How Data Classification and Data Loss Prevention Go Hand in Hand
In an age when data can no longer be left unsorted on company networks, and when data transparency and the protection of sensitive data have become key to complying with regulations such as the EU's General Data Protection Regulation (GDPR) and, in the US, HIPAA, FISMA and the NIST frameworks that agencies and contractors are held to, data classification and Data Loss Prevention (DLP) have emerged as essential tools for effective data management strategies.
In this week’s blog post we take a closer look at data classification, what it is and how DLP solutions benefit from integration with it.
What is Data Classification?
Much like its name implies, data classification is the process of organizing data into appropriate categories for a more efficient use and protection of data across company networks.
In the context of information security, data is tagged based on its level of sensitivity, making it easier to find, track and safeguard sensitive information. In this way, data classification significantly contributes to risk management, regulatory compliance and data security.
For a data classification policy to be effective, categories need to be kept simple so that all employees can apply them correctly. Although the exact scheme varies between companies, four major categories are commonly used for sensitive data:
- Highly sensitive data: information that, if made public, exposes the company to legal action, regulatory noncompliance or financial loss. This refers especially to personally identifiable information (PII), but also to company records and other categories of data deemed sensitive in a given industry.
- Internal sensitive data: information that, if revealed, can pose a risk to company operations, such as sales data, customer information or employee salaries.
- Internal data: information that, while not sensitive, is not publicly available, such as organizational charts or marketing strategies.
- Publicly available data: information that everyone inside and outside the organization has access to, for example product descriptions or the company address.
While the temptation to categorize all data is great, few companies can afford to do so. Given the enormous amounts of data organizations now process, tagging every item is a cumbersome, time-consuming and ultimately expensive endeavor.
It is therefore essential that companies build their own data classification categories, covering both the sensitive data defined by the regulations they are obligated to comply with and whatever counts as industry-specific sensitive information.
Making sensitive data easily identifiable is essential under regulations such as the GDPR, which require data controllers and processors not only to be able to find and protect such data, but to demonstrate their ability to do so. Organizations must also be able to act on data subjects' requests to access or erase their personal data within the statutory time frame (one month under the GDPR, extendable in complex cases). Failure to do so can result in heavy fines and a loss of customer trust.
How Data Classification works with Endpoint Protector
By building Content Aware Protection (CAP) policies that use custom dictionaries containing the classification tags an organization has adopted, Endpoint Protector's content scanner can match the metadata tags that data classification solutions write into files.
In this way, different remediation actions can be applied depending on the classification tag. For example, policies can be created that block the transfer of data tagged as "highly sensitive" while only reporting, but not blocking, the transfer of "internal data".
Endpoint Protector currently extracts classification metadata from over fifty file types with new ones being added all the time.
Data classification represents an added layer of data security when used in conjunction with DLP solutions. It allows employees to mark highly confidential documents, instantly making them recognizable as sensitive data to DLP solutions scanning data classification tags, thus ensuring that the right policies are applied to restrict or block their transfer.
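The following added example sketches how a DLP content scanner can act on classification tags stored in file metadata, as described above. It is example code written for this post, not Endpoint Protector's implementation. It assumes the labelling tool writes the tag into the custom document properties part of an OOXML file (`docProps/custom.xml`) under a hypothetical property named `Classification`, or under the `MSIP_Label_<guid>_Name` property that Microsoft Information Protection uses; the tag-to-action dictionary, the file names and the sample documents are all constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# OOXML namespaces used by docProps/custom.xml (fixed by the Open XML spec).
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Hypothetical "custom dictionary": classification tag -> remediation action.
# The tag names mirror the four categories described in the post.
POLICY: Dict[str, str] = {
    "highly sensitive": "block",
    "internal sensitive": "block",
    "internal": "report",
    "public": "allow",
}
DEFAULT_ACTION = "report"  # assumption: untagged or unknown-tag files are reported, not blocked
_RANK = {"allow": 0, "report": 1, "block": 2}

# Property names that may carry a label. "Classification" is a hypothetical name chosen for
# this example; MSIP_Label_<guid>_Name is the pattern under which Microsoft Information
# Protection stores a sensitivity label's display name.
LABEL_PROPERTY = re.compile(r"^(Classification|MSIP_Label_[0-9a-fA-F-]+_Name)$")


def extract_tags(docx_bytes: bytes) -> List[str]:
    """Return every classification tag found in the file's custom document properties."""
    tags: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return tags  # no custom properties part: the file was never labelled
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        if not LABEL_PROPERTY.match(prop.get("name", "")):
            continue
        value = prop.find(f"{{{VT_NS}}}lpwstr")
        if value is not None and value.text:
            tags.append(value.text.strip())
    return tags


def decide(tags: List[str]) -> str:
    """Map tags to actions and return the strictest one (block > report > allow)."""
    actions = [POLICY.get(t.lower(), DEFAULT_ACTION) for t in tags] or [DEFAULT_ACTION]
    return max(actions, key=_RANK.__getitem__)


def scan_transfer(filename: str, data: bytes) -> dict:
    """Decision record for one outbound file transfer, as a DLP agent would log it."""
    tags = extract_tags(data)
    return {"file": filename, "tags": tags, "action": decide(tags)}


def build_docx(tag: Optional[str] = None, prop_name: str = "Classification") -> bytes:
    """Construct a minimal .docx-shaped zip carrying `tag` as a custom property.

    Sample input for this example only; it is not a complete or valid Word document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if tag is not None:
            zf.writestr(
                "docProps/custom.xml",
                f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">'
                f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" '
                f'name="{prop_name}"><vt:lpwstr>{tag}</vt:lpwstr></property></Properties>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in [
        ("salaries.docx", build_docx("Highly Sensitive")),
        ("org-chart.docx", build_docx("Internal")),
        ("brochure.docx", build_docx("Public")),
        ("untagged.docx", build_docx()),
    ]:
        print(scan_transfer(name, doc))
```

Two caveats for anyone turning this into a real scanner. First, the zip container and the XML inside it are attacker-controlled input: parse with `defusedxml` rather than the stock `ElementTree`, and cap the decompressed size before reading any part. Second, a tag is only as trustworthy as the person or tool that set it; a policy that blocks on "highly sensitive" but allows on "public" is bypassed by relabelling, so tag matching should run alongside content inspection rather than replace it.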
Frequently Asked Questions
Data classification can be performed in three ways, which are often combined:
- Content-based classification: identifies sensitive information by inspecting and interpreting the files and documents themselves;
- Context-based classification: looks at indirect indicators of sensitive information, such as the application that created the file, the person who created the document, or the location in which files were authored or modified;
- User-based classification: relies on user knowledge and involves a manual, end-user selection of a label for each file (when the document is created, after a significant edit, or before the document is released).
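The three methods above are easiest to understand as three independent sources of findings that are merged by taking the most sensitive result. The following added example (written for this post, not taken from the page or any vendor product) implements all three over a constructed sample document: content-based detection of card numbers validated with the Luhn checksum and of payroll terminology, context-based rules keyed on a hypothetical file path and originating application, and a user-selected label. The sensitivity levels reuse the four categories from the post; the detection rules, paths and sample text are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sensitivity levels, least to most sensitive, mirroring the post's four categories.
LEVELS = ["public", "internal", "internal sensitive", "highly sensitive"]


@dataclass
class Document:
    """Constructed sample input: file contents plus the metadata a scanner would see."""
    text: str
    author: str = ""
    created_by_app: str = ""
    path: str = ""
    user_tag: Optional[str] = None  # label chosen manually by the author


@dataclass
class Classification:
    level: str
    reasons: List[str] = field(default_factory=list)


# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# This deliberately over-matches (phone numbers, order IDs); the Luhn check filters them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def content_based(doc: Document) -> List[Tuple[str, str]]:
    """Inspect the content itself: cardholder data is PII; payroll wording is internal-sensitive."""
    findings = []
    for m in PAN_RE.finditer(doc.text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("highly sensitive", f"content: Luhn-valid card number ending {digits[-4:]}"))
    if re.search(r"\b(salary|salaries|payroll)\b", doc.text, re.I):
        findings.append(("internal sensitive", "content: payroll terminology"))
    return findings


def context_based(doc: Document) -> List[Tuple[str, str]]:
    """Look only at indirect indicators: storage location and originating application."""
    findings = []
    # Hypothetical context rules; a real deployment derives these from its own environment.
    if doc.path.startswith("/finance/") or doc.created_by_app.lower() == "payroll":
        findings.append(("internal sensitive", "context: originates from finance/payroll"))
    if doc.path.startswith("/marketing/"):
        findings.append(("internal", "context: stored on the marketing share"))
    return findings


def classify(doc: Document) -> Classification:
    """Combine all three methods. The most sensitive finding wins, so an author who
    labels a document 'public' cannot override a card number found in its content."""
    findings = content_based(doc) + context_based(doc)
    if doc.user_tag is not None:
        tag = doc.user_tag.lower()
        if tag not in LEVELS:
            raise ValueError(f"unknown user tag: {doc.user_tag!r}")
        findings.append((tag, f"user: author selected {tag!r}"))
    if not findings:
        # Safe default: unlabelled data with no indicators is treated as internal, not public.
        findings.append(("internal", "default: no label and no indicators"))
    level = max((lvl for lvl, _ in findings), key=LEVELS.index)
    return Classification(level, [why for _, why in findings])


if __name__ == "__main__":
    samples = [
        Document(text="Card on file: 4111 1111 1111 1111", author="alice", user_tag="public"),
        Document(text="Invoice 1234 5678 9012 3456 paid", path="/finance/q3.xlsx"),
        Document(text="Product brochure draft", path="/marketing/brochure.docx"),
        Document(text="Nothing special here"),
    ]
    for s in samples:
        c = classify(s)
        print(c.level, "<-", "; ".join(c.reasons))
```

The merge rule is the security-relevant part: user-based labels are the cheapest to apply and the easiest to get wrong, so they raise the level but never lower it below what content or context indicates. Note also that the second sample contains a 16-digit string that fails the Luhn check and is therefore not flagged as cardholder data; it is still classified as internal-sensitive purely from its location.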
Data protection regulations such as the GDPR or PCI DSS require organizations to protect particular data, such as EU residents’ personal data or cardholder information. Data classification enables companies to identify sensitive data subject to specific regulations; thus they can apply the required controls and pass audits.
By deploying a Data Loss Prevention (DLP) solution, organizations can more easily meet the requirements of data protection regulations such as the GDPR, HIPAA, CCPA, PCI DSS and SOX. DLP tools can find, monitor and control sensitive information, and help ensure that employees cannot transfer, copy or upload data classified as personal information under data protection laws. With a DLP solution, companies can define sensitive data policies, scan all data transfers, report or block unauthorized transfers and generate detailed reports.
Data discovery implies identifying sensitive data such as Personally Identifiable Information (PII) and Intellectual Property (IP) for adequate protection or safe removal. It is an essential step to ensure compliance with different data protection regulations. Data discovery enables organizations to assess the complete data picture and implement security measures to prevent the loss of sensitive data.