There are few topics more critical in cybersecurity than the establishment of proper data classification and protection programs within an organization. For many organizations, data and information are their most valuable assets, the new currency in the digital economy. In this chapter, we explore how aligning data and information protection with business objectives is a core element of good data governance.

Data classification influences the three central tenets of security: confidentiality, integrity, and availability (CIA).  While each of these three attributes is important, their relative values vary from industry to industry. Data classification is critical in prioritization because we cannot protect all data equally. A critical part of the CISO’s role is to understand which data is most important to the organization.

In addition to data classification, you should conduct formal data-flow analysis within the organization. We share approaches to documenting information flows within an organization that range from non-technical “meet-and-greets” to more technical packet analysis. The resulting data flow diagrams (DFDs) are a valuable tool for your information security and governance program.

Finally, treat data as a strategic asset. Make data classification activities as pragmatic as possible. Be aware that exhaustive data classification projects become “shelfware.” It is critical to have the data classification and governance activities aligned with the organization’s risk management practices and ultimately the organization’s risk appetite.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What type of information and data does my organization create, use, and share as part of our operations?

♦  Do we have data that is subject to specific regulatory or contractual controls and practices?

♦  Do I know the lifecycle of this data and the systems, processes, applications, individuals, and third parties that have access to this data?

♦  Are our organization’s data governance practices consistent with the value of this data and our regulatory or contractual obligations?

Data Mapping – Stamper

In this chapter, we will be discussing the critical requirement to classify and map data. As I explained in the previous chapter, laws, regulations, and industry standards are placing greater emphasis on knowing the types of data within organizations and its governance. Before focusing on data governance, let’s take a quick detour to the world of economics.

Transaction costs, according to economists, can influence which functions are handled internally within the organization or outsourced to an external provider. When transaction costs are high, there is a tendency to maintain these activities internally. These functions are often transferred to more cost-effective, external providers when transaction costs are low. What we have seen over the last twenty-plus years is the widespread reduction of transaction costs for many core enterprise functions and across many industries including healthcare, financial services, manufacturing, and professional services. In addition to outsourcing wide-scale functions, we are now outsourcing niche activities at the margin (i.e., shadow IT). As an economist might note, most everything happens at the margin. What does this have to do with cybersecurity? Everything.

For the CISO today, it has never been more critical to understand the types of information moving into and out of the organization. The effect of reduced transaction costs, coupled with new technologies such as mobile telephony and cloud services, has introduced significant challenges for CISOs charged with protecting organizational assets, including information and data. Let’s take a few moments to understand how pervasive outsourcing of specific functions is in today’s economy and its impact on knowing where our data resides.

Most organizations have common departments including human resources, finance and accounting, sales and marketing, information technology (IT), operations (including manufacturing), and legal. The reduction of transaction costs related to core activities within these departments has effectively made the organizational boundary semi-permeable. What is outside the organization is now inside, and what’s inside is now outside. Those of us in security feel this viscerally when we think of our own organization’s perimeter. It’s hard to find and nearly impossible to secure.

Where’s Our Data?

Let’s look at some concrete examples of how fluid information is within, and more importantly, outside of an organization. It’s not uncommon for organizations to outsource their payroll services to third-party processing organizations. Payroll data includes personally identifiable information (PII), including the employees’ social security numbers (SSNs), salaries, dates of birth, and addresses. That same organization may also outsource its accounting function. The accounting firm would have access to sensitive financial information including profit and loss detail, the value of assets, and the particulars about significant transactions. External auditors will validate the financial reports prepared by the firm and may request samples of specific transactions to support their assertions regarding the quality of the financial reporting.

The organization may leverage external legal counsel to file patent applications, handle merger and acquisition (M&A) activities, and other highly-sensitive projects. A third-party marketing application sends e-mails to clients and prospective clients containing personally-identifiable information (the name and e-mail address of the recipients). Independent contractors may be providing support on critical projects with access to material non-public information (MNPI). The organization may outsource manufacturing to a contract manufacturer in another country. The manufacturer could be using patented processes or other intellectual property of the organization. An external DevOps team may be handling application development and might have real production data to test functionality.

The organization’s applications reside in multiple locations across multiple states and several countries. Some applications and data are “in the cloud” and many lines of business, given the responsiveness challenges with traditional IT, use SaaS services to meet their requirements. Employees have personal mobile phones that they use to receive e-mail outside of the office. This e-mail includes attachments containing any number of data elements. Employees also bring their devices to work and take these devices with them when they leave the office each day, including when the firm terminates their service. Employees use third-party file-sharing tools, personal e-mail accounts, and external media to store information. Suffice it to say that the average organization does not know where its critical data and information are and, equally important, how they are protected, if at all, outside the organization.

Matt Stamper