant sections of this Data Classification Policy include:

  • Definition of data classification levels
  • Data owner roles and responsibilities
  • Security controls and handling instructions for each level


Soon we will be onboarding an asset inventory tool which will help us discover all assets by running a scan on the network.

Let's take the example of endpoints: once discovered, we cannot determine the asset owner and sensitivity.

How do we fix this issue?

Shall we send the asset register to all departments after discovering the assets in the inventory tool, so that the HOD can assign the asset owner and classification?

Do you have any better approach? Please do share.

Eventually, we want all assets and information added to the inventory with all details of ownership and classification.

I appreciate your time and efforts.
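Added example (not from any poster in this thread) of one way to review the spreadsheet asset register discussed above before its rows go into the inventory tool: it flags discovered assets with no owner or custodian, rejects labels that are not one of the four policy levels, and compares each label with the CIA loss impact. The rank order of the levels, the low/medium/high impact scale and the impact-to-level mapping are assumptions, and the register rows are constructed.

```python
import csv
import io

# Policy levels from the thread, ranked least to most sensitive (assumed order).
LEVELS = ("Public", "Internal", "Private", "Confidential")
# Assumed three-point loss-impact scale for each of C, I and A.
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Constructed sample register. The empty rows mimic endpoints that the
# discovery scan found but that no department has claimed yet.
SAMPLE_REGISTER = """\
asset,type,owner,custodian,classification,c_impact,i_impact,a_impact
erp-db-01,Database,HOD ERP,DB team,Confidential,high,high,high
dc-01,Domain Controller,HOD Infrastructure,Infra team,Confidential,high,high,high
www-01,Web,HOD Web,Web team,Internal,low,medium,medium
ws-0423,Endpoint,,,,,,
ws-0424,Endpoint,,,Secret,low,low,low
"""


def suggest_level(c, i, a):
    """Assumed mapping: the worst of the three loss impacts sets the level."""
    worst = max(IMPACT[c], IMPACT[i], IMPACT[a])
    return {1: "Internal", 2: "Private", 3: "Confidential"}[worst]


def review_register(text):
    """Return {asset: [findings]} for rows that should go back to the HOD."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues = []
        if not row["owner"]:
            issues.append("no data owner assigned; route to the HOD for this asset type")
        if not row["custodian"]:
            issues.append("no custodian assigned")
        label = row["classification"]
        if label not in LEVELS:
            issues.append(f"classification {label!r} is not a policy level")
        if all(row[k] in IMPACT for k in ("c_impact", "i_impact", "a_impact")):
            suggested = suggest_level(row["c_impact"], row["i_impact"], row["a_impact"])
            if label in LEVELS and LEVELS.index(label) < LEVELS.index(suggested):
                issues.append(f"classified {label} but CIA impact suggests {suggested}")
        else:
            issues.append("CIA loss impact not rated")
        if issues:
            findings[row["asset"]] = issues
    return findings


if __name__ == "__main__":
    for asset, issues in review_register(SAMPLE_REGISTER).items():
        print(asset, "->", "; ".join(issues))
```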
