The Forrester article, Leadership In The Age Of The Customer, addresses five key actions that will lead your company to customer obsession. As the article states, "The leaders who win are those who measure customer obsession, recognize and reward customer-focused behaviors, remove obstacles, model customer obsession, and provide the needed resources". Accomplishing these tasks means gathering and digitizing information about your customers, and the more of that information you hold, the more critical it becomes to safeguard it.
Knowing the answers to the two questions below puts your business in a far better position to prevent a data breach, and to contain one when it happens:
- What types of data does your company store?
- Where is this data located?
The challenge in answering these questions stems from data being created, acquired and housed in many different locations, inside your corporate environment and increasingly outside it, in cloud storage and SaaS applications. Is your business in control of its data? This two-part blog post will provide some guidance.
Part 1: Create a Data Classification Standard
Developing a data classification standard will provide a reference for the different classes, the risk and permitted use for each, and tangible examples. The classes should range from publicly available to highly confidential; a three-class system could be Public Data, Private Data and Restricted Data. For each class, determine how confidentiality, integrity and availability need to be protected. For example, your company's marketing documents would be classified as Public and would need no confidentiality, but their integrity and availability would still need to be ensured, lest someone tamper with the information or take it offline. Risk and use should also be defined for each class. Restricted data risk could be defined as "unauthorized use or disclosure of information that could result in severe damage to the company," and its use would likely be limited to named roles with a need to know.
Finally, including examples provides concrete guidance to users. Examples of data that would fall into the Restricted class could include:
- Personally Identifiable Information (PII)
- Credit card numbers
- Biometric data
- Protected Health Information (PHI)
- Payment or insurance information
- Test and lab results
- Medical history
- Third party corporate confidential information
The completed classification standard needs to be communicated to all employees and applied to all data. The standard should be reviewed and updated, and its application to the environment reassessed, at least annually, ideally with the appropriate data stewards and legal counsel. If that review determines that data must be reclassified, an analysis of the security controls protecting it should occur immediately, since controls sized for one class will not be adequate for a higher one.
Part 2: Define Data Locations
You need to figure out where your data is located to effectively apply your standard to all data outlets. For each data set, the following points will help in locating and securing it:
- Record the number of records, the data type and the classification
- Identify the owner and a secondary owner
- Locate the data physically (which data center, device or cloud region) and logically (which database, file share or application)
- Restrict who can access the data, both internally and externally
- Encrypt the data at rest and in transit
- Destroy any unnecessary or outdated information per your organization's records and retention policy
- Destroy any portable, single-use media that holds private data, such as CD-Rs or DVD-Rs
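The discovery step behind the first three points above, as an added example that is not code from the original post: a Python script that walks a directory tree, looks for credit card numbers (confirmed with the Luhn checksum so that order numbers and timestamps are not counted), US Social Security numbers and e-mail addresses, counts the records per file, and assigns each file the highest class among the data types found, using the Public/Private/Restricted scheme from Part 1. The sample tree and every value in it are constructed inside the script and are not real data; the regular expressions, the mapping from data type to class, and the `inventory_demo_` directory prefix are assumptions made for this example.

```python
"""Data-discovery pass for a data inventory (added example, not the post's code).

Walks a directory, detects a few data types with regular expressions and
assigns each file a class from the three-class scheme in the post.
Patterns, the type-to-class mapping and the sample files are assumptions
made up for this example."""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Assumed mapping of data type to classification (Public < Private < Restricted).
CLASS_OF_TYPE = {"credit_card": "Restricted", "ssn": "Restricted", "email": "Private"}
RANK = {"Public": 0, "Private": 1, "Restricted": 2}

# Candidate card numbers: 13-19 digits with optional space/dash separators.
# Every hit is confirmed with the Luhn checksum so that arbitrary digit runs
# (order numbers, timestamps) are not counted as cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count records of each data type present in text (zero counts are omitted)."""
    found = Counter()
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    if cards:
        found["credit_card"] = len(cards)
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = len(ssns)
    emails = EMAIL_RE.findall(text)
    if emails:
        found["email"] = len(emails)
    return found


def classification_for(counts: Counter) -> str:
    """Highest class among the data types found; Public when nothing matched."""
    cls = "Public"
    for dtype in counts:
        if RANK[CLASS_OF_TYPE[dtype]] > RANK[cls]:
            cls = CLASS_OF_TYPE[dtype]
    return cls


@dataclass
class InventoryEntry:
    path: str                                          # logical location, relative to the root
    classification: str
    counts: Counter = field(default_factory=Counter)   # number of records per data type


def inventory(root: str, max_bytes: int = 5_000_000) -> List[InventoryEntry]:
    """Build one inventory entry per file under root.

    Files are read as text; binary formats and databases would need their own
    extractors, which this example does not include."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            with open(full, encoding="utf-8", errors="ignore") as fh:
                counts = classify_text(fh.read())
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append(InventoryEntry(rel, classification_for(counts), counts))
    return entries


def build_sample_tree() -> str:
    """Create a temporary tree of constructed files; none of the values are real."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")
    samples = {
        "marketing/brochure.txt": "Spring launch brochure. Order ref 1234567890123456.\n",
        "finance/cards.csv": "name,card,exp\nalice,4111 1111 1111 1111,12/27\n"
                             "bob,5500000000000004,03/28\n",
        "hr/contacts.txt": "alice@example.com\nbob@example.org\n",
        "hr/benefits.txt": "Employee 123-45-6789 enrolled; contact carol@example.com\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for e in inventory(build_sample_tree()):
        print(f"{e.classification:10} {e.path:25} {dict(e.counts)}")
```

Two things worth noting about the design. The brochure contains a 16-digit order reference that the card pattern matches but the Luhn check rejects, so the file stays Public; pattern matching alone over-reports, and a classification that drives controls needs the validation step. Second, the owner, secondary owner and retention attributes cannot be discovered by scanning, they have to be assigned by people, and the finished inventory is itself a map of where your most sensitive data lives, so it belongs in the Restricted class.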
Data owners leave the organization, systems are added and retired, and new regulations may be passed that govern how data must be protected. Therefore, you should conduct a data inventory on an annual basis, at a minimum.
For all companies, two of the most important tasks they can complete are a data classification and a data inventory. While both take time and effort to perform and maintain, the value they provide is hard to overstate. If you don't know the "what" and "where" of your data, it can be difficult, if not impossible, to ensure adequate protection.
Blog entry originally posted on February 11, 2016 and updated with new research on August 31, 2016.