Defining your data via data discovery and classification is the foundation for data security strategy. The idea that you must understand what data you have, where it is, and if it is sensitive data or not is one that makes sense at a conceptual level. The challenge, as usual, is with execution. Too often, data classification is reduced to an academic exercise rather than a practical implementation. The basics aren’t necessarily simple, and the existing tools and capabilities for data classification continue to evolve.* Still, there are several best practices that can help to put you on the road to success:
- Keep labels simple. At a high level, stick to no more than 3 or 4 levels of classification. This reduces ambiguity about what each classification label means. Lots of classification labels increases confusion and the chance for opportunistic data classification (where users may default to classifying data at a lower level for ease of access and use).
- Recognize that there are two types of data classification projects: new data and legacy data. This will help to focus the scope of your efforts. Commit to tackling new data first for maximum visibility and impact for your classification initiative.
- Identify roles and responsibilities for data classification. Consider data creators, owners, users, auditors (like privacy officers, or a risk and compliance manager), champions (who’s leading the classification initiative?). Data is a living thing and all employees have a role in classification. Classification levels may change over time as data progresses through its lifecycle or as regulatory requirements evolve.