One of the most challenging aspects of knowledge management (KM) is knowing what to share, how to share it, and with whom. For organizations mature in their KM practices, these issues become second nature. However, for those just starting out, it can be difficult to shift from a “closed” environment to one that encourages internal knowledge sharing.
To address this, it is useful to establish and rely on an organization-wide data classification policy—a central component of a robust information security strategy. Data classification policies define:
- The roles and responsibilities for data owners
- The broad categories or classifications of data that are created, collected, or maintained by the organization
- Guidelines for protecting each classification of data
For these policies to be effective, they must be approved and endorsed by senior management and reviewed regularly. It is essential that staff members follow the rules set forth by such policies.
Even though these are referred to as “data classification” policies, they cover data, information, and knowledge. Data is the number of chocolate chips in the bag. Information is the cookie recipe printed on the back. Knowledge is what your grandmother uses to make the best cookies you’ve ever tasted. While data, information, and knowledge are quite different, it is best to treat them the same when developing your data classification policy. Applying different policies, procedures, and technical controls to each will cause confusion and complicate the classification process. It is best to classify data elements first and then apply those principles to the information and knowledge assets in your organization.
The specifics of data classification policies differ from organization to organization. They should be tied to each organization’s sector, industry, mission, structure, and culture. While the details vary, the basic elements of successful policies are consistent.
Roles and Responsibilities for Managing Organizational Data
Policies typically define the roles and responsibilities associated with managing organizational data. Large organizations sometimes delineate these roles as data owners, data stewards, and data guardians.
- Data owners: Generally senior management members, such as an HR Director, who are ultimately responsible for the data and information collected, curated, and maintained by their division. A key aspect of this role is classifying data.
- Data stewards (sometimes called data curators): Usually senior members of departments responsible for ensuring that data meets the organization’s needs, and for monitoring the use and integrity of a particular family of data.
- Data guardians: Technical roles, usually in IT or Information Security, responsible for maintaining and backing up the systems, databases, and servers that store organizational data. They also handle the technical implementation of rules set by data owners and ensure that these rules are enforced within systems.
In Part Two, we’ll take a closer look at the types of classifications that can be applied to institutional data.