IT Security Strategy: Grouping Your Data
By Scott E. Christiansen | Posted 2008-09-02
Today’s IT security strategies should be as flexible as the business needs, while still maintaining the proper measure of security protection and control. Security policy needs to reflect who will see and use the data. Filters can help manage data taxonomy, while access control allows new collaboration technologies to be added to your environment while it remains secure. Change control and configuration management can also help.
Grouping Your Data
Creating a taxonomy is an important part of data governance. The following are some suggested classifications:
Document Type: Is it a project plan, a contract, a specification, an answer to a request for proposal, a price quote, a memo, etc.?
Document Format: .doc, .xls, .mp3, .mov, .pdf, etc.
Owner: If questions arise about a particular document type or its contents, the owner should be able to tell you everything there is to know about it.
Sensitivity: Is the data public, public within a limited scope (specific client information), internal only (confidential business strategy plans), internal within a limited scope (employee salary information or social security numbers), or does it contain other information that’s unique to an individual (such as passwords)?
Access Control: What users and groups should have access to this information?
Critical Level: Is the information business-critical, semi-critical or not at all critical? Could your business survive if the data were lost?
Access Frequency: How often will the people who need this information actually access it?
Retention Length: How long do you want to keep the data? How long do you have to keep it (federal mandates or legal liabilities)? How quickly should you get rid of information such as temporary files, information placed in a file-exchange location or e-mail?
Scott E. Christiansen is the chief security officer at Leo A Daly, an architectural and engineering firm in Omaha, Neb.