In Depth

A Botanist's Guide to Data: Alternative View of Information Security

Acknowledging that information lives, grows and dies can help a company focus its security and business continuity efforts in the right places. Because data, as you know, has a life all of its own.

By Sarah D. Scalet

October 01, 2006 | CSO

SEED

Someone gets an idea; something happens.

GERMINATION

Data starts to grow. It can sprout either in a structured place, such as an ERP system—the orderly English gardens of the information ecosystem—or in the wily and unstructured jungles of e-mail, instant messaging, word processing and spreadsheet software.

STEMS AND ROOTS

Information takes on its defining characteristics. Consider three main criteria for identifying its genus and species:

1. Criticality

How important is the information? Is it a small edging plant, or an oak tree that keeps down air-conditioning expenses and houses birds? Would losing it affect anyone's health and safety, the environment, the company's finances or corporate reputation? All the information on your corporate systems can be ranked. (Well, there might be a few weeds.)

- Low

- Moderate

- Significant

- Mission-critical

2. Sensitivity

How carefully must the information be tended? Can it grow anywhere, or is it fussy about moisture or prone to infestation? Governments often have official and elaborate hierarchies for classifying information, but corporations may break things down more simply. For example:

Public information—Information that's meant to be readily available, such as press releases or recommendations on how to purchase goods and services.

Business information—This might include daily transactions, training materials, policy manuals and telephone directories—anything that isn't meant for the public but that doesn't need special protection, either.

Confidential information—The bulk of information that needs to be protected, such as large financial transactions, regulatory actions, employee evaluations, unpublished market research or internal audit reports.

Classified information—Reserved for the most sensitive information, which requires more time-consuming and expensive protection. It might include personnel information (with salaries), corporate-level strategic plans, passwords, trade secrets, and information about mergers and acquisitions.

3. Regulatory implications

Think of this as the zoning ordinances. What can you grow in the front yard, and where can you plant trees? Are there laws and regulations that add to the information's import? Consider local, state and federal requirements that will affect how you care for and prune the data and whether you hand out cuttings to the neighbors.

FLOWERS AND SEEDS

Now your data enters its useful stage of life. It might seed new business plans, attract customers or produce revenue. The classification helps determine your gardening style. Perhaps classified information should always be encrypted, and mission-critical information is constantly backed up.

Remember, as the information grows, it continues to change shape. For instance, the details of a company's annual report may be confidential or even classified at first, but once it's released to shareholders, it's public information.

MATURITY

The growing phase ends, but the plant remains. Once it no longer serves a business purpose, consider retention requirements. The most important records may need to become part of the fossil record. Most, however, will have a period of decline—document retention—measured in years.
