As compliance evolves, it's time to re-address data classification
Compliance rules like GDPR and the CCPA require a fresh look at a company's data classification policy, and particularly at how it defines its wide variety of unstructured data.
The European Union's General Data Protection Regulation (GDPR) has put the spotlight on what data companies keep, how they store it and how they use it. But Jason Rader, the national director of network and cloud security at Fortune 500 technology provider Insight Enterprises, said most organizations remain too limited in their efforts to comply with the GDPR requirements. These organizations focus only on the data in their databases and applications instead of corralling unstructured data residing on laptops, smartphones and devices on the edge, Rader said.
What's more, companies focused on meeting GDPR requirements might not be ready for, or easily able to meet, the California Consumer Privacy Act of 2018 and any future, similar laws. Rader said companies instead should revisit their data classification efforts to ensure they're compliant with existing data-related laws and well-positioned to meet the new ones that are on the horizon. In this Q&A, Rader offers advice about how companies should approach this task.
Your firm has called for executives to revisit their data classification program and associated initiatives. Do companies need a new plan?
Jason Rader: I would say that "new" should probably be replaced with "complete" data classification initiative. It is likely that they didn't have a very solid data classification program in place beforehand, and they probably engaged just enough with the GDPR initiative to be compliant.
What should a "complete" data classification initiative entail?
Rader: To help those that would like a very prescriptive model, [there's] the NIST SP 800-60, which relates to the categorization of information and information systems. [In my] generalization, it's the following:
- Know the different types of data that you have in your organization and where [that data] is.
- Define the security controls that MUST be enabled to protect each data type.
- Put those controls in place, whether [the data is] in the data center or in the public cloud. Regardless of whether the data you are trying to protect resides in your data center, in the cloud or somewhere else, you should apply the appropriate controls there.
- Once the controls are in place, evaluate their effectiveness.
- If the appropriate controls are found to be sufficiently implemented, then the system can be moved into production, [and] exceptions must be documented and accepted.
- Rinse and repeat.
If there's a framework available, why do you still see organizations falling short?
Rader: Most organizations may say their GDPR quest has engaged this process. However, the focus is again on "complete" -- some companies forget about all the data that is sitting in email, log files, Excel/Word/PowerPoint documents. These unstructured bits of data are just as regulated when they contain regulated data. Many organizations will attack a new compliance initiative by assessing their core business systems and workloads and leave the unstructured data for later. It's an age-old problem.
If it's an old problem, why the urgency? What makes this problem more taxing today?
Rader: What I would propose to an organization that has just finished with a GDPR initiative is that they should leverage the momentum that they've created in getting to this point to do a complete job. People are assigned to roles, reporting is in place, budget is allocated, senior leadership is interested. Continue to understand all the risk the organization is exposed to by including all data in the exercise.
How should this new data classification initiative get at the unstructured data?
Rader: This is going to involve people, process and technology. There are pieces of technology that can sit on the endpoints, there are network and data center tools, there is user training, there are policies that can be put into place, like "no saving data locally."
How should organizations use the data classification plan to better meet the requirements of GDPR, the California law, its own security needs and any future laws? In other words, how does an organization leverage a new data classification initiative and reduce its risks?
Rader: My main advice here is not to just focus on a single compliance effort like GDPR with your [data] security program. A comprehensive program with all the systems categorized, security controls defined and implemented, with ongoing assessments and updates is the way to go. Then when a new compliance requirement comes along like the "right to be forgotten," it's just a matter of dealing with the gaps.
What exactly is the CIO and the IT department's role in all this?
Rader: The data protection officer is the named person in GDPR who holds the bag. The CIO is probably going to take some functional responsibility as well, but it depends on the organization and reporting structure. At a minimum, the CIO will help with reporting compliance, and the IT folks are typically custodians of the data, which means they are responsible for implementing and maintaining the controls that are put into place to monitor and protect the data. It's the owners -- the business units -- who should be classifying the data. That may be a major breakdown in a lot of organizations.
You have said, "Unstructured data almost means unclassified, unmonitored and unwatched." What should organizations do to counteract that? What should their game plan be?
Rader: Ultimately, simply including unstructured data in all activities regarding data classification and risk assessments would get some attention on the matter and lead to an organization determining the appropriate balance of the people, process and technology in their approach based on what they have and what their business goals are.
Where are you seeing U.S.-based organizations making the most mistakes when it comes to meeting GDPR requirements?
Rader: They're focusing just on GDPR. Chasing a particular regulatory requirement or chasing a particular threat like ransomware is the worst way to approach an overall security program. They need an overall program, and that's where the data classification program comes in. They need to understand more than just GDPR-regulated data. They need to understand the different data types they've got, how they use it, where it exists and the amount of risk it presents to them. That's a better approach.