The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
Put Classified Data to Work in the Enterprise

Without data classification, the mail servers and the development servers are the same. They will be subject to the same processes, including change control, security, disaster recovery, business continuity and service-level management. This is because without a data classification, the professionals who support the environment won't be able to differentiate between applications. The result is that both servers run the risk of being over- or undermanaged.

Data classification can also be leveraged to limit the amount of documentation required to support an application. For instance, a change control policy can state that noncritical data require only limited oversight and do not require prior scheduling before a change is executed. This distinction would drastically reduce the number of change control items that would be presented to a change control board for approval and scheduling. Another policy can state that noncritical systems are not part of a business continuity strategy due to their limited impact on the enterprise. Finally, it is possible to create an incident management policy that excludes noncritical systems from a severity-one classification for support. This would ensure that extraordinary support efforts are reserved for the applications that require a severity-one response.

Server architecture configurations can be positively impacted by data classification as well. When a technologist knows the location of critical data and defines how the data will be managed, he or she can isolate all of the systems that house critical data to a single rack or, in the world of virtualization, a single host. Subsequently, greater security controls can be implemented in the critical environment, impacting only servers and users that require additional security controls.

Finally, as technology trends continue to go green, the most environmentally responsible course of action is recycling unwanted equipment.
If there is a risk of confidential or private data disclosure, the technology team might decide that the best course of action is to shred the drives that house confidential or private data to ensure that the information is destroyed. The rest of the drives can be sold and recycled, as the risk of a breach is very small. The only way this strategy can be implemented is if the technology staff knows the difference between critical data drives and everything else. Standards like ISO require independent review. In this case, the technology team must default to the most restrictive control; therefore, all of the drives must be managed as if they have confidential or private data on them.

When data are classified, the distinctions can lead to better processes and more secure management of the enterprise.

Even Proof is in the

Peer to Peer

The Process

To really understand what process evidence is all about, let's follow a sample log review control to its logical conclusion. In this scenario, each server has five logs — three related to the OS and two related to the application that resides on the server. Those five logs are reviewed every day, resulting in 1,825 individual pieces of evidence annually that prove the logs are reviewed.

Now, add the number of servers to the equation. In a small firm, that could mean 20 servers, resulting in 36,500 pieces of evidence produced annually as proof that the logs are reviewed. But what if it is a large firm and there are 1,250 servers? The evidence requirements balloon to over two million pieces of evidence created every year to prove this control's existence.

To complicate the matter, the control states that this particular review happens daily. That means that a large firm would only have 24 hours to cycle through the 1,250 servers. This control would require the resources of 45 full-time employees to review logs and nothing else. Now, let's leverage our newly