Chapter 3


There are few topics more important in cybersecurity than the establishment of good data classification – and by extension protection – programs within an organization. For many organizations, their data and information is every bit as valuable as other assets. Indeed, many economists have observed that data and information are the new currency in the digital economy. As our authors noted in the last chapter, specific types of information are subject to mandated security and privacy practices.  In this chapter, we learn how aligning data and information protection with business objectives is a core element of good data governance. The authors note that not all data is created equal.

Bill Bonney begins the chapter by bringing clarity to what is the central role of the CISO, namely protecting information. We are, after all, Information Security Officers. Bill provides an important perspective on how data classification influences the three central tenants of security: confidentiality, integrity, and availability (CIA).  While each of these three attributes are important, and indeed you cannot have a secure environment without all three being present, their respective values vary notably from industry to industry. As a simple case in point, availability of information in healthcare will trump confidentiality. Bill also offers practical guidance to CISOs in noting that not all data can be protected equally and that a critical part of the CISO’s role is to understand which data is most important to the organization and ensure that this data is adequately protected.

Matt Stamper emphasizes the importance of conducting formal data-flow analysis within the organization and notes that the resulting data flow diagrams (DFDs) are a valuable tool in conveying the importance of data and information security and governance to other colleagues and the board of directors. Matt’s analysis also enters the world of economics, highlighting the linkages between transactional costs and how much data and information is shared with third parties (be they vendors, clients, independent contractors, or affiliated parties). As part of Matt’s guidance, he shares approaches to documenting information flows within an organization that range from non-technical meet-n-greets to more technical packet analysis.

Gary Hayslip brings home the shared perspective of our authors that data is a strategic asset. Gary strongly suggests that data classification activities be made as pragmatic as possible (and aligned with the needs of the organization) and warns that data classification efforts that are too exhaustive become “shelf ware.” Overly complex and burdensome classification efforts are doomed to fail and undermine organizational effectiveness. Gary notes how critical it is to have the data classification and governance activities aligned with the organization’s risk management practices and ultimately the organization’s risk appetite. This risk management perspective on data classification will resonate with other executives in the organization.

Some of the questions the authors used to frame their thoughts for this chapter include:

Screen Shot 2016-08-14 at 2.06.58 PM

Visit here for an excerpt of Chapter 3…

Copyright © 2016 CISO DRG JV – All Rights Reserved.