Note: this article is Part 1 of 3. Part 2 is available here, and Part 3 is available here.
One of the most challenging aspects of Knowledge Management (KM) is knowing what to share, how to share it, and with whom. When organizations are fairly mature in terms of their experience and comfort with knowledge management, such issues become second nature. Yet particularly for organizations just starting out on the KM journey, it can be challenging to shift from a primarily “closed” environment to one where internal knowledge sharing is the norm.
In order to help staff members understand what they can share, how to share it, and with whom, it is useful to establish and rely on an organization-wide data classification policy — which is a central component of a good information security strategy. Data classification policies define:
- The roles and responsibilities for data owners
- The broad categories or classifications of data that is created, collected, or maintained by the organization
- Guidelines for protecting each classification of data
For these policies to be effective, they must be approved and endorsed by a senior management team and reviewed and revised on a regular basis. In addition, it is imperative that staff follow the rules set forth by such policies.
Even though we refer to these policies as “Data Classification,” such policies cover data, information, and knowledge. Data is the number of chocolate chips in the bag. Information is the cookie recipe printed on the back. Knowledge is what your grandmother uses to make the best cookies that you’ve ever tasted. While data, information, and knowledge are quite different, it is best to treat them the same when developing your data classification policy. Applying different policies, procedures, and technical controls to each will cause confusion and make the process of classification much more difficult. To this end, we suggest starting by classifying the data elements themselves, and then applying those principles to the information and knowledge assets in your organization. (Read more about the differences between data, information, and knowledge.)
The specifics of data classification policies are dramatically different from one organization to the next. They should be tied to each organization’s sector, industry, mission, structure, and culture. While the details of each policy may be unique, the basic elements of successful policies are consistent.
Roles and Responsibilities for Managing Organizational Data
First, policies typically define the roles and responsibilities associated with managing organizational data. Large organizations sometimes break down this work into three separate roles: data owners, data stewards, and data guardians.
Data owners are usually members of senior management who are ultimately responsible for the data and information being collected, curated, and maintained by their divisions — for instance, an HR Director. One of the key aspects of this role is classifying data, which we will cover in Part 2 of this series.
Data stewards (sometimes referred to as data curators) are usually senior members of departments; they are the staff members tasked with ensuring that the data meets the needs of the organization and with monitoring the use and integrity of a particular family of data.
Data guardians are technical in nature and are usually housed in IT or, in larger organizations, in an Information Security Office (ISO). Data guardians are responsible for maintaining and backing up the systems, databases, and servers storing organizational data. In addition, this role is responsible for the technical deployment of all of the rules set forth by data owners and for ensuring that the rules applied within systems are working.
In Part 2, we’ll take a closer look at the types of classifications that can be applied to institutional data.