Security

Mission impossible: Data identification and prioritization

Protecting your organization's most precious data is the goal, but not all data needs the same degree of care. Thinking strategically about what is most valuable can help you focus attention and funds where it's most needed.
Today humans create more information in two days than was created from the dawn of man to 2003 (if only cavemen had Twitter: Spent day looking for food #grunt #woollymammoth). The speed of growth and velocity of data creation is mind-boggling (90% of all data was created in the last two years). Businesses are becoming overwhelmed with data (including structured as well as semi/non structured). From a security practitioner's perspective, securing this data seems like mission impossible. The immediate thought would be to classify the data. Data classification has long been touted as a necessity for addressing data security issues. However, it is an expensive and cumbersome process that is overtly excessive for most companies (unless you're the CIA). The more effective approach would be to identify your mission critical data and its location.

The premise of data identification (and prioritization) is based on the assumption that not all data is created equally. Some data is more valuable than other data. From an economic perspective, it does not make sense to protect all data equally. Does it make sense to have sensitive corporate merger documents under the same level of protection as the Miley Cyrus MP3s on the marketing intern's laptop? Think about where you store your personal valuables: safety deposit box, combination safe, or liquor cabinet (this tends to house the prized possessions of the overworked IT pro). The point is that you wouldn't store your gym socks or your "Reagan trounces Mondale" newspaper in these secured areas (nor would you store your most valuable items out in the open). Logic would dictate that the most critical data should be under stronger control (plus it's more cost effective!).

Most IT security professionals find themselves in the unenviable position where they are expected to do more with fewer resources. What would be more cost effective than focusing on protecting the higher risk data assets? Take that first step and identify the certain types of valuable data and prioritize accordingly. Whether it be member/customer data, personal data, or commercially valuable data. Ask yourself, what data/information, if it left the organization, would cause all hell to break out? Make no mistake - this is not simply an IT endeavour. The identification and prioritization of critical information is an enterprise-wide initiative. Engaging the entire business allows for critical data to be prioritized in the greater context of strategic business objectives.

It is simply not efficient nor sustainable to apply the same blanket level of protection, storage and management requirements to all information. Once you know what data needs the most protection, you can properly allocate the funds and resources to best defend those assets and shift to an information-centric security paradigm.

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

2 comments
maconrad
maconrad

Any organization worth its salt will have a records management program. Among other things, this program should identify all of the vital records of the organization. The program should also have developed retention schedules that indicate how long particular data/records need to be kept. These retention schedules are generally signed off on by senior management and the legal department. Checking in with the records manager might be a good place to start your prioritization.

PeterSS
PeterSS

This is a good article, and encapsulates the problems many of us are facing. However, it would be useful to know what solutions are available to help with this work, both in identifying critical data, separating it, and protecting it. I work for a local authority in the UK, and we have faced this issue for years. To date, we have treated all our data as sensitive, but this is becoming unworkable, so now we need to start the job of separating and protecing the data. It would be useful to hear from people who have done this already.