How Data Classification and Data Loss Prevention Go Hand in Hand
In an age when data can no longer be left unsorted on company networks and data transparency and the protection of sensitive data have become key to reaching compliance with legislations such as the EU’s General Data Protection Regulation (GDPR) and HIPAA, FISMA, NIST etc. in the US, data classification and Data Loss Prevention have emerged as essential tools for effective data management strategies.
In this week’s blog post we take a closer look at data classification, what it is and how DLP solutions benefit from integration with it.
What is Data Classification?
Much like its name implies, data classification is the process of organizing data into appropriate categories for a more efficient use and protection of data across company networks.
In the context of information security, data is tagged based on its level of sensitivity, making it easier to find, track and safeguard sensitive information. In this way, data classification significantly contributes to risk management, regulatory compliance and data security.
For an effective data classification policy, categories need to be kept simple so all employees can properly apply them. While these vary depending on companies, four major categories are usually used when it comes to sensitive data:
- Highly sensitive data: information that, if made public, puts the company in danger of legal action, regulatory noncompliance or financial loss. This refers especially to personally identifiable information, but also company records and other categories of data deemed sensitive depending on the industry.
- Internal sensitive data: information that, if revealed, can pose a risk to company operations. These include sales data, customer information, employee salaries etc.
- Internal data: information that while not sensitive is not publicly available such as organizational charts, marketing strategies etc.
- Publicly available data: information that everyone within and outside the organization has access to, for example, product descriptions, company address etc.
While the temptation is great to categorize all data, few companies can afford to. Given the enormous amounts of data organizations now process, it’s only natural that tagging every item of data is a cumbersome, time consuming and ultimately expensive endeavor.
It is therefore essential that companies build their own data classification categories that include both sensitive data as defined by various regulations that they are obligated to comply with as well as what can be considered industry specific sensitive information.
Making sensitive data easily identifiable to a data processor is essential under new regulations such as the GDPR that require companies not only to be able to find such data and protect it, but to demonstrate their ability to do so. It is also important for organizations to comply with users’ requests to access or erase their personal data within a given time frame. Failure to do so can result in heavy fines and a loss of customer trust.
How Data Classification works with Endpoint Protector
By building CAP policies using custom dictionaries containing the data classification tags used by an organization, Endpoint Protector’s content scanner can pick up metadata consisting of the tags added by data classification solutions.
In this way, different remediation actions can be applied depending on data classification tags. For example, policies can be created that block the transfer of data tagged as “highly sensitive” or that only report the transfer of “internal data”.
Endpoint Protector currently extracts classification metadata from over fifty file types with new ones being added all the time.
Data classification represents an added layer of data security when used in conjunction with DLP solutions. It allows employees to mark highly confidential documents, instantly making them recognizable as sensitive data to DLP solutions scanning data classification tags, thus ensuring that the right policies are applied to restrict or block their transfer.