Filed Under (PCI DSS) by Michael Dahn on May-7-2008
I’m going to step out on a limb here and contradict what others have been saying about data classification. Data classification is not dead!
PCI DSS Requirement 9.7.1 says, “Classify the media so it can be identified as confidential.” This is in reference to the distribution of electronic media (e.g., backup tapes). The previous wording was to “Label media…”, but we knew what that meant and didn’t all go out buying label guns to stock alongside the duct tape we already had.
Data classification + change control = a great way to get a handle on global/enterprise data access and contain the spread of cardholder data. I think this is congruent with what Rich Mogull says on his Securosis blog. You do not need to meta-tag every data element, but there should be some process to classify your data.
More importantly, you need a way to alert others who access that sensitive data that they need to (1) contact the regulatory compliance person for their group, or (2) take the necessary action to bring the way they store it in line with corporate and regulatory requirements. Setting up an initial classification system is only good until the next change control event, when someone you never thought would access your cardholder data now can. It was Michael Cook of Wal-Mart who said, “our perspective is, we are always one change control event away from being non-compliant.” This applies in many different contexts. Having a solid change control program that is tied into your data classification system is critical.
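To make the classification-plus-change-control idea concrete, here is an added toy example in Python. It is not code from this post, from PCI DSS, or from any vendor tool; the asset names, group names, contact address, classification labels and change-request fields are all invented. It models a small classification registry in which copies of an asset inherit its classification (so extracts of cardholder data stay in scope), and a change-control gate that lets a new reader of confidential data through only while recording the two actions the post calls for, then reports every group that reads confidential data without having attested.

```python
"""Toy data-classification registry wired into change control.

Added illustration for this post, not its author's or any product's code.
Every name, label and contact below is hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical classification labels; CONFIDENTIAL is where cardholder data lives.
CONFIDENTIAL = "confidential"
INTERNAL = "internal"
PUBLIC = "public"


@dataclass
class Asset:
    name: str
    classification: str
    compliance_contact: str            # who a new reader must contact (action 1)
    # group -> True once the group has attested that its storage meets policy (action 2)
    readers: dict = field(default_factory=dict)


@dataclass
class ChangeRequest:
    change_id: str
    asset: str
    grant_to: str                      # group that would gain read access


@dataclass
class Decision:
    allowed: bool
    required_actions: list


class Registry:
    def __init__(self):
        self.assets = {}

    def add(self, asset):
        self.assets[asset.name] = asset

    def derive(self, source, new_name):
        """Register a copy/extract of an asset. It inherits the source's
        classification and contact, so copying can never downgrade the data."""
        src = self.assets[source]
        copy = Asset(new_name, src.classification, src.compliance_contact)
        self.add(copy)
        return copy

    def evaluate(self, cr):
        """Change-control gate: what must happen before this grant is safe?"""
        asset = self.assets.get(cr.asset)
        if asset is None:
            # Unclassified stores are refused: classify first, then grant.
            return Decision(False, [f"{cr.asset} is unclassified: classify it before granting access"])
        if asset.classification != CONFIDENTIAL or cr.grant_to in asset.readers:
            return Decision(True, [])
        return Decision(True, [
            f"{cr.grant_to}: contact {asset.compliance_contact} before using {asset.name}",
            f"{cr.grant_to}: confirm storage of {asset.name} meets corporate/regulatory requirements",
        ])

    def apply(self, cr, attested=False):
        """Apply the grant if allowed, recording whether the new reader has attested."""
        decision = self.evaluate(cr)
        if decision.allowed:
            asset = self.assets[cr.asset]
            if cr.grant_to not in asset.readers:
                # Non-confidential data needs no attestation; confidential data does.
                asset.readers[cr.grant_to] = attested or asset.classification != CONFIDENTIAL
        return decision

    def attest(self, asset_name, group):
        """The group has completed the required actions for this asset."""
        self.assets[asset_name].readers[group] = True

    def compliance_gaps(self):
        """(asset, group) pairs reading confidential data without attestation:
        the 'one change control event away from non-compliant' list."""
        return sorted(
            (a.name, g)
            for a in self.assets.values()
            if a.classification == CONFIDENTIAL
            for g, ok in a.readers.items()
            if not ok
        )


def demo():
    """Constructed scenario: one confidential database, one public site,
    one extract, and three hypothetical change requests."""
    reg = Registry()
    reg.add(Asset("payments_db", CONFIDENTIAL, "pci-compliance@example.com", {"payments-team": True}))
    reg.add(Asset("marketing_site", PUBLIC, "web-team@example.com"))
    reg.derive("payments_db", "payments_extract")      # nightly analytics extract, still in scope

    d1 = reg.apply(ChangeRequest("CR-101", "payments_extract", "analytics"))   # allowed, with actions
    d2 = reg.apply(ChangeRequest("CR-102", "marketing_site", "analytics"))     # allowed, nothing to do
    d3 = reg.apply(ChangeRequest("CR-103", "adhoc_spreadsheet", "analytics"))  # refused: unclassified
    return reg, (d1, d2, d3)


if __name__ == "__main__":
    registry, decisions = demo()
    for d in decisions:
        print(d)
    print("gaps:", registry.compliance_gaps())
```

The point of the `derive` step is the one the post makes about containing spread: the moment someone builds a report or an export from a confidential store, the new store is confidential too, and the next grant against it trips the same alerts. `compliance_gaps` is what you would review after each change control cycle rather than once at classification time.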