Do you know where your data
Where are the boundaries of what you used to call your “network?”
Though not the first priority in developing a sound IT Governance Program, you will eventually need to get around to making an inventory of your data. This process, if done correctly, usually starts with a redefinition of your Data Classification Policy, which we store in our Access Management Program.
This can, of course, be very complicated. But it does not have to be. A data classification matrix can be as simple as a list of data owners, the data they own, where the data resides, who has access to the data, and of course the Data Classification.
Having established where your data resides, we suggest you then start inventorying the “layers of security” protecting your critical data. Consider authentication, data labeling, anti-malware (both AVS and IDS), encryption, etc.
Incident response should then be based upon the TYPE of data at risk during an “incident.” The classification of an incident should refer to the classification of the data involved in the incident.
In other words, if somebody walks off with all the calendars in your lobby . . . . okay. Calendars are classified as public!