| COLUMN |
Creating a data classification policy |
 |
By Andrew McCreath
01 Apr 2009 | SearchStorage.co.UK
|
A project arrives on an IT manager's desk with all of the documentation complete, the scope and size of the service defined, and a very compelling executive summary. Yet the request is declined. Why?
The answer lies with creating a data classification policy. Many companies still fail to apply a data classification profile from their IT policy to a project. They assume that when the system goes live, their archiving tool of choice will handle the rest.
This mistake probably causes the most pain within many small- and medium enterprises (SMEs) today because they probably never had the budget to deploy data classification as a programme of works or couldn't get the needed support.
Data classification enables organisations to store their data in line with compliance controls, thereby reducing any risk to the business in the event of an audit or legal discovery.
Beyond this, a data classification policy enables companies to store data in the most effective manner and utilise their storage resources in an optimal fashion. High-performance disks retain the most active data, while lower-performing disks can be leveraged for archival purposes.
Using data classification, organisations can identify where their data should be sent and who should have access to it. For example, a file marked "Company confidential" shouldn't be allowed to be sent via email to external sources, while one marked "Public" should be accessible via the company intranet (but not the publicly accessed Internet).
The goal of data classification is to align data with business requirements so IT can effectively and efficiently manage it.
The biggest challenge faced by companies looking to implement data classification is educating users. Unless a company is well disciplined or its users have a basic understanding of the security practises surrounding data classification, implementation will be a challenge. In addition, if the implementation is overly complex, uptake of the technology will be low and lead to failure. It's better to have a simple data classification policy than to fail in perfection. The devil truly is in the details.
So with this in mind is the answer a tool, software, hardware, a procedure or a policy? It's an overall approach led by the business -- with cost, risk and service in mind -- that delivers against a set of objectives, goals and measures. Only once these are in place are you ready to talk to vendors about which tools (or components) may meet the needs of your business.
For example, nobody goes out to buy a car just to get from A to B. We go out wanting certain things from that mode of transport such as a sunroof, heated seats and so on. These are the criteria we use for making an informed decision as to which vehicle is the right one for us. The same needs to be true of data classification. Words like strategy and vision are great, but you can't have a vision for a fast system or expect grandeur with limited funds. However, that doesn't mean spending a lot of money is always the right decision. You should always use a specialist to assist in the early design of your system to ensure that costs are accurate and justified by the business and not by your vendor.
About the author: Andrew McCreath is the virtualisation practice lead at GlassHouse Technologies (UK) Ltd., a global provider of IT infrastructure services. McCreath has more than 16 years of experience in infrastructure and management information systems. Prior to joining GlassHouse, McCreath managed multimillion dollar projects while employed at Accenture, Credit Suisse First Boston, Kimberly-Clark, Société Générale and EMC. He currently specialises in server virtualisation and data centre consolidation.
|
|
|
|
