
Secure to the Core: Page 3 of 11

A basic data-classification plan may start with the data and provide a framework for grouping that data into two or more classification tiers. A three-tier method may include categories such as public data, private data, and proprietary and confidential data.

For example, schematics for the next-generation Strong-Bad 3000 cannery machine--which is capable of packaging potted meat at the rate of 3,000 CPMs (cans per minute) and could revolutionize the potted-meat industry--would be considered sensitive and valuable by the machine's maker. In our three-tier model, the data relating to these schematics would be classified as proprietary and confidential. In contrast, last year's sales brochures touting the aging Strong-Bad 325i models, available via the company Web site, would be classified as public data.

While this example is simplistic, the success of a classification effort is often determined by its simplicity. A four-tier model might introduce a tier between private and proprietary--after all, the more tiers, the more granular the organization's data-classification efforts can be. However, with that granularity comes added complexity, a larger margin for error, and potentially higher costs associated with making the classification process a reality.

Figure: Loss Costs

Let's move from data classification to asset classification. In this case, an asset might be a piece of data, a single system, or a group of systems that perform a given business function. For example, all the data, servers and applications that comprise the payroll system might be viewed as a single asset (with multiple components). Or, depending on the classification policies, the individual components might be rated or ranked separately. Asset rankings might also take into account less tangible factors, such as "visibility." For example, a public Web server may not contain critical data, but a defacement of the site could result in public embarrassment and a decrease in customer confidence. Regardless, how a given organization views its digital assets depends on defined policies and strategies and on the organization's ability to execute those strategies.
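As an added illustration (not code from the article), the following Python sketch models the three-tier scheme and the component roll-up described above: an asset inherits the tier of its most sensitive component, a visibility factor can lift a public-facing asset above what its data alone would warrant, and an asset with any unclassified component cannot be ranked at all. The weights, the 0..2 visibility scale and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Three-tier data classification from the article; higher value = more sensitive.
class Tier(IntEnum):
    PUBLIC = 1
    PRIVATE = 2
    PROPRIETARY = 3  # "proprietary and confidential"

@dataclass
class Component:
    name: str
    tier: Optional[Tier]  # None = classification was never completed

@dataclass
class Asset:
    name: str
    components: list
    visibility: int = 0  # assumed scale 0..2: internal-only .. public-facing, brand-bearing

DATA_WEIGHT, VISIBILITY_WEIGHT = 2, 1  # assumed weights, not from the article

def asset_tier(asset: Asset) -> Optional[Tier]:
    """Roll component tiers up to the asset: the most sensitive component sets the tier.
    Returns None if any component is still unclassified."""
    tiers = [c.tier for c in asset.components]
    if any(t is None for t in tiers):
        return None
    return max(tiers)

def risk_rank(asset: Asset) -> Optional[int]:
    """Data sensitivity plus the intangible 'visibility' factor; None if not rankable."""
    tier = asset_tier(asset)
    if tier is None:
        return None
    return DATA_WEIGHT * int(tier) + VISIBILITY_WEIGHT * asset.visibility

def rank_assets(assets):
    """Sort rankable assets high-to-low; report unclassified ones separately for follow-up."""
    ranked = [a for a in assets if risk_rank(a) is not None]
    blocked = [a.name for a in assets if risk_rank(a) is None]
    ranked.sort(key=lambda a: (-risk_rank(a), a.name))
    return [(a.name, risk_rank(a)) for a in ranked], blocked

# Constructed sample inventory (not from the article).
INVENTORY = [
    Asset("payroll", [Component("payroll-db", Tier.PROPRIETARY), Component("payroll-app", Tier.PRIVATE)]),
    Asset("public-web", [Component("brochures", Tier.PUBLIC)], visibility=2),
    Asset("intranet-wiki", [Component("wiki-pages", Tier.PRIVATE)]),
    Asset("lab-fileshare", [Component("sb3000-schematics", Tier.PROPRIETARY), Component("misc-docs", None)]),
]

if __name__ == "__main__":
    ranked, blocked = rank_assets(INVENTORY)
    for name, score in ranked:
        print(f"{score:2d}  {name}")
    print("needs classification before ranking:", blocked)
```

Note that the public Web server ends up ranked level with the private intranet wiki purely on visibility, and the file share holding the schematics cannot be ranked until its last component is classified, which is exactly the gap the next paragraph describes.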

Unfortunately, many organizations complete their classification policies but fall flat on their faces when it comes to completing the classification process. According to both our own observations and Network Computing reader polls, most organizations have not even completed their data-classification efforts, much less mapped those classifications to IT assets, essentially removing the possibility of an "effortless" move to a practical asset-based risk ranking system.