Sensitive Data Classification - The Benefit of Sensitive Data Discovery
Sample Mature Classification Matrix


The beginning of Sensitive Data Management IS Sensitive Data Discovery. That sounds simple and direct, but, in my experience, it is far from it. Tools are finally emerging that enable automated discovery of (searches for) sensitive data. Most organizations are overwhelmed and unprepared to address the issues and behavioral changes required once they understand the amount of sensitive data and where it lives.

Experience has also shown that senior management is required to contribute time and effort during the strategy and planning phases simply because the foundational and necessary changes are going to take time and create new boundaries that must be supported to succeed.

A key deliverable from a risk assessment is a Classification Matrix for sensitive data. Put simply, a classification matrix is a well-defined set of rules that must be applied to sensitive data to meet the organization's regulatory and audit requirements.

The foundation of this matrix is the agreed-upon set of standards and best practices, including the consequences, for managing and/or mismanaging sensitive data. This is the reason executive management buy-in is required. The IT tools will automate these standards and best practices, but “when push comes to shove”, if you will, the boundaries and consequences must be well-known and understood.

The example shown is very mature and used by permission. But, as with everything, it had to start somewhere. Those of us who are tasked with ensuring the organization is protected and monitored understand the evolutionary nature of cyber-security in terms of altering behavior and embedding best practices in processes and tooling.

It all starts with a simple matrix and evolves from there. Simple, as in three categories and a list of consequences and existing controls. These are then mapped to next-state controls based on the capabilities of the manual and eventually automated processing.

Let's get started.
