Strategic Information Management
Through Data Classification
Reducing Corporate Risk and Cost by
Gaining Control of Business Information Assets

by
Glen Day
day_glen@bah.com

Strategic Information Management Through Data Classification
Reducing Corporate Risk and Cost by Gaining Control of Business Information Assets

Even in the midst of a global recession, enterprise storage demand continues to grow at a feverish pace. In addition to bearing escalating costs for storage and related services, companies are also facing increasing risk of data breaches due to the pervasiveness of how and where confidential files are stored. Despite significant investments in content management and data leak protection technologies, most businesses still lack the core processes and tools needed to effectively manage vast amounts of digital data in accordance with business objectives and compliance mandates. Providing businesses with the capabilities necessary to effectively manage and protect information assets demands a more strategic and comprehensive approach to today’s information management programs. This paper provides a better understanding of how exponential data growth directly affects the risk posture of critical corporate information assets, and addresses the common problems caused by gaps in information management programs and the likely consequences associated with immature methodologies. It also highlights the business advantages and the privacy compliance benefits that can be realized with an effective data classification program that applies a holistic approach to information management.

More Data, More Cost, More Risk
Over the past few decades, most companies made a strategic decision to provide increasing IT resources to their employees. As a result, Moore’s Law prevailed not only in processing power, but also in storage disk capacity. For the past few decades, the price of a gigabyte of storage has been dropping by 30 percent per year, on average. A company having insufficient storage is now virtually unthinkable. Despite a slowing economy, the storage industry in the United States grew by 15 percent between 2007 and 2008 (IDC, 2008).

IDC estimates that information is now growing by 60 percent per year and will continue to grow at that rate through 2011. Worldwide, digital information will escalate tenfold between 2006 and 2011, from under 200 to almost 2,000 exabytes. However, not all of this digital information is stored safely in the corporate database where it can be managed, monitored, and controlled. Enterprise Strategy Group estimates that between 80 and 85 percent of all business data is unstructured (ESG, 2007), much of this in the form of e-mails, text documents, spreadsheets, and presentations (.doc, .ppt, .xls, and .pdf).

Unstructured data is considered the most evasive and unmanaged data format within any company; this poses great risk to businesses. Few hurdles prevent employees from copying confidential data from secure databases and storing the same information in a spreadsheet, thereby negating any security measures protecting its access, use, and dissemination. This kind of violation is often perpetrated by employees to provide
convenient access to information while in transit or traveling. Unfortunately, this practice can lead to serious security and privacy breaches, as laptops and USB storage devices with insufficient security controls to protect sensitive data are often lost or stolen.

With corporate data increasing exponentially, what are the ramifications of having the storage environment grow 30 percent faster than a company’s revenue or IT budget? With a 30 percent annual average price decline, a simplistic view suggests just purchasing more disks. However, this tactic promises more than it delivers. Related incremental costs for staff and storage management services such as backup, antivirus, and data replication continue to escalate unabated.

Over time, most business information devolves from being an information asset to being an information liability—it no longer serves a business need yet still requires care, protection, and incurs costs. The challenge is not to restrict the growth of useful business data considered to be valued assets, but how to better manage and dispose of expired or worthless data. This useless information is expensive to maintain, holds no further business value, and continues to present a high business risk.

The increasing threat of data leakage remains a primary business challenge. A recent Wall Street Journal article reported that the number of data breaches increased by almost 50 percent in 2008, compared to the previous year, exposing the personal records of some 36 million people to potential thieves (WSJ, 2009). The Ponemon Institute found that these breaches cost companies nearly $200 per record stolen, or $6.6M per incident. The more data stored by an organization, the higher the risk of a breach. Given the exponential increase in data breach incidents, if a casualty has not yet occurred, odds are that one is imminent (ponemon.org).

Until recently, TJX Companies, parent company of retail giant T.J. Maxx, held the record for the largest single security breach of sensitive customer information. On January 21, 2009, Heartland Payment Systems, a large credit card payment processing company, eclipsed TJX when Heartland announced the discovery of malicious software installed on the company’s systems. As Heartland processes more than 100 million transactions per month, the number of compromised records could be in the hundreds of millions. At $200 per record stolen, the financial hit to Heartland could be devastating (Claburn, 2009).

In 1999, congressional lawmakers Phil Gramm, Jim Leach, and Tom Bliley pushed through the Gramm-Leach-Bliley Act, the first major piece of legislation that specifies measures companies must take to protect Nonpublic Personal Information (NPI). This became the foundation for many other privacy regulations—such as HIPAA and the Payment Card Industry (PCI) initiative, mandating protection of sensitive patient and customer data, respectively. In a post-9/11 world, other new regulations like the International Traffic in Arms Regulations (ITAR) place additional restrictions on the flow of trade information. New attention is now focused on the shipment of microchips and electronics, as well as related electronic information surrounding these devices. This spotlight places further duties and burdens on businesses. To properly distribute information internationally related to the manufacture of these components, one may have to effectively classify and restrict access to thousands or even millions of files and stored e-mails.

A Growing Data Management Challenge
Until recently, these problems were relatively manageable. In cases where unstructured data needed to be closely managed for a regulation such as HIPAA or ITAR, companies could employ Enterprise Content Management systems. For a small pool of data, such as the CEO’s e-mail or a repository of engineering documents relevant to litigation, businesses could use litigation support software or services. If data in specific folders or behind certain applications needed to be protected, they could use Identity Management and Data Loss Prevention solutions.

Those solutions assumed some logical concentration of relevant data, either in a few places or as a manageable size. Unfortunately, these assumptions are no longer valid. Data held by Fortune 500
companies can no longer be measured in single terabytes and typically exists in multi-petabyte heterogeneous storage environments spread out across global networks. There are multiple silos of information, in many cases governed by data stewards with authority to create their own policies based on regional or departmental priority.

Most companies do not have adequate processes or technologies to manage their unstructured data. 75% said they were concerned that their unstructured data was growing too rapidly. 63% said they did not have adequate systems to manage it.
- Computerworld survey of 250 large companies on data management

On average, most large corporations now have over 240 terabytes of storage, of which some 80 terabytes may be subject to significant requirements for information protection, such as access and lifecycle controls. Relevant and supporting enterprise policies or solutions for meeting those requirements are often immature and insufficient. The digital data, and its management requirements, have simply grown too fast for most companies to build an effective information management strategy that can meet business objectives.

Continuing to neglect these challenges may result in: adverse legal judgments for failing to meet Federal Rules of Civil Procedure (FRCP) guidelines; penalties; and lost business resulting from data privacy breaches, or loss of trade secrets that could diminish a company’s competitive edge. Effectively employing an information management strategy may be the single largest priority for Fortune 500 companies over the next 3 years.

Answering the Challenge
Gaining control of corporate information assets will not be accomplished through technology solutions or ad hoc process changes. In Booz Allen’s view, enterprises should implement a strategic information management program by first classifying data to help reduce their corporate risk exposure, decrease information discovery times, improve compliance status, and potentially realize significant cost savings through an effective data disposal program.

There are substantial synergies between information management and other enterprise-wide shared services, including access management, data leakage protection, records management, litigation support, storage management, governance, risk, and compliance. Our comprehensive approach takes a holistic view of key business processes and data protection controls as assessed against our information management adoption model in Exhibit 1.

New rules and regulations governing how data must be stored, secured, transferred, retained, disposed of, and used will encourage many businesses to emulate the standard set by US military and intelligence communities in establishing a classification schema.

Exhibit 1 | The Booz Allen Strategic Information Management Model (SIMM)
[Figure: the Strategic Information Management Model at the center, surrounded by Data Classification Policy & Procedures; Information Handling Policy & Procedures; Data Retention & Disposal Policy & Procedures; Automated Data Disposal Program; Electronic Discovery (eDiscovery) Program; Access Management Program; and Data Leakage Preventive Program]
Source: Booz Allen Hamilton
For almost a century, Booz Allen Hamilton has assisted federal agencies and commercial companies in building strategies to streamline their operations and gain a competitive advantage. More recently, Booz Allen has helped to pioneer strategies for large organizations to solve enterprise problems related to records management and information security. This unique experience and expertise has never been more relevant for commercial companies with global operations.

Effective Information Management Through Strategic Data Classification
The majority of data and privacy breaches are avoidable. Traditionally, organizations have applied a network-centric focus to securing systems, based on defined confidentiality levels for storing and processing data. While still a necessary component, a more information-centric approach is needed today. Better control and protection of confidential and sensitive information first requires an awareness of where the data is stored and how it is protected.

Booz Allen’s methodology conveys the complexities of information management in simple business terms:
• Know what information you have
• Know where you have it
• Know what information you have to keep
• Know why you have to keep it
• Keep it only as long as you need to—dispose of everything else

Booz Allen’s strategic approach to building and executing a data classification program, as illustrated in Exhibit 2, is derived from a logical and comprehensive workflow.
• Classification Schema Definition: Prior to classifying unstructured data, business owners must first determine the levels of classification (Confidential, Restricted, Public, etc.) and what attributes constitute each of the levels (SSN, credit card number, financial information, protected health information, etc.).
• Discovery: Once classifications are defined, storage managers should identify known storage areas and query for unknown storage devices.
• Data Mapping: Detailed data maps should then be created to formally document leading data flows and their associated classifications.
• Analysis: During this critical phase, stakeholders should perform a detailed review and evaluation to identify violations and conflicts between corporate policies and user practices as related to information handling.
• Strategic Realignment Plan: Based on the outcomes from the previous phases, remediation recommendations should be developed using risk-based methodologies to create a strategic plan to realign both administrative policies and user practices. This should include an information security control enhancement plan to mitigate the identified deficiencies.
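As an added example (not part of the paper and not Booz Allen's tooling), the workflow above carried through in Python over a constructed file inventory: a schema that maps attributes such as SSN, credit card number, financial information and protected health information to classification levels, a data map built from the discovered files, an analysis step that flags files whose classification exceeds what their storage area's handling policy permits (for example, a card number copied to a USB stick), and a retention check that surfaces disposal candidates. The paths, storage policies, retention periods, sample contents and the ordering of the three levels are all assumptions made for the example.

```python
"""Data classification scan: schema -> discovery -> data map -> analysis.

Added example, not the paper's or Booz Allen's code. Every path, policy,
retention period and document below is constructed for illustration.
"""
import re

# Classification levels, least to most restrictive. The paper names
# Confidential, Restricted and Public; the ordering is an assumption.
LEVELS = ["Public", "Restricted", "Confidential"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Schema: attribute -> (pattern, level the attribute implies, validator or None).
# Patterns are deliberately minimal; a real scanner would use a richer set.
SCHEMA = {
    "ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
            "Confidential", None),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), "Confidential",
                    lambda s: luhn_ok(re.sub(r"\D", "", s))),
    "phi": (re.compile(r"\b(?:patient id|diagnosis|MRN)\b", re.I),
            "Confidential", None),
    "financial": (re.compile(r"\b(?:quarterly earnings|revenue forecast)\b", re.I),
                  "Restricted", None),
}


def classify(text: str):
    """Return (highest level implied by the text, sorted attributes found)."""
    found = []
    for name, (pattern, _level, validator) in SCHEMA.items():
        for m in pattern.finditer(text):
            if validator is None or validator(m.group(0)):
                found.append(name)
                break
    level = max((SCHEMA[n][1] for n in found), key=LEVELS.index, default="Public")
    return level, sorted(found)


# Discovery phase output: storage areas and the highest level each area's
# handling policy permits (constructed). Unknown areas are treated as Public,
# i.e. an unrecognised storage device gets the least trusted treatment.
STORAGE_POLICY = {"finance": "Confidential", "hr": "Restricted",
                  "public-share": "Public", "usb-stick": "Public"}

# Retention period per level, in days (constructed figures).
RETENTION_DAYS = {"Public": 365, "Restricted": 1095, "Confidential": 2555}

# Constructed inventory: path -> (content, age in days).
SAMPLE_FILES = {
    "finance/payroll.xlsx": ("Employee SSN 123-45-6789; quarterly earnings summary", 120),
    "public-share/newsletter.docx": ("Company picnic is on Friday, call ext. 0100.", 900),
    "public-share/order-form.txt": ("Order ref 4111 1111 1111 1112 (not a card number)", 30),
    "usb-stick/travel-copy.xlsx": ("Customer card 4111 1111 1111 1111 exp 12/11", 10),
    "hr/clinic-note.txt": ("Patient ID 4482, diagnosis noted in chart.", 3000),
}


def build_data_map(files):
    """Data Mapping phase: each file's level and the attributes that drove it."""
    return {path: classify(text) for path, (text, _age) in files.items()}


def find_violations(data_map, policy):
    """Analysis phase: files whose level exceeds what their storage area permits."""
    out = []
    for path, (level, attrs) in data_map.items():
        allowed = policy.get(path.split("/", 1)[0], "Public")
        if LEVELS.index(level) > LEVELS.index(allowed):
            out.append((path, level, allowed, attrs))
    return out


def find_disposal_candidates(files, data_map, retention=RETENTION_DAYS):
    """Files older than the retention period for their level."""
    return sorted(p for p, (_t, age) in files.items()
                  if age > retention[data_map[p][0]])


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_FILES)
    for path, (level, attrs) in data_map.items():
        print(f"{path}: {level} {attrs}")
    for path, level, allowed, attrs in find_violations(data_map, STORAGE_POLICY):
        print(f"VIOLATION {path}: {level} data on a {allowed}-only area ({attrs})")
    print("disposal candidates:", find_disposal_candidates(SAMPLE_FILES, data_map))
```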
Exhibit 2 | Data Classification Assessment Methodology
[Figure: workflow Classification Schema Definition -> Discovery -> Data Mapping -> Analysis -> Strategic Realignment Plan]
Source: Booz Allen Hamilton

Applying Booz Allen’s business-centric approach to data protection through strategic data classification is an essential element in corporate risk reduction efforts. This approach will reduce risk, improve compliance, speed information discovery, and—through data disposal of expired files—decrease costs.

Conclusion
Storage capacities are growing exponentially, exacerbating the number and severity of data breaches and other security issues. Whether due to hackers or employees, companies are at risk of losing or compromising information assets on a daily basis. In this difficult economic environment, companies need to consider a comprehensive, strategic approach to information management through data classification. With decades of relevant experience, Booz Allen Hamilton is the most qualified partner to help drive the adoption of government best practices and proven methodologies for information security and management in the commercial sector.

Booz Allen has helped customers at various stages of the planning and buying cycle. While some clients continue to struggle to assemble internal project teams, others have matured their programs to include high automation. Booz Allen offers services at all levels of the adoption cycle and specializes in translating business requirements to policy definitions and recommendations for enterprise solutions.

Discerning business leaders rely on Booz Allen to deliver quality results to help resolve their complex business challenges. Leveraging our team of experienced cybersecurity experts, proven methodologies, and a reputation built on decades of success, Booz Allen works as your trusted advisor to help protect your business with enduring results.
About the Author
Glen Day is a Principal in Booz Allen Hamilton’s Los Angeles office who leads the firm’s cyber security and privacy services for commercial healthcare. Glen works with our clients to mature and optimize their security and privacy programs to effectively protect their IT assets and meet compliance mandates.

Previously, as Los Angeles County’s first Chief Privacy Officer, he was responsible for the development and implementation of HIPAA’s privacy policies and practices, working across several departments and hospitals to drive the county's health privacy excellence.

Glen also has held executive positions for IT operations and cyber security at various start-ups, and is a retired Commander from the US Navy. He earned his MS in Information Management from the Naval Postgraduate School and his BS in Applied Mathematics from the University of Southern California.

Contact Booz Allen to learn more about our Cyber Security Strategic Approach.
[Figure: Cyber Security Strategic Approach, with Cyber Security Strategy at the center surrounded by Security Testing, Data Classification, Identity & Access Management, Assessment & Inventory Management, and ISO/IEC 27001 Security Program]

Contact Information:
Glen Day
Principal, CISSP, CISM
Cyber Security & Privacy
day_glen@bah.com
310/297-2120

Sources
Claburn, Thomas, “Heartland Payment Systems Hit by Data Security Breach,” InformationWeek, January 20, 2009
Enterprise Strategy Group, Extending Discovery to All Corporate Information, December 2007
IDC, The Diverse and Exploding Digital Universe, March 2008
About Booz Allen
Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and infrastructure organizations rely on the firm’s expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant’s unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With 20,000 people and $4 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of “The 100 Best Companies to Work For,” and Working Mother magazine has ranked the firm among its “100 Best Companies for Working Mothers” annually since 1999.

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.
Principal Offices
ALABAMA: Huntsville
CALIFORNIA: Los Angeles, San Diego, San Francisco
COLORADO: Colorado Springs, Denver
FLORIDA: Pensacola, Sarasota, Tampa
GEORGIA: Atlanta
HAWAII: Honolulu
ILLINOIS: O’Fallon
KANSAS: Leavenworth
MARYLAND: Aberdeen, Annapolis Junction, Lexington Park, Linthicum, Rockville
MASSACHUSETTS: Boston
MICHIGAN: Troy
NEBRASKA: Omaha
NEW JERSEY: Eatontown
NEW YORK: Rome
OHIO: Dayton
PENNSYLVANIA: Philadelphia
SOUTH CAROLINA: Charleston
TEXAS: Houston, San Antonio
VIRGINIA: Arlington, Chantilly, Falls Church, Herndon, McLean, Norfolk, Stafford
WASHINGTON, DC

The most complete, recent list of office addresses and telephone numbers can be found on www.boozallen.com by clicking the “Offices” link under “About Booz Allen.”

www.boozallen.com
©2009 Booz Allen Hamilton Inc.
BAH-083 Viewpoint


PPTX
Electronic data & record management
PDF
3 guiding priciples to improve data security
PDF
Solutions Storage
PDF
The Need for DLP now - A Clearswift White Paper
PDF
How to Secure Your Files with DLP and FAM
PDF
Sept 2012 data security & cyber liability
PDF
BRG_TAP_IG_20150826_WEB
PDF
The Business Case for Data Security
PDF
Managed Security For A Not So Secure World Wp090991
PPTX
Data, data slides
PDF
Managing Dirty Data In Organization Using Erp
PPTX
Ulf mattsson webinar jun 7 2012 slideshare version
PDF
Security Feature Cover Story
PDF
Where in the world is your PII and other sensitive data? by @druva inc
PDF
Why Have A Digital Investigative Infrastructure
PPTX
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
PDF
Protect your critical business information with information security solution...
PDF
Protect your critical business information with information security solution...
PDF
Ssi Data Protection Solutions V0.2
PDF
Modernizing And Advancing Info Magagement
Electronic data & record management
3 guiding priciples to improve data security
Solutions Storage
The Need for DLP now - A Clearswift White Paper
How to Secure Your Files with DLP and FAM
Sept 2012 data security & cyber liability
BRG_TAP_IG_20150826_WEB
The Business Case for Data Security
Managed Security For A Not So Secure World Wp090991
Data, data slides
Managing Dirty Data In Organization Using Erp
Ulf mattsson webinar jun 7 2012 slideshare version
Security Feature Cover Story
Where in the world is your PII and other sensitive data? by @druva inc
Why Have A Digital Investigative Infrastructure
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
Protect your critical business information with information security solution...
Protect your critical business information with information security solution...
Ssi Data Protection Solutions V0.2
Modernizing And Advancing Info Magagement

More from Booz Allen Hamilton (20)

PDF
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
PDF
Examining Flexibility in the Workplace for Working Moms
PDF
The True Cost of Childcare
PDF
Booz Allen's 10 Cyber Priorities for Boards of Directors
PDF
Inaugural Addresses
PDF
Military Spouse Career Roadmap
PDF
Homeland Threats: Today and Tomorrow
PDF
Preparing for New Healthcare Payment Models
PDF
The Product Owner’s Universe: Agile Coaching
PDF
Immersive Learning: The Future of Training is Here
PDF
Nuclear Promise: Reducing Cost While Improving Performance
PDF
Frenemies – When Unlikely Partners Join Forces
PDF
Booz Allen Secure Agile Development
PDF
Booz Allen Industrial Cybersecurity Threat Briefing
PDF
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
PDF
CITRIX IN AMAZON WEB SERVICES
PDF
Modern C4ISR Integrates, Innovates and Secures Military Networks
PDF
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
PDF
Women On The Leading Edge
PDF
Booz Allen Field Guide to Data Science
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
Examining Flexibility in the Workplace for Working Moms
The True Cost of Childcare
Booz Allen's 10 Cyber Priorities for Boards of Directors
Inaugural Addresses
Military Spouse Career Roadmap
Homeland Threats: Today and Tomorrow
Preparing for New Healthcare Payment Models
The Product Owner’s Universe: Agile Coaching
Immersive Learning: The Future of Training is Here
Nuclear Promise: Reducing Cost While Improving Performance
Frenemies – When Unlikely Partners Join Forces
Booz Allen Secure Agile Development
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
CITRIX IN AMAZON WEB SERVICES
Modern C4ISR Integrates, Innovates and Secures Military Networks
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Women On The Leading Edge
Booz Allen Field Guide to Data Science

Recently uploaded (20)

PDF
PMB 401-Identification-of-Potential-Biotechnological-Products.pdf
PPTX
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij
PDF
Daniels 2024 Inclusive, Sustainable Development
PDF
Digital Marketing & E-commerce Certificate Glossary.pdf.................
PPTX
operations management : demand supply ch
PPTX
Sales & Distribution Management , LOGISTICS, Distribution, Sales Managers
PDF
Charisse Litchman: A Maverick Making Neurological Care More Accessible
PPTX
Negotiation and Persuasion Skills: A Shrewd Person's Perspective
PDF
Robin Fischer: A Visionary Leader Making a Difference in Healthcare, One Day ...
PDF
Tortilla Mexican Grill 发射点犯得上发射点发生发射点犯得上发生
PDF
Module 2 - Modern Supervison Challenges - Student Resource.pdf
DOCX
Handbook of Entrepreneurship- Chapter 5: Identifying business opportunity.docx
PDF
Technical Architecture - Chainsys dataZap
PPTX
Astra-Investor- business Presentation (1).pptx
DOCX
Hand book of Entrepreneurship 4 Chapters.docx
PDF
THE COMPLETE GUIDE TO BUILDING PASSIVE INCOME ONLINE
PPTX
basic introduction to research chapter 1.pptx
PPT
Lecture 3344;;,,(,(((((((((((((((((((((((
PDF
Satish NS: Fostering Innovation and Sustainability: Haier India’s Customer-Ce...
PDF
Keppel_Proposed Divestment of M1 Limited
PMB 401-Identification-of-Potential-Biotechnological-Products.pdf
interschool scomp.pptxzdkjhdjvdjvdjdhjhieij
Daniels 2024 Inclusive, Sustainable Development
Digital Marketing & E-commerce Certificate Glossary.pdf.................
operations management : demand supply ch
Sales & Distribution Management , LOGISTICS, Distribution, Sales Managers
Charisse Litchman: A Maverick Making Neurological Care More Accessible
Negotiation and Persuasion Skills: A Shrewd Person's Perspective
Robin Fischer: A Visionary Leader Making a Difference in Healthcare, One Day ...
Tortilla Mexican Grill 发射点犯得上发射点发生发射点犯得上发生
Module 2 - Modern Supervison Challenges - Student Resource.pdf
Handbook of Entrepreneurship- Chapter 5: Identifying business opportunity.docx
Technical Architecture - Chainsys dataZap
Astra-Investor- business Presentation (1).pptx
Hand book of Entrepreneurship 4 Chapters.docx
THE COMPLETE GUIDE TO BUILDING PASSIVE INCOME ONLINE
basic introduction to research chapter 1.pptx
Lecture 3344;;,,(,(((((((((((((((((((((((
Satish NS: Fostering Innovation and Sustainability: Haier India’s Customer-Ce...
Keppel_Proposed Divestment of M1 Limited

Strategic Information Management Through Data Classification

  • 1. Strategic Information Management Through Data Classification. Reducing Corporate Risk and Cost by Gaining Control of Business Information Assets. By Glen Day, day_glen@bah.com
  • 3. Strategic Information Management Through Data Classification. Reducing Corporate Risk and Cost by Gaining Control of Business Information Assets

Even in the midst of a global recession, enterprise storage demand continues to grow at a feverish pace. In addition to bearing escalating costs for storage and related services, companies are also facing increasing risk of data breaches due to the pervasiveness of how and where confidential files are stored. Despite significant investments in content management and data leak protection technologies, most businesses still lack the core processes and tools needed to effectively manage vast amounts of digital data in accordance with business objectives and compliance mandates. Providing businesses with the capabilities necessary to effectively manage and protect information assets demands a more strategic and comprehensive approach to today’s information management programs.

This paper provides a better understanding of how exponential data growth directly affects the risk posture of critical corporate information assets, and addresses the common problems caused by gaps in information management programs and the likely consequences associated with immature methodologies. It also highlights the business advantages and the privacy compliance benefits that can be realized with an effective data classification program that applies a holistic approach to information management.

More Data, More Cost, More Risk

Over the past few decades, most companies made a strategic decision to provide increasing IT resources to their employees. As a result, Moore’s Law prevailed not only in processing power, but also in storage disk capacity. For the past few decades, the price of a gigabyte of storage has been dropping by 30 percent per year, on average. A company having insufficient storage is now virtually unthinkable. Despite a slowing economy, the storage industry in the United States grew by 15 percent between 2007 and 2008 (IDC, 2008).

IDC estimates that information is now growing by 60 percent per year and will continue to grow at that rate through 2011. Worldwide, digital information will escalate tenfold between 2006 and 2011, from under 200 to almost 2,000 exabytes. However, not all of this digital information is stored safely in the corporate database where it can be managed, monitored, and controlled. Enterprise Strategy Group estimates that between 80 to 85 percent of all business data is unstructured (ESG, 2007), much of this in the form of e-mails, text documents, spreadsheets, and presentations (.doc, .ppt, .xls, and .pdf).

Unstructured data is considered the most evasive and unmanaged data format within any company; this poses great risk to businesses. Few hurdles prevent employees from copying confidential data from secure databases and storing the same information in a spreadsheet, thereby negating any security measures protecting its access, use, and dissemination. This kind of violation is often perpetrated by employees to provide convenient access to information while in transit or traveling. Unfortunately, this practice can lead to serious security and privacy breaches, as laptops and USB storage devices with insufficient security controls to protect sensitive data are often lost or stolen.

  • 4. With corporate data increasing exponentially, what are the ramifications of having the storage environment grow 30 percent faster than a company’s revenue or IT budget? With a 30 percent annual average price decline, a simplistic view suggests just purchasing more disks. However, this tactic promises more than it delivers. Related incremental costs for staff and storage management services such as backup, antivirus, and data replication continue to escalate unabated.

Over time, most business information devolves from being an information asset to being an information liability—it no longer serves a business need yet still requires care, protection, and incurs costs. The challenge is not to restrict the growth of useful business data considered to be valued assets, but how to better manage and dispose of expired or worthless data. This useless information is expensive to maintain, holds no further business value, and continues to present a high business risk.

The increasing threat of data leakage remains a primary business challenge. A recent Wall Street Journal article reported that the number of data breaches increased by almost 50 percent in 2008, compared to the previous year, exposing the personal records of some 36 million people to potential thieves (WSJ, 2009). The Ponemon Institute found that these breaches cost companies nearly $200 per record stolen, or $6.6M per incident. The more data stored by an organization, the higher the risk of a breach. Given the exponential increase in data breach incidents, if a casualty has not yet occurred, odds are that one is imminent (ponemon.org).

Until recently, TJX Companies, parent company of retail giant T.J. Maxx, held the record for the largest single security breach of sensitive customer information. On January 21, 2009, Heartland Payment Systems, a large credit card payment processing company, eclipsed TJX when Heartland announced the discovery of malicious software installed on the company’s systems. As Heartland processes more than 100 million transactions per month, the number of compromised records could be in the hundreds of millions. At $200 per record stolen, the financial hit to Heartland could be devastating (Claburn, 2009).

In 1999, congressional lawmakers Phil Gramm, Jim Leach, and Tom Bliley pushed through the Gramm-Leach-Bliley Act, the first major piece of legislation that specifies measures companies must take to protect Nonpublic Personal Information (NPI). This became the foundation for many other privacy regulations—such as HIPAA and the Payment Card Industry (PCI) initiative, mandating protection of sensitive patient and customer data, respectively. In a post-9/11 world, other new regulations like the International Traffic in Arms Regulations (ITAR) place additional restrictions on the flow of trade information. New attention is now focused on the shipment of microchips and electronics, as well as related electronic information surrounding these devices. This spotlight places further duties and burdens on businesses. To properly distribute information internationally related to the manufacture of these components, one may have to effectively classify and restrict access to thousands or even millions of files and stored e-mails.

A Growing Data Management Challenge

Until recently, these problems were relatively manageable. In cases where unstructured data needed to be closely managed for a regulation such as HIPAA or ITAR, companies could employ Enterprise Content Management systems. For a small pool of data, such as the CEO’s e-mail or a repository of engineering documents relevant to litigation, businesses could use litigation support software or services. If data in specific folders or behind certain applications needed to be protected, they could use Identity Management and Data Loss Prevention solutions.

  • 5. Those solutions assumed some logical concentration of relevant data, either in a few places or as a manageable size. Unfortunately, these assumptions are no longer valid. Data held by Fortune 500 companies can no longer be measured in single terabytes and typically exists in multi-petabyte heterogeneous storage environments spread out across global networks. There are multiple silos of information, in many cases governed by data stewards with authority to create their own policies based on regional or departmental priority.

    Most companies do not have adequate processes or technologies to manage their unstructured data. 75% said they were concerned that their unstructured data was growing too rapidly. 63% said they did not have adequate systems to manage it.
    - Computerworld survey of 250 large companies on data management

On average, most large corporations now have over 240 terabytes of storage, of which some 80 terabytes may be subject to significant requirements for information protection, such as access and lifecycle controls. Relevant and supporting enterprise policies or solutions for meeting those requirements are often immature and insufficient. The digital data, and its management requirements, have simply grown too fast for most companies to build an effective information management strategy that can meet business objectives.

Continuing to neglect these challenges may result in: adverse legal judgments for failing to meet Federal Rules of Civil Procedure (FRCP) guidelines; penalties; and lost business resulting from data privacy breaches, or loss of trade secrets that could diminish a company’s competitive edge. Effectively employing an information management strategy may be the single largest priority for Fortune 500 companies over the next 3 years.

Answering the Challenge

Gaining control of corporate information assets will not be accomplished through technology solutions or ad hoc process changes. In Booz Allen’s view, enterprises should implement a strategic information management program by first classifying data to help reduce their corporate risk exposure, decrease information discovery times, improve compliance status, and potentially realize significant cost savings through an effective data disposal program.

There are substantial synergies between information management and other enterprise-wide shared services, including access management, data leakage protection, records management, litigation support, storage management, governance, risk, and compliance. Our comprehensive approach takes a holistic view of key business processes and data protection controls as assessed against our information management adoption model in Exhibit 1.

New rules and regulations governing how data must be stored, secured, transferred, retained, disposed of, and used will encourage many businesses to emulate the standard set by US military and intelligence communities in establishing a classification schema.

Exhibit 1 | The Booz Allen Strategic Information Management Model (SIMM)
(Diagram: the Strategic Information Management Model at the centre, surrounded by its components: Data Classification Policy & Procedures; Information Handling Policy & Procedures; Data Leakage Preventive Program; Access Management Program; Data Retention & Disposal Policy & Procedures; Electronic Discovery (eDiscovery) Program; Automated Data Disposal Program.)
Source: Booz Allen Hamilton
  • 6. For almost a century, Booz Allen Hamilton has assisted federal agencies and commercial companies in building strategies to streamline their operations and gain a competitive advantage. More recently, Booz Allen has helped to pioneer strategies for large organizations to solve enterprise problems related to records management and information security. This unique experience and expertise has never been more relevant for commercial companies with global operations.

Effective Information Management Through Strategic Data Classification

The majority of data and privacy breaches are avoidable. Traditionally, organizations have applied a network-centric focus to securing systems, based on defined confidentiality levels for storing and processing data. While still a necessary component, a more information-centric approach is needed today. Better control and protection of confidential and sensitive information first requires an awareness of where the data is stored and how it is protected.

Booz Allen’s methodology conveys the complexities of information management in simple business terms:

• Know what information you have
• Know where you have it
• Know what information you have to keep
• Know why you have to keep it
• Keep it only as long as you need to—dispose of everything else

Booz Allen’s strategic approach to building and executing a data classification program, as illustrated in Exhibit 2, is derived from a logical and comprehensive workflow.

• Classification Schema Definition: Prior to classifying unstructured data, business owners must first determine the levels of classification (Confidential, Restricted, Public, etc.) and what attributes constitute each of the levels (SSN, credit card number, financial information, protected health information, etc.).
• Discovery: Once classifications are defined, storage managers should identify known storage areas and query for unknown storage devices.
• Data Mapping: Detailed data maps should then be created to formally document leading data flows and their associated classifications.
• Analysis: During this critical phase, stakeholders should perform a detailed review and evaluation to identify violations and conflicts between corporate policies and user practices as related to information handling.
• Strategic Realignment Plan: Based on the outcomes from the previous phases, remediation recommendations should be developed using risk-based methodologies to create a strategic plan to realign both administrative policies and user practices. This should include an information security control enhancement plan to mitigate the identified deficiencies.
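The five-step workflow above can be made concrete in a small script. The following Python example is added here for illustration; it is not code from the paper or from Booz Allen. The classification levels, the attribute patterns (SSN, payment card number, protected-health and financial markers), the per-location handling policy and the file inventory are all constructed assumptions, and the inventory stands in for what a real discovery scan of file shares, laptops and removable media would return. It walks a schema definition, a discovery result, a data map, an analysis that flags files stored above the level their location is permitted to hold (the copied-to-spreadsheet-on-USB case the paper describes), and a per-location tally to prioritise realignment.

```python
"""Added example of the paper's five-step data classification workflow.
Not the paper's or Booz Allen's code; every level, pattern, policy and
sample file is a constructed assumption for illustration."""
import re
from typing import Dict, List, Tuple

# --- Step 1: Classification Schema Definition ------------------------------
# Levels ordered lowest to highest (assumed names; business owners set these).
LEVELS = ["Public", "Restricted", "Confidential"]

# Attribute -> (pattern that detects it, level the attribute implies).
ATTRIBUTE_PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Confidential"),
    "credit_card": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "Confidential"),
    "phi_marker": (re.compile(r"\b(?:diagnosis|patient id)\b", re.I), "Confidential"),
    "financial": (re.compile(r"\b(?:revenue forecast|earnings guidance)\b", re.I), "Restricted"),
}

# Handling policy (assumed): the highest level each storage area may hold.
LOCATION_CEILING = {
    "secure_db_export": "Confidential",
    "dept_share": "Restricted",
    "laptop": "Restricted",
    "usb": "Public",
}

# --- Step 2: Discovery -----------------------------------------------------
# Constructed inventory standing in for a storage scan: path -> (area, content).
SAMPLE_INVENTORY = {
    "secure_db_export/customers.csv": ("secure_db_export", "name,ssn\nJane Roe,123-45-6789\n"),
    "dept_share/q3_plan.xlsx": ("dept_share", "Revenue forecast for Q3: see tab 2"),
    "dept_share/clinic_list.docx": ("dept_share", "Patient ID 8841, diagnosis pending"),
    "usb/customers_copy.xls": ("usb", "Jane Roe,123-45-6789,card 4111 1111 1111 1111"),
    "laptop/notes.txt": ("laptop", "Meeting notes. Order ref 1234 5678 9012 3456"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers (order refs, serials)
    are not mistaken for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> Tuple[str, List[str]]:
    """Return (level, attributes found): the highest level implied by any
    attribute present, or Public if none is present."""
    level, found = "Public", []
    for name, (pattern, implied) in ATTRIBUTE_PATTERNS.items():
        hits = pattern.findall(content)
        if name == "credit_card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            found.append(name)
            if LEVELS.index(implied) > LEVELS.index(level):
                level = implied
    return level, found


# --- Step 3: Data Mapping --------------------------------------------------
def build_data_map(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, dict]:
    """Record, per file, where it lives and which classification it carries."""
    data_map = {}
    for path, (location, content) in inventory.items():
        level, attrs = classify(content)
        data_map[path] = {"location": location, "level": level, "attributes": attrs}
    return data_map


# --- Step 4: Analysis ------------------------------------------------------
def analyze(data_map: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Flag files whose level exceeds the ceiling of their storage area: the
    policy-versus-practice conflicts the Analysis phase looks for."""
    violations = []
    for path, entry in data_map.items():
        ceiling = LOCATION_CEILING[entry["location"]]
        if LEVELS.index(entry["level"]) > LEVELS.index(ceiling):
            violations.append((path, entry["location"], entry["level"], ceiling))
    return violations


# --- Step 5: Strategic Realignment Plan ------------------------------------
def realignment_priorities(violations) -> Dict[str, int]:
    """Count violations per storage area so remediation can start where
    classified data is most often outside its permitted locations."""
    counts: Dict[str, int] = {}
    for _path, location, _level, _ceiling in violations:
        counts[location] = counts.get(location, 0) + 1
    return counts


if __name__ == "__main__":
    dmap = build_data_map(SAMPLE_INVENTORY)
    for path, entry in dmap.items():
        print(f"{path:32} {entry['level']:12} {entry['attributes']}")
    found = analyze(dmap)
    for path, location, level, ceiling in found:
        print(f"VIOLATION: {path} is {level}; ceiling for {location} is {ceiling}")
    print("remediation priorities:", realignment_priorities(found))
```

Two design points: the Luhn check keeps the card-number pattern from flagging every 16-digit reference number, which is the main source of noise in attribute-based classification, and the policy is expressed as a ceiling per storage area rather than a per-file rule, so the same data map can be re-analyzed when the handling policy changes without rescanning.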
  • 7. Exhibit 2 | Data Classification Assessment Methodology
(Diagram: five phases in sequence: Classification Schema Definition, Discovery, Data Mapping, Analysis, Strategic Realignment Plan.)
Source: Booz Allen Hamilton

Applying Booz Allen’s business-centric approach to data protection through strategic data classification is an essential element in corporate risk reduction efforts. This approach will reduce risk, improve compliance, speed information discovery, and—through data disposal of expired files—decrease costs.

Conclusion

Storage capacities are growing exponentially, exacerbating the number and severity of data breaches and other security issues. Whether due to hackers or employees, companies are at risk of losing or compromising information assets on a daily basis. In this difficult economic environment, companies need to consider a comprehensive, strategic approach to information management through data classification.

With decades of relevant experience, Booz Allen Hamilton is the most qualified partner to help drive the adoption of government best practices and proven methodologies for information security and management in the commercial sector.

Booz Allen has helped customers at various stages of the planning and buying cycle. While some clients continue to struggle to assemble internal project teams, others have matured their programs to include high automation. Booz Allen offers services at all levels of the adoption cycle and specializes in translating business requirements to policy definitions and recommendations for enterprise solutions.

Discerning business leaders rely on Booz Allen to deliver quality results to help resolve their complex business challenges. Leveraging our team of experienced cybersecurity experts, proven methodologies, and a reputation built on decades of success, Booz Allen works as your trusted advisor to help protect your business with enduring results.
  • 8. About the Author

Glen Day is a Principal in Booz Allen Hamilton’s Los Angeles office who leads the firm’s cyber security and privacy services for commercial healthcare. Glen works with our clients to mature and optimize their security and privacy programs to effectively protect their IT assets and meet compliance mandates. Previously, as Los Angeles County’s first Chief Privacy Officer, he was responsible for the development and implementation of HIPAA’s privacy policies and practices, working across several departments and hospitals to drive the county's health privacy excellence. Glen also has held executive positions for IT operations and cyber security at various start-ups, and is a retired Commander from the US Navy. He earned his MS in Information Management from the Naval Postgraduate School and his BS in Applied Mathematics from the University of Southern California.

Contact Information:
Glen Day
Principal, CISSP, CISM
Cyber Security & Privacy
day_glen@bah.com
310/297-2120

Contact Booz Allen to learn more about our Cyber Security Strategic Approach.
(Diagram: Cyber Security Strategy at the centre, with Security Testing; Data Classification; ISO/IEC 27001 Security Program; Assessment & Inventory; Identity & Access Management.)

Sources
Claburn, Thomas, “Heartland Payment Systems Hit by Data Security Breach,” InformationWeek, January 20, 2009
Enterprise Strategy Group, Extending Discovery to All Corporate Information, December 2007
IDC, The Diverse and Exploding Digital Universe, March 2008
  • 9. About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and infrastructure organizations rely on the firm’s expertise, and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant’s unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With 20,000 people and $4 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of “The 100 Best Companies to Work For,” and Working Mother magazine has ranked the firm among its “100 Best Companies for Working Mothers” annually since 1999.

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.
  • 10. Principal Offices

ALABAMA: Huntsville
CALIFORNIA: Los Angeles, San Diego, San Francisco
COLORADO: Colorado Springs, Denver
FLORIDA: Pensacola, Sarasota, Tampa
GEORGIA: Atlanta
HAWAII: Honolulu
ILLINOIS: O’Fallon
KANSAS: Leavenworth
MARYLAND: Aberdeen, Annapolis Junction, Lexington Park, Linthicum, Rockville
MASSACHUSETTS: Boston
MICHIGAN: Troy
NEBRASKA: Omaha
NEW JERSEY: Eatontown
NEW YORK: Rome
OHIO: Dayton
PENNSYLVANIA: Philadelphia
SOUTH CAROLINA: Charleston
TEXAS: Houston, San Antonio
VIRGINIA: Arlington, Chantilly, Falls Church, Herndon, McLean, Norfolk, Stafford
WASHINGTON, DC

The most complete, recent list of office addresses and telephone numbers can be found on www.boozallen.com by clicking the “Offices” link under “About Booz Allen.”

www.boozallen.com
©2009 Booz Allen Hamilton Inc. BAH-083 Viewpoint