Data classification, as part of the Information Lifecycle Management (ILM) process, can be defined as a tool for categorizing data so that an organization can effectively answer the following questions:
- What data types are available?
- Where are certain data located?
- What access levels are implemented?
- What protection level is implemented and does it adhere to compliance regulations?
When implemented, it provides a bridge between IT professionals and process or application owners. IT staff are informed about the value of the data, while management (usually application owners) gains a better understanding of which segments of the data center need investment to keep operations running effectively. This can be of particular importance in risk management, legal discovery, and compliance with government regulations. Data classification is typically a manual process; however, there are many tools from different vendors that can help gather information about the data.
The fundamental objective in classifying and protecting data should be based on the reasons why the data are important to the business in the first place. IT does not have this knowledge in most cases. Therefore, each line of business must identify which pieces of information are critical to its business processes. From a security standpoint, it does not really matter what names are assigned to data as long as data sets are established that provide more meaning to business operations. The advantage of employing classification terminology that reflects the business operation will be evident in communicating ownership and integrating the security requirements into each business process.
The key success factor in a data classification scheme is that classes of information are properly defined and related to process owners, easily communicated to all stakeholders, and clearly convey a business value to the organization, while expressing the need for hard, technical internal controls that IT understands.