DO YOU KNOW YOUR DATA?
Most organizations with valuable information protection system would not have classified their data if not for the need for compliance audits or requirements. Great value is harvested when your information protection system is built on a solid foundation involving well-thought-out data classification, after all, compliance is not protection.
Data classification is one of the first steps on your journey to getting your information protection solutions right. It entails labeling your data, be it in the cloud or on-premise, to know what level of protection should be given to such data. The level of protection is based on how valuable that data is to the business. A PowerPoint containing key business strategy decisions could easily get in the wrong hands if left unprotected, in a USB, stolen laptop, or accidentally forwarded to someone outside the organization.
These scenarios are highly probable but can easily be mitigated by classifying your data and applying security controls such as encryption on them. But to do this first, you need to discover your data, engage with necessary stakeholders within your business to assign a level of importance to these documents and then the technology can step in to automate and maintain such classification.
It is not really that simple! A lot involves getting the right people to decide on labels, getting executive sponsorship, and looking out for external regulatory contexts such as PIPEDA, GDPR, HIPPA, etc.
Microsoft 365 data classification solution and other information protection services are available with your Office 365 Subscription. Once you have implemented this, it is much easier to quickly take on retention policy, data loss prevention, and data-related security controls within your cloud environment. Having implemented related solutions for mid and large size businesses, here are few tips on successful implementation.
1. Involve People: It entails changing how users interact with their document, involving them early and throughout the project is important.
2. Test and Test: Having detailed test cases on multiple platforms and applications will reduce surprises.
3. Start with a pilot: Start with a pilot test, involve at least 2 people from a different line of business.
4. Think ahead: if you will be implementing some other related controls such as retention and DLP make sure your classification covers their use cases.
Classifying your data allows you to implement multiple layers of defense against data exfiltration and other data threats such as data loss prevention, retention, and record management.