Before an appropriate set of controls can be defined and deployed, we need to understand the value of what needs to be protected and, to the extent that we are able, where it is located. This is similar in nature to how we go about protecting the infrastructure. The information needs to be characterized in terms of its value to the organization and the impact of its disclosure to the public. This disclosure component is of critical importance to achieving compliance with many of the data protection and privacy regulations that currently exist, as well as those yet to come.
This characterization is typically expressed as a data classification policy. A typical data classification policy defines four levels of data within the enterprise: Public, Internal, Confidential, and Restricted. The headings may differ from one organization to another, but for our purposes these headings will suffice:
- Public data is typically defined as data that anyone can access and that may be disclosed to the general public without impact to the organization. Examples of this type of data may include product marketing materials, sales collateral and, for publicly held companies, the annual report.
- Internal data is typically defined as internal business correspondence, records and data created during the normal course of business that are not identified as confidential or restricted. Examples of data classified as Internal include business emails and correspondence with clients.
- Confidential data typically includes any and all business, financial and technical information, including customer, product, pricing and product development plans, network and system diagrams, or other non-Restricted data created in the normal course of business which, if made public, would cause harm to the organization.
- Restricted data includes all information subject to restriction in access, storage or processing by law, or regulation, or by customer contract and any other information owned or under the stewardship of an organization that could cause significant harm if inappropriately disclosed, accessed or modified.
Another important aspect relevant to data leakage is defining a data lifecycle to determine when and how to appropriately retire and dispose of data that is no longer needed by the business. This should be addressed in an organization's data retention policy. In many cases such a policy does not exist. The data leakage issue may be the key to convincing an organization to develop a comprehensive and enforceable data retention policy.
How data leaks occur
Now that we have identified the "what," we can move on to the "how." This "how" will be divided into two parts. The first "how" will focus on how information and data leak from an organization. The second "how" will be concerned with how an organization can guard against this leakage and reduce the risks associated with it.