End User Driven Security
How Classification Labels Enable End-User Security Awareness
As much as we’d like it to, technology simply can’t protect our data 100 percent of the time. When it’s in databases, or travelling over a network, data can be encrypted, or can be protected with strict access controls. However, at some point in time, most of our business processes involve documents such as reports, spreadsheets, presentations and emails. Whenever we put information into these kinds of portable formats, it becomes harder to protect with technology. Applying classification labels to documents when they are created enables a level of security awareness among users. This extends our security policies into the realm of human information exchanges (as opposed to electronic exchanges between systems).
While the big picture view of security awareness and data classification may not be obvious, it’s worthwhile looking at the parallels between automated and manual information exchanges to appreciate the critical elements on the human side.
Enforcing access control policies in electronic and manual business processes
Whether we are dealing with automated processes or manual paper trails, our security policies form the foundation of our information protection framework. When new systems are deployed, they must be configured to meet, as closely as possible, the spirit of the organization’s security policies. Similarly, the procedures used by employees to manage their daily workflows should also align with the approved security policies.
For electronic systems to enforce access control policies, information must either be highly organized, so that software components can identify its sensitivity through context or location (as in a database, or in special folder structures), or it must be tagged with attributes (such as metadata) that tell software how it should be handled from a security point of view.
When documents or messages are created and distributed to humans, what is it that tells us how we should be handling them and who should be able to access them?
Just as in the automated processes, we can apply rules in a contextual way, depending on where the documents or messages are located. But this is not easy to do, nor is it reliable, since people might forget the rules. Moreover, it is very easy to copy or move self-contained documents, whether electronically (as in email or drag-and-drop actions) or manually (as in printed documents carried from office to office). This might happen accidentally or intentionally.
Since data such as documents and email messages are so portable, the only way we can be sure that people know the rules for properly securing them is through labels and markings embedded within the visible text of the document. Without clear security labels, humans cannot be expected to treat documents consistently or reliably with respect to security policies.
From document creation through handling by employees, data classification is closely tied to security awareness
Of course, having a data classification convention within the organization doesn’t guarantee that people will use it properly. Without some mechanism to follow up and provide feedback to employees when they misuse or ignore the conventions, the risk of data loss is not likely to be reduced. This is especially true if Content Owners are not held accountable for applying proper data classifications to the documents they create, and if Knowledge Workers are not held accountable for handling documents according to their labels and markings.
Content Owners who create documents must always be thinking of the security policies that apply to their data. They also need to consider how the Knowledge Workers who will handle those documents throughout their lifecycle should enforce those policies. Providing guidance on distribution, for example, can help employees in understanding the allowed movements of a document.
When employees are trained and required to recognize and respect document labels and markings, they inherently become more aware of security. They must also be made aware of the consequences of violating security policies. This can help maintain a level of attentiveness around how other employees handle information, resulting in a lower risk of data loss.
In the end, a practical strategy for maintaining the integrity of the human document handling process can be one of: (a) informing employees as soon as possible when they are not handling information securely, (b) determining what they can do to improve security (without making security a barrier to productivity) and (c) educating them on how using safeguards properly helps with Data Loss Prevention across the organization.
How TITUS Classification solutions can guide users to enforce policies on the human side
TITUS Classification solutions are specially designed to guide Content Owners and Knowledge Workers within the context of their workflows.
Content Owners are guided through the process of selecting and applying data classification labels to the documents and messages they create. Dialogs with predefined selection options force the Content Owner to consider the relevant policies when they save the document. This ensures that metadata is applied consistently and reliably to all types of MS Office data. It can also provide immediate feedback if Content Owners attempt to classify documents in ways that violate the security policies.
As Content Owners are consistently guided through the process of selecting classification options, they begin to build a mental map of the organization’s security landscape, making them more aware of which types of documents are most sensitive and what the handling implications are for different data classifications.
Subsequently, the resulting document labels and markings guide Knowledge Workers by clearly specifying the sensitivity of the information, and how they are expected to protect it. The format of the markings can be tailored to match the organization’s standards, and can reflect complex criteria for classification, as well as label visibility and format. Once again, feedback can be provided to Knowledge Workers who attempt to transfer documents in ways that are not allowed by the security policies.
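To make the two mechanisms described above concrete (a classification label stored as document metadata, and feedback to a Knowledge Worker whose intended distribution violates the label's policy), here is an added example, not TITUS code and not its metadata schema. It reads a label from a constructed MS Office docProps/custom.xml fragment (the property name "Classification" and the policy table are assumptions) and checks an email's recipients against the handling rules for that label.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Standard OOXML namespaces used by docProps/custom.xml inside a .docx/.xlsx/.pptx.
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}

# Constructed sample of a custom.xml fragment carrying a classification label as a
# custom document property (hypothetical property name; not TITUS's own format).
SAMPLE_CUSTOM_XML = """<Properties xmlns="%s" xmlns:vt="%s">
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Classification">
    <vt:lpwstr>Confidential</vt:lpwstr>
  </property>
</Properties>""" % (NS["cp"], NS["vt"])

# Constructed handling policy: which recipient domains each label may be sent to.
# "*" means any domain; an empty set means the document must never leave by email.
POLICY = {
    "Public": {"*"},
    "Internal": {"example.com"},
    "Confidential": {"example.com", "partner.example.net"},
    "Restricted": set(),
}


def read_classification(custom_xml: str, prop_name: str = "Classification") -> Optional[str]:
    """Return the label stored in the named custom property, or None if unlabelled."""
    root = ET.fromstring(custom_xml)
    for prop in root.findall("cp:property", NS):
        if prop.get("name") == prop_name:
            value = prop.find("vt:lpwstr", NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def check_distribution(label: Optional[str], recipients: List[str]) -> Tuple[bool, str]:
    """Return (allowed, feedback). An unlabelled or unknown label is treated as most restrictive."""
    allowed = POLICY.get(label, set()) if label else set()
    if "*" in allowed:
        return True, "OK"
    blocked = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in allowed]
    if blocked:
        shown = label or "UNLABELLED"
        return False, f"'{shown}' documents may not be sent to: {', '.join(blocked)}"
    return True, "OK"
```

The feedback string is what a mail client plug-in would show the Knowledge Worker before the send is blocked, which is the "immediate feedback" the text describes.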
With TITUS Classification solutions, human information exchanges can be protected more completely through persistent, document-specific guidance that communicates the applicable security policies, explicitly and at all times. Employees can also be educated on how to handle documents securely. The resulting workflows will then reflect the spirit of the security policies.
Does your organization use data classification as a way to improve security awareness? If so, let us know which approaches you’ve seen that can help others who are struggling with similar issues.
If you’d like more information on how the TITUS products can help implement document classification and labelling to improve Security Awareness and Data Loss Prevention (DLP), please use the contact details on our Contact Us page to let us know.