Most companies have a wealth of data spread across their systems, ranging in form from the structured data stored in databases through to masses of unstructured data including e-mails, Word, Excel and HTML documents, image files (such as scanned documents), and multimedia files such as audio logs and videos.
To live up to their regulatory and governance responsibilities, organisations must be able to show they have taken all the necessary steps to protect this information, and by extension the interests of their shareholders and customers.
Since there is no ultimate solution to security problems, every organisation has to have a risk management policy, which includes:
* A set of measurements to assess assets' value to the organisation
* A process to analyse threats for each asset
* A method to determine what controls need to be in place to assure assets' resistance to identified threats
* A program to apply countermeasures to assure that each control can overcome relevant threats
* A recurring trend analysis to verify overall risk reduction
To be systematic, measurable and explainable, a classification scheme must have a fact-based, business-analysis foundation. That, in turn, should map into five levels of business value, each having an encompassing infosec program per threat type and for each control type.
There are two general types of information - structured and unstructured. The two are classified in considerably different ways.
Structured data revolves mostly around applications; hence, classifying the applications is the simplest method. If the application value is not clear, it could be deduced from its role in the business processes that it is part of.
Unstructured information can be especially challenging to manage and secure. It can be stored nearly anywhere in the enterprise - in the data centre, mail servers, applications or on end-users' notebooks, desktops and handhelds - and the volume of unstructured information in most organisations is growing at an astonishing rate.
When dealing with unstructured data, classifying the files is the easiest way. Classification of the hosting systems will then rely on the file's value.
Classifying all of this data manually is a time-consuming and error-prone process. For that reason, enterprises are now implementing automated data classification tools to speed up the process and reduce the labour involved.
Such tools can be used to automatically classify data according to business properties and its context - for example, data can be tagged as customer information, project data, or financial records, or even sorted according to topics. Once this data is classified, it can be managed according to clearly defined business rules. This enables companies to enforce restrictions about who may use data and how they may use it according to their risk management policies. This, in turn, supports regulatory compliance efforts.
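As an added illustration (not code from the article or from any product it mentions), the sketch below tags file content, assigns one of five business-value levels, rolls each host up to the level of its most valuable file, and applies a deny-by-default access rule. The rule patterns, the level assigned to each tag, the role clearances and the sample inventory are all assumptions constructed for the example.

```python
import re

# Assumed rule set: (tag, business-value level 1..5, content pattern).
RULES = [
    ("financial records", 5, re.compile(r"\b(invoice|general ledger|balance sheet)\b", re.I)),
    ("customer information", 4, re.compile(r"\b(customer id|date of birth|account holder)\b", re.I)),
    ("project data", 3, re.compile(r"\b(milestone|deliverable|project plan)\b", re.I)),
]
UNCLASSIFIED_LEVEL = 1  # lowest of the five levels

# Assumed policy: highest level each role is cleared to read.
ROLE_CLEARANCE = {"finance": 5, "support": 4, "engineering": 3, "contractor": 1}


def classify_file(text):
    """Return (sorted tags, level) for one file's extracted text."""
    hits = [(tag, level) for tag, level, pat in RULES if pat.search(text)]
    if not hits:
        return [], UNCLASSIFIED_LEVEL
    # A file matching several tags takes the highest level among them.
    return sorted(t for t, _ in hits), max(lvl for _, lvl in hits)


def classify_hosts(inventory):
    """inventory: {host: {path: text}} -> {host: level of its most valuable file}."""
    return {
        host: max((classify_file(text)[1] for text in files.values()),
                  default=UNCLASSIFIED_LEVEL)
        for host, files in inventory.items()
    }


def may_read(role, text):
    """Deny by default: an unknown role has clearance 0."""
    return ROLE_CLEARANCE.get(role, 0) >= classify_file(text)[1]


# Constructed sample inventory (host -> path -> extracted text).
INVENTORY = {
    "mail01": {"inbox/0012.eml": "Attached is the invoice for customer ID 4471."},
    "laptop-17": {"notes.txt": "Next milestone slips a week.", "todo.txt": "Buy coffee."},
    "kiosk": {},
}

if __name__ == "__main__":
    for host, level in classify_hosts(INVENTORY).items():
        print(f"{host}: level {level}")
```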
Ariel Peled is co-founder, president and co-CEO of Nogacom. NGS is the official distributor of NogaCom Products in South Africa and will present at the ITWeb Security Summit on Wednesday, 7 May.

