By Johnny Lee | Follow Johnny Lee on Twitter @forensicupdate
Countless times during my career, I’ve been asked why data classification makes financial sense for an organization. This particular conversation typically arises in the context of a rebuttal to an unpopular project that has been proposed (i.e., one that doesn’t affect the bottom line — at least in a material and self-evident way).
Data classification can mean many things, of course, but from a data security perspective it typically involves the assignment of a sensitivity rating (or level) to various data used by an organization. The purpose of this assignment is, above all, to avoid “boiling the ocean,” as we consultants like to say.
Whether an organization is responding to a specific regulatory mandate, an active litigation, or merely taking a proactive stance toward its information management lifecycle, properly classifying the data is the first step. Such classifications (e.g., top secret, secret, confidential, restricted, and unclassified) allow an organization to identify what data it is handling on a regular basis, how well it is securing such data, and whether the significant risks relating to that data are being mitigated.
While computer applications and appliances exist to help with data classification, ultimately this is a subjective exercise. Properly done, it includes all strata of the business, incorporates a risk-based approach, and contemplates business, technical, and other points of view. Only by identifying which data are important to the business can an organization hope to quantify how expensive and inefficient its one-size-fits-all data management strategy truly is.
While data classification is most often cast in the light of risk-avoidance, there are significant benefits to classifying data that do, in fact, translate to the bottom line. Indeed, when an organization invests the time to classify its data, it frequently finds entire populations of content that are being secured at great cost, though the actual content of these files merits no such security. These savings alone can pay for a data classification exercise.
Similarly, when organizations truly identify what data are important to their day-to-day operations, a great focus is brought to bear on how those data are created, managed, copied, distributed, and (ultimately) retired. This heightened awareness likewise has tremendous benefit for companies — whether in heavily regulated industries or not.
This article originally appeared in Forensic Update, 02/28/2012
Johnny Lee is a management and litigation consultant, specializing in data analytics, computer forensics, and electronic discovery in support of investigations and litigation. A former attorney, he also provides advisory services to companies working to address complex data governance and records / information management issues.
Johnny is a frequent speaker, panelist, and contributor on issues involving eDiscovery, Records and Information Management, Data Analysis, Business Intelligence, and the effective use (and risk management) of Information Technology. He has delivered solutions in both the public and private sector on the effective mitigation of business, compliance, and litigation risk to Law Firms; General Counsel; Boards of Directors; Audit Committees; and Chief Financial, Compliance, and Operations executives.
Johnny received his Juris Doctorate from the Georgia State University College of Law and his Bachelor’s degree from Emory University. He was admitted to the State Bar of Georgia in 2000, where he maintains an active law license. He has delivered projects across a variety of industries, including advanced technology, software, communications, private equity / venture capital, healthcare, hospitality, manufacturing, financial services, insurance, retail, construction, transportation, and legal.