Many organizations are embracing a data-centric approach to cybersecurity risk management. Using data to quantify cybersecurity risk makes security tangible to end users, supports regulatory reporting, and narrows risk management to the most critical concerns. The logical starting point for most organizations is to identify the types of data they hold and then classify them. But too often, that is where the process ends: a written policy sits on a shelf, collecting dust. So what should organizations that want to take action do next?
First and foremost, organizations must incorporate data classification standards into IT operations so that those standards are ingrained in risk management and cybersecurity controls, resulting in better alignment with business needs.
To illustrate this point, let’s take a look at an organization with years of experience implementing data classification standards: the federal government. Long before the proliferation of digital communication, the federal government went to great lengths to manage sensitive data. Different ways in which it protected data included:
The federal government’s use of data classification to manage security is a good example of how to use data to make decisions about daily operations. You might notice these principles in your day-to-day work with modern information systems.
The question then becomes "How can organizations use data classification standards in their IT operations to make daily operational decisions?" As with most cybersecurity issues, the devil is in the details. The following questions might help guide productive discussions about data classification standards in different parts of your organization and pave the way for using the standards in cybersecurity risk management decision-making.
If you’re the lucky person responsible for classifying your organization’s data, maybe it’s time to take a step back and assess if and how classification standards are used throughout the organization. Do your strategic goals of using data classification standards align with the tactical use of such standards in your IT operations?
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.