The Definitive Guide To Data Classification Fortra

This document provides an introduction to data classification. It explains that data classification is the process of categorizing data based on predefined criteria so it can be appropriately protected. The document discusses why data classification is important, dispels common myths about it being too time-consuming or complicated, and explains how data classification helps simplify data security by prioritizing what data needs protection.

The Definitive

Guide To Data
Classification
Data Classification For Data
Protection Success
2022 Edition
The Definitive Guide To Data Classification

Table Of Contents
03 Introduction

04 Part One: What is Data Classification?

06 Part Two: Data Classification Myths

08 Part Three: Why Data Classification is Foundational

12 Part Four: The Resurgence of Data Classification

16 Part Five: How Do You Want to Classify Your Data?

21 Part Six: Selling Data Classification to the Business

27 Part Seven: Getting Successful with Data Classification

33 Part Eight: Fortra Data Classification & Protection

Fortra.com 2

Why Read This Guide?


There Are Two Types Of Companies: Those That Run On Data And Those That Will Run On Data

InfoSec professionals will perennially be challenged with more to do than time, budget, and staffing will allow. The most effective method to address this
is through prioritization, and in the case of your growing data, prioritization comes from data classification. In this guide you will learn what classification is,
why it is important, even foundational to data security, and much more.

How To Use This Guide

If You Are... Go To...

• If you are new to data classification, go to Part One: What is Data Classification.
• If you are learning how data classification drives your data security strategy, go to Part Three: Why Data Classification is Foundational.
• If you are trying to understand the different classification methods, go to Part Five: How Do You Want to Classify Your Data.
• If you are in need of speaking points for building internal support, go to Part Six: Selling Data Classification to the Business.


Part One
What Is Data Classification?


Data Classification

What: Data classification is the process of consistently categorizing data, using visual and metadata labels, based on specific and pre-defined criteria so that data can be efficiently and appropriately protected.

How: There are a few key questions organizations need to ask to help define classification categories. Answering these will guide your data classification efforts and get the program started.
• What are the data types? (structured vs unstructured)
• What data needs to be classified?
• Where is the sensitive data located?
• What are some examples of classification levels?
• How can data be protected and which controls should be used?
• Who has access to what data?

Before You Can Classify

Data discovery is closely aligned with classification; before you can classify data you need to know what you have. Data discovery needs to look at the endpoint, on network shares, in databases, and in the cloud.

Why: The need for classification can be driven by governance, company compliance, regulatory requirements (GDPR, HIPAA, PCI, CCPA and more), protection of intellectual property (IP), or perhaps most importantly, by the need to simplify your security strategy (more about that later).


Part Two
Data Classification Myths


3 Myths Of Data Classification

MYTH 1: Long Time To Value.
Automated classification drives insights from day one. Automation for both context and content brings order to all your sensitive data; quickly and easily. Data collection and visibility can continue until the organization is prepared to deploy and operationalize a policy. Even without a policy, insights from automated data classification can drive security improvements.

MYTH 2: It's Too Complicated.
Many data classification projects get bogged down by starting with overly complex classification schemes. When it comes to classification more is not necessarily better; more may just be more complex. PricewaterhouseCoopers, Forrester, and AWS all recommend starting with just three categories. Starting with a simplified classification policy helps to get your program off the ground. If after deployment more granular levels are needed, your decision will be driven by data, or regulatory requirements, not simply speculation.

MYTH 3: It's Another Level Of Bureaucracy.
Data classification can be an enabler and a way to simplify data protection. By understanding what portion of your data is sensitive, resources are allocated appropriately. Users understand what needs to be protected. Sensitive and regulated data is prioritized; public data is given lower priority, or destroyed, to eliminate future risk of its theft.


Part Three
Why Data Classification Is Foundational


It's Easier To Manage The Data Deluge With Classification

Organizations generate huge volumes of data. This comes as no surprise, but what might be surprising is the accelerating volume at which the data is being created. As an InfoSec professional responsible for protecting digital data, you’re going to need a new approach to stay ahead of the data deluge.

Classification enables you to:
• Avoid taking a "one size fits all" approach (inefficient!)
• Avoid arbitrarily choosing what data to expend resources protecting (risky!)

IDC estimates that the digital universe is growing at ~40% year over year. (source: A Day in Data. IDC/Raconteur)


Why Gartner Thinks Data Classification Is Foundational

"To implement an effective data classification program, security and risk management leaders tasked with data security must establish a data classification program by shifting focus from user awareness and training toward automation and the enrichment tools that generate metadata."

"Data classification is vital as it is useful in supporting controls for data security and governance such as data loss prevention (DLP), data access governance and enterprise digital rights management (EDRM)."

(source: How to Succeed With Data Classification Using Modern Approaches, Published 25 March 2022, Ravisha Chugh, Bart Willemsen, Nader Henein)


Why Forrester Thinks Data Classification Is Foundational

Start From Data Classification
“Security & Risk (S&R) professionals must start from data classification to build their data protection strategy.”

Understanding And Knowing Your Data Is The Foundation
“For many S&R pros, data security initiatives quickly zoom in on controlling access to data or encrypting data. But many overlook that understanding and knowing your data is the foundation for both data security and privacy...”

If You Don't Know What You Have, You Can't Protect It
“If you don’t know what you have [data], where it is, and why you have it, you can’t expect to apply the appropriate policies and controls to protect it.”

(source: Rethinking Data Discovery and Data Classification Strategies, Forrester Research Inc., July 10, 2018, Heidi Shey)


Part Four
The Resurgence Of Data Classification


Classification Helps Protect Against All Threats

The value of classification was once limited to protection from insider threats. With the growth in outsider threats, classification takes on a new importance. It provides the guidance for information security professionals to allocate resources towards defending the crown jewels against all threats.

Internal actors cause both malicious and unintentional data loss.


With a classification program in place, the mistyped email address in
a message with sensitive data is flagged. Files that are intentionally
being leaked are classified as sensitive and get the attention of
security solutions, such as Data Loss Prevention (DLP).

External actors often seek data that can be monetized.


Understanding which data within your organization has the greatest
value, and the greatest risk for theft, is where classification delivers
value. By understanding the greater potential impact of an attack
on sensitive data, advanced threat detection tools escalate alarms
accordingly to allow more immediate response.


Big Data Is Driving Big Classification Needs

Somewhere In Your Data Deluge Is:
• A CAD drawing of the next generation iPhone
• Personal pictures
• M&A plans
• An archived press release announcing your previous acquisition
• A quarterly earnings report in advance of reporting date

[Chart: All global data in zettabytes, 2005 to 2020, on a 0 to 40 ZB axis (1 ZB = 1,126,000,000,000,000,000,000 bytes). The items above (CAD, personal pictures, M&A, archived press release, earnings report) are placed on the chart with the legend Restricted / Internal / Public.]


Adoption Momentum

"72% of security decision makers surveyed said that they are implementing, have implemented, or are expanding/upgrading implementation of data classification."

Just having a classification solution isn't always enough, read on to learn how to align
classification to your business needs.

(source: Forrester Analytics Business Technographics Security Survey, 2021)


Part Five
How Do You Want To Classify Your Data?


One Size Does Not Fit All

Choose Classification Methods Based On The Data Types Most Important To Your Business

Combine privacy regulation adherence efforts with the security classification initiatives. As information can be categorized by nature or by type. Regardless, records should also be classified by risk categories as to indicate the need for confidentiality, integrity and availability.

(source: Hype Cycle for Data Management, 2021, Published 27 July 2021, By Philip Russom, Donald Feinberg)


Data Classification Methods

Content-based classification inspects and interprets files looking for sensitive information. Methods include fingerprinting and regular expression.
Content-based answers “What is in the document?”

Context-based classification looks at application, location, or creator among other variables as indicators of sensitive information.
Context-based answers “How is the data being used?” “Who is accessing it?” “Where are they moving it?” “When are they accessing it?”

User-driven classification relies on manual, end-user selection.
User-driven relies on user knowledge and discretion at creation, edit, or review to identify sensitive documents.


Which Classification Method?


The decision around which classification method to use is usually a question of which to start with as opposed to picking just one. Each provides insight;
combining them provides greater security. Including context and content with a user-driven approach delivers the backstop needed to mitigate the
impact of misclassified data (either unintentionally or maliciously).

COMPLIANCE
Compliance data is often structured and/or residing in predictable locations. Leading with a content-based classification will provide the greatest ability to accurately classify PII, PHI, PCI, and GDPR data.

IP PROTECTION
Intellectual property seldom follows a pattern like a credit card number. To address this, context classification looks to other attributes to assign classification. The application used or the storage location are two ways IP can be classified to support data protection.

MIXED ENVIRONMENT
Where a mix of regulated data and intellectual property drive enterprise growth, organizations looking to better understand and protect their data look to a blended approach.

USERS
Data owners should know their data best. A user-based classification approach allows them to apply this knowledge to improve classification accuracy.


Collaborate And Combine For Success

Gartner Recommendations

• To identify, tag and store all of an organization’s data, SRM leaders and chief data officers (CDOs) should collaboratively architect and use classification capabilities.
• Implement data classification as part of a data governance program.
• Use a combination of user-driven and automated data classification.

(source: Gartner Hype Cycle for Cyber and IT Risk Management, 19 July 2021)


Part Six
Selling Data Classification
To The Business


Data Classification Team


Data classification decisions can impact all employees. Who are the players within your organization you need to talk to and what do you communicate to them?

CIO & CISO
The ultimate technical responsibility for data protection falls upon one, or both, of these roles. Where the CIO is running the IT operations, the CISO is securing the IT operations. For them to be effective they both need to understand the sensitive data landscape.
• CIO: Classification guides and simplifies IT infrastructure investment decisions by cataloging volume, location, and type of sensitive data.
• CISO: Classification highlights where to allocate the security resources and can spot security gaps before they become breaches.

BUSINESS UNIT LEADERS
The P&L leaders who watch the top (and bottom) line numbers of the business units. This role has a more immediate reason to support data classification – loss of data in their business unit could result in revenue impact, fines, or both. Classification drives visibility and protection of both customer data (PII) and the product development data (IP) that fuels growth.

DATA CREATORS
The feet on the street; the knowledge workers that are often writing the code, creating the CAD documents, or drafting the M&A proposals. They are closest to the data and are instrumental to any protection program; it must serve its protective purpose without impeding business. Including the users in a classification program heightens awareness of the need to protect data and the negative repercussions if that data leaks.

LEGAL/COMPLIANCE
Legal is there when things go wrong and data leaks. Often the backstop in a data protection program, legal needs to understand the scope of the sensitive data (exposure) and the protection in place (mitigating factors) to ensure the organization is properly managing the risk. Risk is unavoidable in business, but which risks to accept needs to be a calculated and conscious decision.


Classification "Quick Wins"


TIP
Get users involved early. Any change that requires workflow
modifications can be a source of friction. If your data classification
project involves user-driven classification (and not all do, some
rely wholly on automated data classification techniques), getting
the users on board ahead of the project means that when roll-out
happens they are educated, enabled, and understand the needs,
along with the benefits, in *their* terms.


Positioning Data Classification

Data Champions
The data champions are those who have the most invested in the data. The goal here is to ensure they understand:
• What they are creating has value
• The value is worth protecting from both internal and external threats
• They are an important piece of the protection

Executives
To a data intensive organization (something that most are becoming whether they realize it or not) protecting their data is paramount to sustainable competitive advantage. They need to understand:
• Classification can drive revenue growth by enabling secure partnerships and growth initiatives
• Classification can reduce spend by limiting the scope of data needing protection and increasing the efficiency of existing investments
• Classification can reduce risk by highlighting where sensitive data is and where it is going


Overcoming Objections

“We’ve gotten along just fine without it.” This passive message is akin to saying “I’ve never needed insurance in the past,” and reflects a misunderstanding of the importance of classification or a misperception that it is only for more mature organizations. While organizations can protect their data without classification, it comes at the expense of efficiency.

• With classification, data loss prevention and advanced threat protection have the insight to understand the difference between regulated, internal only, and public data. This insight intelligently elevates data risks based on the impact of a breach.

• Without classification, data protection solutions, including data loss prevention and advanced threat protection, will be prone to higher false positives and false negatives, and alerts will be of lower fidelity.

Building your data protection strategy on classification is the foundation needed for success.


More Justification
For Classification
"Data classification enables an effective and efficient prioritization
for data governance programs that span value, security, access,
usage, privacy, storage, ethics, quality and retention.”

“It is vital to security, privacy and data governance programs. It also allows organizations to have the required knowledge about the sensitivity of the data they process."

(source: Gartner Hype Cycle for Cyber and IT Risk Management, 19 July 2021)


Part Seven
Getting Successful With
Data Classification


Data Protection Framework

Many organizations need help getting started. Forrester created a framework to guide you on this journey. Their “Data Security & Control Framework” (figure below) breaks the problem of controlling and securing data into three steps: Define, Dissect, Defend. With these steps completed your organization better understands your data and can then allocate resources to more efficiently protect critical assets. At the top of their framework: Discovery and Classification.

DEFINE: This involves data discovery and data classification.

DISSECT: This involves data intelligence (extracting information about the data from the data, and using that information to protect the data) and data analytics (analyzing data in near real-time to proactively protect toxic data).

DEFEND: To defend your data, there are only four levers you can pull — controlling access, inspecting data usage patterns for abuse, disposing of data when the organization no longer needs it or “killing” data via encryption to devalue it in the event that it is stolen.

[Figure: Forrester’s Data Security & Control Framework. DEFINE: data discovery. DISSECT: data intelligence, data analytics. DEFEND: Access, Inspect, Dispose, Kill.]

(source: A Strategic Guide For Controlling And Securing Your Data, Forrester’s Data Security Control Framework by Heidi Shey, January 19, 2021)


Data Classification Process

You’ve bought in on a data classification program, what are the key elements to drive success?

1. EXEC BUY-IN: Communicate to the leadership team how classification can support increased revenue, reduced expense, and reduced risk.

2. POLICY: Document the goals, objectives, and strategic intent behind the classification projects.

3. SCOPE: Create guardrails around your program; clearly define what is in and out of scope.

4. DISCOVERY: Find sensitive data - wherever it resides - including endpoint, database, and cloud.

5. SOLUTIONS: Put in place technical and procedural controls to enforce policies.

[Figure: the five steps form a cycle, with ANALYZE and OPTIMIZE at its center.]


Your Classification Guideline

To be effective, your classification program needs a well defined policy. This includes the right number of categories and clear mapping of your data to those categories. PricewaterhouseCoopers, Forrester, and AWS, among many security analysts and consultants, recommend you start with just three categories: Public, Private, and Restricted. While simple classification might be where you start, it's highly likely it won't be where you end up. From ever-increasing global data protection regulations, to adaptations for different end-user communities, it is important to implement a solution that will allow for this future flexibility.

Below is an example policy matrix illustrating the document types, risks, and protective controls. (A blank template follows.)

Public
Definition: Documents are acceptable for public use without restrictions.
Example Document: Product datasheet, job postings.
Repercussions If Leaked: None.
Controls In Place: N/A.

Private
Definition: Documents are not to be distributed externally unless under specific conditions.
Example Document: Strategic planning document, product roadmaps, CAD drawings.
Repercussions If Leaked: Loss of competitive advantage, loss of brand equity, reputational damage.
Controls In Place: Education and awareness training, file encryption, data loss prevention, advanced threat protection, reporting and auditing.

Restricted
Definition: Documents are subject to compliance restrictions (PCI, HIPAA) and are not to be distributed externally unless under specific conditions.
Example Document: Customer database, payment card information, health record information.
Repercussions If Leaked: Fines, customer churn, reputational damage.
Controls In Place: Education and awareness training, automated encryption, data loss prevention, advanced threat protection, reporting and auditing.


Your Classification Template

Columns: Public / Private / Restricted
Definition:
Example Document:
Repercussions If Leaked:
Controls In Place:


Data Classification Guidance - Start Off Simple!

Resist the Urge to Expand the Classification Schema Without Good Reasons

“There is no standard classification schema as datasets and appetites for risk vary greatly across organizations. Many successful deployments of data classification programs by organizations focused on regulatory compliance or intellectual property use a variation of the simple three-classification approach to grouping data according to risk.”

(source: Gartner, How to Overcome Pitfalls in Data Classification Initiatives, 21 April 2020)


Part Eight
Fortra Data Classification & Protection


Fortra Data Protection

To protect your expanding and valuable pool of data from insider and outsider threats, organizations need a data-centric plan. Below is a four-step framework to take control of, and protect, your knowledge assets and keep them protected without impacting the speed of business.

1. Data Discovery – You need to know exactly where your sensitive data is to protect it. This includes on laptops, desktops, and servers, but also in the cloud.

2. Data Classification – Structure and organization for your data enables your data security program and delivers more accurate protection.

3. Policies – Now that you know the Where and the What, it is time to define How you are going to protect it.

4. Education & Enforcement – Provide real-time alerts for potentially risky behavior allowing users to self-correct. If needed, implement data protection policies and ensure they are followed.


Fortra Data Classification


Fortra data classification solutions enable classification via context, content, and user-based methods to cover the spectrum from fully automated to fully manual
classification.

Our data classification solutions, Titus and Boldon James, integrate into our full data protection suite offering, including DLP from Digital Guardian and DRM from
Vera. This integration, and the built-in automation, delivers a more accurate data protection program to limit false positives and false negatives.

By combining data discovery, data classification, policies, and enforcement, Fortra data classification solutions provide the comprehensive data protection
needed to stop data theft.

EXAMPLE METHODS

CONTENT
A database is scanned, and PCI regulated data is discovered and analyzed. Any outbound message is compared with this database fingerprint for a match. If found, the message can be encrypted, quarantined, blocked, or logged.

USER
A new project requires creation of multiple CAD files. At “save,” the data owner self-selects these to be classified as “sensitive” intellectual property. When an outbound communication contains these documents the message can be encrypted, quarantined, blocked, or logged.

CONTEXT
Detailed seismic studies of a newly-relevant region for petroleum exploration are stored on a designated server and created using a specialized application. Context based classification sees file location and application used; any message meeting specific file and application criteria can be automatically encrypted, quarantined, blocked, or logged.
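The content (regular expression and database fingerprint), context (storage location and application) and user-driven methods described under Data Classification Methods and in the example methods above can be combined so that the most restrictive label wins and selects the DLP response. The Python below is an added example, not Fortra's code or the page's own: the Public/Private/Restricted scheme is the page's, while the label-to-action mapping, the path prefixes, the application names and the sample records are assumptions, and the Luhn checksum is added here so the card-number regex yields fewer false positives.

```python
import hashlib
import re
from dataclasses import dataclass

# Three-level scheme the guide recommends starting with; list order is
# sensitivity order, so the most restrictive label wins when methods disagree.
LEVELS = ["Public", "Private", "Restricted"]
# Assumed DLP response per level (the guide names encrypt, quarantine, block, log).
ACTIONS = {"Public": "log", "Private": "encrypt", "Restricted": "block"}
# Content method 1: 13 to 16 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit strings are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return plausible payment card numbers (digits only) found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

# Content method 2: a simplified database fingerprint. Known sensitive values are
# normalized and hashed once; message tokens are hashed the same way and looked up.
def _norm(value: str) -> str:
    return re.sub(r"\W", "", value).lower()

def fingerprint_records(records: list[str]) -> set[str]:
    return {hashlib.sha256(_norm(r).encode()).hexdigest() for r in records}

def matches_fingerprint(text: str, prints: set[str]) -> bool:
    tokens = text.split()
    # Also try adjacent token pairs so values containing one space still match.
    candidates = tokens + [" ".join(p) for p in zip(tokens, tokens[1:])]
    return any(hashlib.sha256(_norm(c).encode()).hexdigest() in prints
               for c in candidates)

# Context method: (storage path prefix, creating application, label), modelled
# on the seismic-study example above; paths and application names are assumed.
CONTEXT_RULES = [
    ("/srv/seismic/", "GeoModeler", "Private"),
    ("/srv/finance/pci/", "LedgerApp", "Restricted"),
]

def classify_by_context(path: str, app: str) -> str:
    for prefix, rule_app, label in CONTEXT_RULES:
        if path.startswith(prefix) and app == rule_app:
            return label
    return "Public"

@dataclass
class Verdict:
    label: str
    reasons: list[str]  # methods that produced the winning label
    action: str

def classify(text: str, path: str, app: str, user_label: str,
             prints: set[str]) -> Verdict:
    """Combine content, context and user-driven votes; highest label wins."""
    votes = {"context": classify_by_context(path, app)}
    if find_card_numbers(text):
        votes["content:pci-regex"] = "Restricted"
    if matches_fingerprint(text, prints):
        votes["content:fingerprint"] = "Restricted"
    if user_label in LEVELS:  # the owner's label counts but cannot lower the result
        votes["user"] = user_label
    label = max(votes.values(), key=LEVELS.index)
    reasons = sorted(m for m, lvl in votes.items() if lvl == label)
    return Verdict(label, reasons, ACTIONS[label])

if __name__ == "__main__":
    # Constructed sample records and messages for the demonstration.
    prints = fingerprint_records(["jane.doe@example.com", "ACCT-7781-2290"])
    samples = [
        ("Card on file: 4111 1111 1111 1111", "/home/u/draft.txt", "Mail", "Public"),
        ("Survey grid v3 ready for review", "/srv/seismic/grid3.dat", "GeoModeler", "Public"),
        ("Balance query for jane.doe@example.com", "/home/u/note.txt", "Mail", "Private"),
    ]
    for text, path, app, user in samples:
        v = classify(text, path, app, user, prints)
        print(f"{path}: {v.label} via {', '.join(v.reasons)} -> {v.action}")
```

The second sample shows the backstop the page describes: the owner saved the file as Public, but its location and application raise it to Private before it leaves.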


Automation Continuum

Automation drives repeatability and predictability; it also speeds implementation time. But it needs to be augmented with the knowledge of the data owners. Fortra delivers classification options that cover the spectrum from fully automated to fully user-driven to match your organization's needs.

• Automated context and content classification gets your program operational quickly and provides consistent results for more accurate data security and to demonstrate compliance.
• User-driven classification incorporates the intimate knowledge and bigger-picture view data owners possess, delivering the accuracy and compliance automation and AI cannot (yet).
• A blend of user-driven and automated provides the insights needed to scale securely and protect all your sensitive data.

Fully automated: Most DLP solutions require you to spend time identifying and classifying your sensitive data before protection starts. Upon installation, Fortra’s data classification proactively finds, classifies, and tags files.

Partially automated (context): Classify and tag based on predefined context, such as file properties, file location, or application used.

Partially automated (content): Classify and tag based on predefined content. A content inspection engine identifies patterns in files or databases, then applies classification tags to them.

Fully user-driven: User-driven classification relies on the data owner to apply the tag to the document at creation, or after modification.


Leading Data Protection From Fortra

Organizations rely on sensitive data to serve their customers or patients, fuel innovation, and grow. Security leaders need a way to find and understand that data, then protect it from loss or theft while within their extended enterprise, and securely share it outside of their extended enterprise. Fortra's leading data protection offering combines data classification from Boldon James and Titus, with data loss prevention from Digital Guardian, and digital rights management from Vera to deliver data protection throughout the entire data lifecycle.
• Data Discovery
• Data Classification
• Data Loss Prevention
• Managed Detection & Response
• Digital Rights Management
• Analytics
• Reporting
• System Management

Boldon James – Data Classification
Titus – Data Classification
Digital Defence – Vulnerability Management and Penetration Testing Services
Vera – Digital Rights Management


The Definitive Guide To Data Classification
2022 EDITION
QUESTIONS?
U.S. 800.328.1000
Outside U.S. +44(0)870 120 3148
[email protected]
www.Fortra.com
©2022 Fortra. All rights reserved.

About Fortra
Fortra is a cybersecurity company like no other. We're creating a simpler, stronger future for our customers.
Our trusted experts and portfolio of integrated, scalable solutions bring balance and control to organizations
around the world. We’re the positive changemakers and your relentless ally to provide peace of mind
through every step of your cybersecurity journey. Learn more at fortra.com.

© Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners. fta-corp-gd-1022-r1-79d
