
Information Classification Characteristics

4/06/2012 Article

BG

I wrote about UK Document Security Classifications a few days ago, and I almost wish I hadn’t bothered, as it is now the chapter I am reading for my studies.  This post goes a bit more in depth and describes how businesses can implement Information Classification.

What is Information Classification?

It is the process by which an organisation assesses the information it holds and decides the level of protection each piece of it should be given. Organisations usually classify information in terms of confidentiality – i.e. who is granted access to see it.

Issues with Information Classification

One of the biggest problems any business will face when initiating an Information Classification program is the culture shift it requires. Once an Information Classification program is up and running it is relatively easy to maintain; getting it there in the first place, however, is a hefty chunk of work and requires change.  You will always find individuals who are reticent and/or resistant towards change, and with a change as large as this one can be, getting the organisation’s ethos where it needs to be can take just as much work as the program itself.

Steps for Establishing an Information Classification Program

I actually disagree with ISC2 on the next point.  According to the Common Body of Knowledge for the CISSP exam, to establish an Information Classification Program you should follow these steps:

  1. Determine information classification program objectives
  2. Establish organisational support
  3. Develop a policy and supporting procedures
  4. Establish a process about flows and procedures
  5. Develop tools to support the process
  6. Identify process or application owners
  7. Identify information owners and delegates
  8. Distribute standard templates
  9. Classify information and applications
  10. Develop auditing procedures
  11. Load it into a central repository
  12. Train users
  13. Periodically review and update information classifications

Points 6 and 7 are far too late: the information and process owners are instrumental in the whole process and would more obviously belong immediately before point 3.  I assume this must just be a mistake, because I cannot think of any reason why they would come after the development of policies and procedures.

In Organisations

Unlike governments, the classifications used within organisations are entirely dependent on the organisation.  They could be denoted numerically or alphabetically.  However they are arranged, they tend to converge on the same four meanings:

  • Public
  • Internal Use Only
  • Confidential
  • Restricted

Public – also known as unrestricted; for anyone’s eyes.

Internal Use Only – not for release outside the organisation (to competitors, and thereby the public), but not restricted internally.

Confidential – not for the public, as disclosure would be damaging; access is restricted to the primary user groups that need it, to help prevent leakage.

Restricted – disclosure would be damaging both internally and externally, therefore access is tightly restricted on a need-to-know basis.

It’s important to note a couple of bits and pieces.  This is a program, not a project: projects have an end, Information Classification does not, as more information is constantly being generated.  Any store that holds information of more than one classification should take the “highest common denominator” as its designation, i.e. it is labelled and handled at the level of the most sensitive item it contains.  Information Classification Assurance is the process of testing that the program is working; a good rule of thumb is to periodically carry out a test to check that it does, for example by looking for stores whose label is lower than that of their contents.
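To make the four levels, the “highest common denominator” rule and the assurance check concrete, here is an added Python example. It is not code from the original post or from any product; the handling metadata it assumes (a primary user group for Confidential items, a named need-to-know list for Restricted items, an employee flag on users) and the sample documents and people are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Ordered classification levels; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1       # "Internal Use Only"
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Item:
    name: str
    label: Label
    # Assumed handling metadata (not from the post): the primary user groups
    # for CONFIDENTIAL items, the named need-to-know list for RESTRICTED items.
    groups: frozenset = field(default_factory=frozenset)
    need_to_know: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Principal:
    name: str
    is_employee: bool
    groups: frozenset = field(default_factory=frozenset)


def aggregate_label(items):
    """High-water-mark rule: a store holding mixed classifications takes the
    highest label of anything in it. An empty store is treated as PUBLIC."""
    return max((item.label for item in items), default=Label.PUBLIC)


def can_access(principal, item):
    """Access decision matching the four definitions above."""
    if item.label == Label.PUBLIC:
        return True
    if not principal.is_employee:
        return False  # INTERNAL and above never leave the organisation
    if item.label == Label.INTERNAL:
        return True   # unrestricted inside the organisation
    if item.label == Label.CONFIDENTIAL:
        return bool(principal.groups & item.groups)  # primary user groups only
    # RESTRICTED: a named need-to-know list; group membership is not enough
    return principal.name in item.need_to_know


def audit_stores(stores):
    """Assurance check: report every store whose declared label is below the
    high-water mark of its contents. `stores` maps a store name to a
    (declared_label, items) pair. Returns (name, declared, required) tuples."""
    findings = []
    for name, (declared, items) in stores.items():
        required = aggregate_label(items)
        if declared < required:
            findings.append((name, declared, required))
    return findings


# Constructed sample data for the example.
PRESS_RELEASE = Item("press-release", Label.PUBLIC)
HANDBOOK = Item("staff-handbook", Label.INTERNAL)
PRICING = Item("pricing-model", Label.CONFIDENTIAL, groups=frozenset({"sales"}))
MERGER = Item("merger-plan", Label.RESTRICTED, need_to_know=frozenset({"alice"}))

ALICE = Principal("alice", True, frozenset({"finance"}))
BOB = Principal("bob", True, frozenset({"sales"}))
EVE = Principal("eve", False)

SAMPLE_STORES = {
    "public-site": (Label.PUBLIC, [PRESS_RELEASE]),
    # Mislabelled: holds a CONFIDENTIAL item but is only marked INTERNAL.
    "shared-drive": (Label.INTERNAL, [HANDBOOK, PRICING]),
    "deal-room": (Label.RESTRICTED, [PRICING, MERGER]),
}

if __name__ == "__main__":
    for finding in audit_stores(SAMPLE_STORES):
        print("under-labelled store:", finding)
```

The audit is the kind of periodic assurance test the post recommends: run it over an inventory of stores and their contents and any store that comes back is either mislabelled or holding something it should not.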
