What is in a name?

Pearce: Data classification must be taken into account

Hardly a week goes by without reports of confidential information being mislaid. Although much large-scale data loss is the result of carelessness rather than malice, it increases the need for organisations to have watertight data leak prevention (DLP) strategies, especially in the current environment of legal liability and regulatory compliance issues.

The public sector in particular suffers a complex set of operational frameworks and legislation, such as the HMG Security Framework, GCSX and the Code of Connection.

These legislative frameworks must be seen as a step in the right direction in terms of reducing the risk of data loss. Standards, policies and procedures are the foundations of a DLP strategy and, as part of the policy implementation, every employee should know how to identify confidential information and understand his or her own role in keeping it secure.

This sounds good in theory. However, in the real world things are not so clear-cut and it can be the human element of the equation that poses the most challenges.

It is one thing to set rules around which data should be classed as sensitive or confidential. It is quite another to ensure these policies are adhered to. How, for example, can you ensure that an email containing sensitive information, such as personal records, is not sent beyond the corporate network?

Most data that needs protecting is unstructured. The question becomes: what needs to be protected and how can you make users aware of this and ensure rules are applied in a consistent way to reduce risk?

Identifying and classifying data is an often-overlooked element of DLP, yet in this compliance-driven era it is vital to have a way of classifying data according to its value and sensitivity and be able to apply appropriate controls.

When a document is created, the owner should classify it. This, among other things, should set rules around which individuals are able to access that information.

Last year, the UK government released the HMG Security Policy Framework, which provides guidance to the public sector. Organisations must adhere to the HMG Protective Marking Scheme. This means that broad classes of government-generated information, including email, are flagged according to their sensitivity.

The Code of Connection is in revision. One area of change will include labelling emails with security markings. Code of Connection version 4.1 is likely to be adopted next year.

Enforcing data classification across email and other documentation improves an organisation’s ability to understand the value of data and how it is handled.

This also makes standard DLP technologies, such as encryption tools, more effective because they help users apply policy decisions. It also raises awareness of proper data handling procedures.

Tools can help automate and enforce such processes, encouraging users to mark emails and documents in line with corporate policy and government legislation.

Murray Pearce is a director at Vigil Software