Data ownership
I read Rob Newby's post about "data classification" with interest as the implementation of such a process has been on my "to do" list for a while. To paraphrase my comment to him, "I think Data Classification is one of the fundamental first steps in a good InfoSec programme". The point is, until you know how important the data is, how long it needs protecting for and who should have access to it, it is impossible to get the data security environment set up correctly.
And therefore, protect your data adequately.
So, on to my particular issue. I have discussed data classification schemes in the past within The Company and not had much interest. Despite using the obvious scaremongering tactics and some pretty high profile internal snafus, no one really gave a proverbial.
So, how do I make people take notice?
Well, a while ago, I found out that our directory access control settings were all over the place. People had access to stuff they didn't need and in some cases, didn't even know about. After investigation, it appears that to be given access permissions to a certain directory, you just had to "fill in a form". The process of authorisation didn't really exist.
Although strictly speaking this isn't "data classification", it is linked.
It sparked a debate where I suggested that the IT department should review the process of assigning access permissions and improve it. They misunderstood and said it was not their responsibility to decide who has access to what. Of course it isn't, but they have a responsibility to ensure that the requests are properly authorised and that the environment is maintained correctly.
So, where are we now? Well, The Service Delivery Manager is involved and we have agreed to raise it at the next IT User Group Meeting with a view to getting buy-in from the business.
Here lies the core issue. In previous discussions, it's been a case of "it's not my responsibility" from both IT and the business units. The process of breaking that down is one of enlightenment. Once both "sides" understand where they fit into the whole picture, they "should" agree to take ownership a lot easier.
Now to the link between "data classification" and "access control". Once the business units have accepted responsibility for specifying who can access what directories / folders, it should be a far easier "sell" to get them to accept responsibility for determining who should see what specific data. That being true, the subject of "data classification" springs up, as if by magic!!!!