Missing: Data Classification
Picked Last Again
Data Classification is, unfortunately, missing from many Information Security programs. The growth and maturity of most security programs is typically organic, following in the wake of the growth of the business itself. That organic growth naturally leaves less mature programs reactive for many years, focused on deploying controls to keep business-critical data from being breached.
So, unsurprisingly, Data Classification isn't generally picked first when assembling a team of top security program components. Organically grown programs tend to stack their lineups with heavy-hitting controls like VPNs, backup solutions, MFA, and EDRs, which are all important components for sure.
Program Measurements
Measuring an organization's security program boils down to three (3) primary focus areas:
- Program Maturity - Does the program include all of the components that it should?
- Organizational Effectiveness - How effectively are those components protecting business-critical data?
- Business Risk - What is the likelihood that business-critical data becomes breached or unavailable, and what are the financial ramifications if this happens?
The above list is not a knock on Compliance, which is a crucial component for many industries. It is generally agreed upon in infosec circles that the best way to achieve compliance is to focus more on the security components of the program and less on complying with specific frameworks; compliance is then the result of a strong security-focused program.
Maturity and Risk are commonly measured in most organizations that take the protection of business-critical data seriously. Effectiveness is less commonly measured, in organically grown and highly mature security programs alike. I have several hypotheses as to why this is generally the case, but that can be for a different blog post.
Organizational effectiveness can be measured in many ways. One example is using a framework like MITRE ATT&CK® to map the tools in an organization's security stack to the ATT&CK data sources and data components that can detect the attack techniques documented in the framework. That said, the presence of a tool that can detect certain techniques does not guarantee that those techniques will be detected. A sensor deployed to only some hosts, collecting the wrong events, or feeding no tuned detection shows up as coverage on paper and nothing more, so it is crucial to understand how well each tool has been deployed and is actively maintained before counting it toward effectiveness.
This type of effectiveness measurement has been well documented across TrustedSec blogs and webinars (see Attack Path Effectiveness). It is not the only valuable measurement of effectiveness, though, and another one circles us back to Data Classification.
Data Classification Applications
Data Classification is both a simple concept and a foundational aspect of Information Security and Risk Management. It is crucial in the identification of business-critical systems and their associated Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). As organically grown security programs mature and become better aligned with business needs and priorities, risk analysis that looks at the likelihood of breaches and the resulting financial impacts becomes much more important. But 'impact' can be difficult to gauge without the application of Data Classification.
The functional aspect of measuring impact is to better understand the expected financial losses if business-critical systems are breached or fail. This process typically looks at both the classification of the data each system handles (PII, cardholder data (CHD), PHI, intellectual property, etc.) and at per-system organizational loss (e.g., how much revenue the organization loses if this system becomes unavailable).
While the former is generally a simple exercise for an organization to walk through, mapping critical systems to financial losses can be much more complicated. A mature Risk Management program is crucial to helping a business make the best decisions by understanding the ramifications of technical issues, and it requires an equally mature critical system mapping that records each system's owner and the revenue associated with it.
Saying the Hard Part Out Loud
Critical systems are high-level constructs that may have many supporting assets. Mapping the supporting assets of any critical system relies upon another foundational component of a security program that is also generally overlooked: Inventories. A mature inventory must carry, for each supporting asset, the data classification and criticality of the systems it supports; an asset that backs two critical systems inherits the higher classification of the two.
A mature Data Classification program that includes critical system and asset mapping can be used in many ways to improve organizational effectiveness. One example is vulnerability management, which can be challenging, especially in large enterprises. Assets that support critical systems can be given higher weights when vulnerabilities are scanned and scored, so that when the latest critical-severity vulnerability turns up across the ecosystem, teams remediate the instances that affect the higher-level critical systems first rather than working the list in CVSS order alone.
Incident Response is another security program component that is enhanced by the application of Data Classification. The same mature Data Classification program can be used to prioritize recovery efforts in the event of a large-scale breach like ransomware. Once the root cause or causes of the breach have been determined and the attacker's access has been removed, the critical systems responsible for the bulk of the organization's revenue should be recovered before any other systems; restoring them before eradication risks reinfecting the freshly rebuilt systems.
Similarly, Disaster Recovery and Business Continuity Planning exercises benefit greatly from prioritizing business-critical systems and their supporting assets.
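The inheritance and prioritization described in the last few paragraphs (assets inheriting the classification and revenue exposure of the critical systems they support, vulnerability remediation weighted by that inherited criticality, and a recovery order driven by revenue) can be made concrete in a few lines. The following is an added example, not TrustedSec's tooling or code from the original post. The classification tiers, the tier weights, the system and asset names, the owners, the dollar figures and the `finding-N` identifiers are all constructed for illustration; a real program would pull them from its own classification policy, inventory and scanner.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical classification policy: which sensitivity tier each data type
# lands in, and a numeric weight per tier. A real program defines its own.
DATA_TYPE_TIER = {
    "PHI": "restricted",
    "CHD": "restricted",
    "PII": "confidential",
    "IP": "confidential",
    "marketing": "internal",
}
TIER_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    owner: str
    data_types: FrozenSet[str]   # data the system handles, e.g. PII, CHD
    revenue_per_hour: float      # revenue lost per hour of unavailability
    rto_hours: float             # recovery time objective


@dataclass(frozen=True)
class Asset:
    name: str
    supports: FrozenSet[str]     # names of the critical systems it supports


@dataclass(frozen=True)
class Finding:
    finding_id: str              # placeholder identifier, not a real CVE
    cvss: float
    affected_assets: FrozenSet[str]


def system_tier(system: CriticalSystem) -> str:
    """Highest classification tier among the data types the system handles."""
    tiers = [DATA_TYPE_TIER[t] for t in system.data_types]
    return max(tiers, key=TIER_WEIGHT.__getitem__, default="public")


def outage_loss(system: CriticalSystem) -> float:
    """Revenue at risk if an outage runs all the way to the system's RTO."""
    return system.revenue_per_hour * system.rto_hours


def asset_profile(asset: Asset, systems: Dict[str, CriticalSystem]) -> Tuple[str, float]:
    """Inherit from the parent systems: the asset takes the highest tier of any
    system it supports and the summed outage loss of all of them."""
    parents = [systems[name] for name in asset.supports]
    tier = max((system_tier(p) for p in parents),
               key=TIER_WEIGHT.__getitem__, default="public")
    return tier, float(sum(outage_loss(p) for p in parents))


def prioritize_findings(findings: List[Finding], assets: Dict[str, Asset],
                        systems: Dict[str, CriticalSystem]) -> List[str]:
    """Order remediation by CVSS weighted with the inherited tier, ties broken by
    revenue exposed, so a high on a restricted database outranks a critical on a
    build box that supports nothing business-critical."""
    ranked = []
    for f in findings:
        weight, exposure = 1, 0.0
        for name in f.affected_assets:
            tier, loss = asset_profile(assets[name], systems)
            weight = max(weight, TIER_WEIGHT[tier])
            exposure += loss
        ranked.append((f.cvss * weight, exposure, f.finding_id))
    ranked.sort(key=lambda r: (-r[0], -r[1], r[2]))
    return [finding_id for _, _, finding_id in ranked]


def recovery_order(systems: Dict[str, CriticalSystem]) -> List[str]:
    """Recover the systems carrying the most revenue per hour first; the
    shorter RTO wins a tie."""
    ordered = sorted(systems.values(), key=lambda s: (-s.revenue_per_hour, s.rto_hours))
    return [s.name for s in ordered]


# Constructed sample inventory; names, owners and dollar figures are made up.
SYSTEMS = {s.name: s for s in [
    CriticalSystem("ecommerce", "VP Sales", frozenset({"PII", "CHD"}), 25_000.0, 4.0),
    CriticalSystem("patient-portal", "Clinical Ops", frozenset({"PHI", "PII"}), 8_000.0, 8.0),
    CriticalSystem("marketing-site", "Marketing", frozenset({"marketing"}), 500.0, 24.0),
]}
ASSETS = {a.name: a for a in [
    Asset("db-01", frozenset({"ecommerce", "patient-portal"})),
    Asset("web-01", frozenset({"ecommerce"})),
    Asset("cms-01", frozenset({"marketing-site"})),
    Asset("build-01", frozenset()),          # supports no critical system
]}
FINDINGS = [
    Finding("finding-1", 9.8, frozenset({"cms-01"})),
    Finding("finding-2", 7.5, frozenset({"db-01"})),
    Finding("finding-3", 9.8, frozenset({"build-01"})),
]

if __name__ == "__main__":
    for name, asset in ASSETS.items():
        print(name, asset_profile(asset, SYSTEMS))
    print("remediate:", prioritize_findings(FINDINGS, ASSETS, SYSTEMS))
    print("recover:", recovery_order(SYSTEMS))
```

With the constructed data, `db-01` inherits the `restricted` tier and a combined exposure of 164,000 from the two systems it backs, so the 7.5 finding on it is remediated ahead of the two 9.8 findings on the marketing CMS and the build server; the recovery order comes out as `ecommerce`, `patient-portal`, `marketing-site`. The scoring is deliberately simple and transparent; the point is that both orderings fall out of the inventory once classification and revenue are attached to it, rather than being argued over during an incident.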
These are just a few examples of how organizations can improve their organizational effectiveness through the application of a mature Data Classification program, a severely overlooked component of Information Security programs across all industries and verticals.
Teaser
Hopefully this article has planted a seed in the minds of those who may not have taken Data Classification seriously as a star player in an information security program. But where do we go from here? In Part 2 of this exploration, we'll look at how organizations can functionally apply Data Classification from a high-level policy to the crucial component of vital security program domains that it truly is.