Because information comes in many different forms - word processing documents, spreadsheets and emails, as well as marketing, general business operations, executive correspondence and customer service emails - some information can be challenging to classify. Also, how do you handle documents that have been altered for other purposes? What if portions of a document classified as Highly Sensitive are used elsewhere, for instance? Should those portions be considered Highly Sensitive as well, or do they require a round of review and, possibly, reclassification?
Be aware that labeling data and classifying data are two different things. A label identifies the required level of protection and is usually a mark or comment placed on the document itself or in the metadata. For example, you could insert the word "Confidential" in the header or footer of a document or add it to a file's properties sheet. When you classify a file, on the other hand, you might or might not apply a label.
4. Policies: Protect Data in All Its Forms
Your data classification standard must be incorporated into your organization's overall security policy. Policies must be clear as to the use and handling of data, and the approach you select will drive the cost of handling data.
Security policies, standards and procedures establish different requirements on data and information, depending on the lifecycle state (creation, access, use, transmission, storage or destruction). The goal is to protect data in all its forms, on all types of media and in different processing environments, including systems, networks and applications.
Be sure your policies state that users of information are personally responsible for, and will be held accountable for, complying with all policies, standards and procedures.
5. Mobile DLP Software: Watching Mobile Users
Many mobile DLP products offer monitoring, which lets IT view the data a mobile user accessed and/or downloaded from a corporate server. The beauty of mobile monitoring is that it provides warning signs, which give IT a chance to act on a possible breach or policy infraction. However, it takes time to differentiate between general noise and real security threats, so it's often used more like a log for keeping track of actions. The challenge is selectively preventing sensitive information from being transferred to or stored on a mobile device in the first place.
The latest products from well-known DLP application and appliance vendors such as Symantec, McAfee and Websense provide data classification features to label messages and documents (metadata labeling), as well as features that analyze content and filter it when a mobile device interacts with a corporate server.
Referred to as content-aware, these technologies are highly useful for organization-issued as well as employee-owned devices. They can prevent certain emails, calendar events and tasks from synchronizing with a smartphone or tablet from a Microsoft Exchange server, for example, based on the mobile DLP policy. The technologies enable an administrator to separate personal and business email and to prevent business information from being stored on a mobile device.
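The label-then-content decision described above can be sketched as follows. This is an added example, not code from any vendor's product; the `classification` metadata key, the blocked-label set and the sample items are assumptions constructed for illustration. It also covers the case where an item was classified but never labeled, by falling back to content analysis (here, Luhn-validated payment card numbers).

```python
import re
from dataclasses import dataclass, field

# Assumed policy: items carrying these labels never sync to a mobile device.
BLOCKED_LABELS = {"confidential", "highly sensitive"}
# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

@dataclass
class SyncItem:
    kind: str                                   # "email", "calendar" or "task"
    body: str
    metadata: dict = field(default_factory=dict)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                          # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_card_number(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def sync_decision(item: SyncItem) -> tuple:
    """Return (action, reason) for one item about to sync to a device."""
    # 1. Metadata label: cheap and authoritative when present.
    label = item.metadata.get("classification", "").strip().lower()
    if label in BLOCKED_LABELS:
        return "block", f"metadata label '{label}'"
    # 2. Content analysis: catches sensitive items that were never labeled.
    if contains_card_number(item.body):
        return "block", "content match: payment card number"
    return "allow", "no label or content rule matched"

# Constructed sample items.
LABELED = SyncItem("email", "Q3 plan attached.", {"classification": "Confidential"})
UNLABELED = SyncItem("task", "Refund card 4111 1111 1111 1111 today.")
BENIGN = SyncItem("calendar", "Conference ID 1234 5678 9012 3456")

if __name__ == "__main__":
    for item in (LABELED, UNLABELED, BENIGN):
        print(item.kind, sync_decision(item))
```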