Keeping Compliance Costs Down With Data Classification

As organizations develop their data management policies, IT departments need to improve practices to properly classify data not just for operations’ sake but to also better manage risk and keep compliance costs in check. According to security experts, enterprises are still only doing a middling job at discovering, classifying and managing their data so they can apply risk-centric protections according to data sensitivity and regulatory requirements.

“If I were to give a broad school-letter grade to how they’re doing, I’d say they are getting a ‘C’ right now,” says Cal Slemp, managing director and global head of IT consulting for Protiviti, a Menlo Park, Calif.-based firm. “One of the things that we work with clients on is we start with the discussion that not all data should be treated the same. From a security or privacy perspective, that becomes even more true.”

According to Slemp, while many organizations have data classification on their radar, it still isn’t consistently recognized by those at the top of the food chain as a useful way to reduce compliance costs and overall risk. Protiviti just released survey data last week that offer statistical evidence of this lack of executive awareness or support. In a survey of over 100 IT professionals, respondents at nearly a quarter of organizations reported that management has limited or no understanding of the difference between sensitive information and other data.

Even with that executive support and with plans in place, many organizations are still having a difficult time actually putting classification operating procedures in place and actually enforcing policies. The survey showed that even though 69 percent of companies have clear data classification policies to categorize information, only 50 percent have a plan in place to perform that categorization. According to Slemp, when an organization is not able to easily separate publicly-available information from regulated information, compliance costs will rise.

“If they haven’t started to put that into an operational environment, I think they’re going to face some cost issues and potentially not focus on all the items that a regulation might be seeking out,” he says.

According to Mel Shakir, product manager at McAfee, data discovery and classification should be at the foundation of any solid compliance and risk program. Without knowing which information resides where, it is difficult to put controls in place.

"You cannot protect an environment you don't understand,” Shakir says. “Once you have a good understanding of where the data is that is important to you, who is using it, how it's being used, that's when the controls start falling into place."

According to Tom McAndrew, executive vice president of professional services at compliance consultancy Coalfire, that operationalization of data discovery and governance can be improved by better automation tools.

“The good news is that with the newer database solutions, there are automated ways of detecting data and triaging systems that appear to have data they shouldn’t. As you get your organization to map and understand your data, look for opportunities to automate and monitor compliance and security,” he says. “Automation has the ability to decrease compliance and security costs and get higher levels of assurance that you know where your data is and where it is going.”

The prospect may be even less daunting if organizations were to keep less of their data for smaller periods of time. According to Protiviti’s survey, many organizations add additional risk of exposure and compliance burden to their plates by keeping too much data for too long.

“What we’ve seen is many organizations default to the attitude that they’re going to save everything forever,” he says. “Maybe its old contracts or old employee records with PII, but if you have data and you don’t need it, it could cause you to pay additional compliance costs or suffer unnecessary exposure.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.