Data Classification and Data Loss Prevention: Indispensable Building Blocks of Information Governanceby Allison Walton on March 15th, 2012
In an effort to envision information governance as a modular and digestible concept, a great place to start is by imagining two building blocks. Not only will this approach make the task of thinking about holistic information governance less daunting, but it will carve out a beginning and an end with two basic concepts, thereby enabling a realistic and modular implementation.
Classification, Intelligent Archiving and Storage
The first block, and one of the single biggest cost savers an organization can embrace, is the proactive classification of data. Data classification begins with policy creation. Organizations that form a committee(s) to define policies and invest the energy into the enforcement of those policies almost always reap significant benefits from the initiative. The efficiencies are so compelling that it’s a wonder that data classification and archiving are ever considered separately. One major benefit includes the ability to intelligently leverage information since the classification places the data with similar material pursuant to the stated policy. Organizations that embrace archiving for storage footprint reduction, compliance, litigation, and retention will also see the value of preventing trash from entering the archive upfront.
The more useless data that can be disposed of at the initial point of classification, the more intelligently and nimbly the archive can run, thereby reducing costs when it comes time to collect and cull potentially non-relevant data for eDiscovery. At a minimum, policies should be created to prevent trash from entering the archive. Optimally, policies should contain key identifiers that direct information into specific folders within the archive.
One common concern among record managers is that data classification needs to be perfect – but perfection is neither the goal nor is it achievable. For most organizations, any improvement in data management would be a big step in the right direction. Proactive data classification and archiving are not meant to be granular records management systems. Instead they serve as safeguards on what enters the archiving system, and where and for how long that data is subsequently maintained.
Data Loss Prevention, Asset Protection and Security
The other beneficial block of a holistic information governance plan is security-centric and focused on data loss prevention (DLP). With the proactive management of data, it is important to reduce costs as information is created and received. Similarly, it is critical to monitor sensitive data on an outgoing basis to protect organizations from inadvertent disclosures of sensitive information and intellectual property assets. Much like the policy-driven classification, data loss prevention requires policy creation as well. The policy creation requirements for DLP can luckily leverage much of the hard work done with document retention and classification as they often mirror each other.
If an organization does not know which data is sensitive or constitutes an asset, how can it be protected? In order for organizations to address their valuable information they need to assess, at a minimum, the following four considerations:
- What kind of information does the organization consider to be valuable/sensitive?
- What happens if that information gets into the wrong hands?
- Where does the sensitive information presently reside/where should it reside?
- How to track such information if it is transmitted outside of the organization?
The primary events that keep information security officers concerned regarding data loss prevention are: the unauthorized disclosure of sensitive customer information, unauthorized downloads of intellectual property, lost/stolen laptops, the transfer of proprietary information onto flash drives, and finally, concern over outbound emails containing sensitive information. These events most frequently occur at the hands of malicious and/or careless workers. A way to monitor and control activities associated with breach is through data loss prevention policy and technology.
Examine the document retention/classification policies and data loss prevention policies of the organizations and compare them for similarities. Next, consider getting the key stakeholders for Compliance, IT, Legal, RIM, and Security together to talk about these aforementioned scenarios and to construct a policy. Make the agenda for the meeting short and simple, focusing first on email. Initially focus on how to address the trash being kept so it does not enter the archived environment in the first place. If you do not have an archive, consider getting one.
Finally, tie in data loss prevention as a necessary means of protecting the assets of the organization, as well as providing consistency through classification and data protection. The parameters for defining valuable information will be the same whether looking at classification or data loss prevention. If nothing else, addressing these two critical building blocks will reduce storage and eDiscovery costs, facilitating better coordination of information through intelligent archiving, while simultaneously protecting the organization’s critical assets.