Protect your information and your business
Media reports of data breaches and data loss are common. The consequences are usually severe: direct monetary loss and loss of customer confidence in the organization. A study completed by Symantec in 2006 found that 60% of organizations that lose their data shut down within six months of the loss. You do not want to be among them, but where do you begin?
What information do you have?
To manage information effectively and efficiently, first confirm what information assets the organization holds and identify the people in the organization who “own” each of them. The information owner is responsible for deciding who may access the information and how it may be used.
What types of data do you have?
Once information assets have been identified, classify them according to how much harm unauthorized disclosure would cause. Legal or regulatory requirements may dictate that certain information be protected, and industry standards may add their own obligations; the Payment Card Industry Data Security Standard, for example, sets out requirements for protecting credit card data. When classifying, it helps to think in broad categories: corporate intellectual property, human resources information, financial information, credentials used to access systems and records (user IDs and passwords), and information that is typically already in the public domain.
Avoid creating too many classifications; a scheme with many levels quickly becomes unmanageable. Three classifications are usually sufficient. For example, information that should be shared only among management may be classified as restricted; information that is less sensitive but must not leave the organization may be classified as confidential; and information that typically exists in the public domain may be classified as non-sensitive. Whatever the scheme, each asset should land in exactly one class, and the class should determine the handling rules (who may access it, where it may be stored, how it may be shared) rather than being a label with no consequences.
- Make a list of the information: who is responsible for it? Who should have access to it?
- Decide on the categories of information: three is usually enough.