Top 10 Best Practices for Implementing Data Classification

Watchful Software Steven Horst David Thornbury

Upload: watchful-software

Post on 12-Jan-2017


Help Organizations

Monday, May 1, 2023 © Copyright www.watchfulsoftware.com. 2016 All Rights Reserved. 2

• What data is truly sensitive?
• Who should have access to it?
• How is the data to be handled?
• When should the classification change?
• Where should the data be protected?

• Content, Context, Metadata
• Real-time Identification
• Automated Classification
• Custom Tagging (HEADER: Internal Use Only; FOOTER: Printed by John Doe)
• Thorough Logging
• Seamless Protection
• Enforced Blocking & Warning
• POLICY
• Globally Unique Identifier: 789EEAB1-861F-48A2-B962-BC6B4B67E322

Steve Horst - Regional Sales

David Thornbury - Regional Sales

To See Watchful Software In Action

Presented By: Presented On:

Corporate Overview

Agenda

o Who We Are

o What We Do

o How We Do It

o Top 10 Best Practices for Data Classification

1. Determine Project Objectives
2. Determine Project Pre-Requisites
3. Figure out Solution Options
4. Create the Right Policy
5. Meet Infrastructure Requirements
6. Deploy and Rollout
7. Train the Right Personnel
8. On-going Support and Maintenance
9. On-going Measurement
10. Improve Continuously

Who We Are

Women-owned, award-winning, fast-growing and innovative. SPHERE has created a niche for providing analytics, remediating risks and implementing automated solutions for the management of human- and machine-generated data and enterprise assets.

SPHERE solves a variety of technology needs through three robust offerings.

• Specialized Professional Services
• Strategic Software
• Custom Integration

Creating customized solutions using third-party or internally developed software.

What Does SPHERE Do?

DATA, ACCESS, SYSTEMS

Compliance, Governance, Security

ASSESS, REMEDIATE, AUTOMATE, PLAN

How Does SPHERE Do It?

SPHEREboard

Automation and Visual Representation

SPHEREengine

Business Intelligence

Direct Access

Third Party Tools

SPHEREcollector

SPHERE Methodology

COLLECTING PROCESSING REPORTING

Assess

Plan

Remediate

Automate

Static

Dynamic

Top Ten Best Practices for Implementing Data Classification

About Today’s Speaker

Rita Gurevich, Founder and President

Top Ten Best Practices for Data Classification

1. Determine Project Objectives

2. Determine Project Pre-Requisites

3. Figure out Solution Options

4. Create the Right Policy

5. Meet Infrastructure Requirements

6. Deploy and Rollout

7. Train the Right Personnel

8. On-going Support and Maintenance

9. On-going Measurement

10. Improve Continuously

When you look at the Top Ten Best Practices for Data Classification… you need to think about a process…

What are the steps?

What are the key factors for each?

Let's explore them…

1. Determine Project Objectives

Understand what and why you are protecting

• Understand level of risk
• Understand why your data needs to be protected
• Set scope of deployment

• PCI
• HIPAA
• SOX

And

2. Determine Project Pre-Requisites

Ensure a roll-out team is created. Typically the team consists of:

• System Administrator(s) of Technical Environment, SQL, AD, RMS, Desktop Support, Mobile Device Support, Exchange, SharePoint
• IT Infrastructure
• Project Management
• Legal
• Risk Assessment
• Security

2. Determine Project Pre-Requisites

Identify:

• Technical Needs
• Hardware
• Software

…that is needed to deploy the Classification Solution

And communicate with affected business users in advance

3. Figure out Solution Options

What… is the best set of technical controls to protect data?

• Restrict access to all data
• Use a DLP 1.0 tool
• Deploy a dynamic classification solution

A security professional must compare each option and weigh the benefits against the level of risk identified in the Project Objectives phase

4. Create the Right Policy

Classification levels: Review your data classification policies and confirm validity

Roles: Determine “Right-to-Know” based on organizational structure, department, job description, etc.

Rules based on:

• Legal and Compliance Regulations
• Existing Information Security Policies
• Business Unit Requirements
• Geographical Requirements/Differentiators
• Business Processes
• Understanding of Sensitive Data and where it is stored

5. Meet Infrastructure Requirements

Program Team must talk to… Information Technology …to ensure all is in place

Ex:

• Microsoft Active Directory exists, is healthy, and is being used for user authentication
• Microsoft RMS is implemented or available for implementation

6. Deploy and Rollout

Initial Roll-Out Action Items

1. Select group(s) that are candidates to be the first users of software
2. Define the duration of the initial roll-out period for each group of users
3. Determine the metrics and methods for measuring the results
4. Identify users/key stakeholders in the selected groups
5. Define which policy rules will/will not be activated and applied
6. Push client software to end users

Repeat the process for next group(s)

6. Deploy and Rollout

Initial Roll-Out Action Items

End User Training: Overview of the user interface and why policies are being enforced

Review and evaluate results of the deployment and adjust as necessary

7. Train the Right Personnel

End User: Educate on…

1. The policies in place
2. Why the policies are necessary
3. What data needs to be protected (i.e. proprietary vs. regulated)

Administrator: Educate on…

1. Basics of product architecture
2. Operation policy
3. Rules creation and modification

Help Desk: Educate on…

1. Providing on-going support

8. Facilitate Ongoing Support and Maintenance

Continue to… develop policy and processes for handling policy violations

Determine… teams responsible for support including End-User Support and Admin Support

Measure… the effectiveness of the support teams

9. Facilitate Ongoing Measurement

• How is the program being measured?
• What KPIs determine success?
• How is program effectiveness communicated across to stakeholders?
• How does reporting from the classification solution integrate with other dashboards?
• How do you facilitate continuous improvement to the program?
• How do you manage workflows and policy violations?

10. Improve Continuously

Measure… the effectiveness of the program

Modify… policies to improve the effectiveness of the program

Implement… new policies to enhance security and improve compliance

Is the deployment Use Case protecting data?

Should the policies developed for deployment Use Case be more stringent?

What other data in the enterprise requires protection?

Questions?

Thank you!

Visit www.sphereco.com for more information.