Sunday, 17 February 2008

Information classification

Information classification is an important topic that deserves attention, because it is part of your information security management programme/framework. When I first tried to identify the security controls required for each piece of information, I found that the decisions were subjective rather than objective. After reading more about the subject, I concluded that we need an information classification scheme in place, which goes a long way towards making those judgements objective.

Information classification is the conscious decision to assign a level of sensitivity to information as it is created, amended, enhanced, stored or transmitted. The classification of the information should then determine the extent to which the information needs to be controlled and secured, and it is also an indication of the information's value as a business asset.


Why classify information at all? Classification tells us which security controls and processes a given piece of information needs: protecting low-value or public information is not the same as protecting confidential information.


Information classification challenges:

1- Difficulty in establishing a practical information classification scheme.

2- Lack of guidance and best practice on how to communicate the required level of confidentiality and integrity.

3- Difficulty in identifying the security controls appropriate to each classification level.

4- Lack of understanding of how to run an information classification programme.


What we need to do:

1- Develop an information classification scheme.

2- Communicate the scheme once it is built.

3- Build a security control matrix based on the classification scheme.

4- Measure the effectiveness and efficiency of the classification scheme.


First, we need an information classification scheme. Currently I use the following four levels, as suggested by the ISF survey:


Public, Internal, Restricted and Secret

Which factors can we use to determine the correct classification for a piece of information?

  • Level of confidentiality.
  • Legal and regulatory requirements.
  • How the content, and therefore its sensitivity, changes over time.

Second, put the classification scheme into use: label each document with its classification level, build an information classification awareness programme, and make sure that SLAs contain information classification responsibilities and accountabilities.

Third, build a security control matrix that specifies the controls required at each stage of the information lifecycle: creation, processing, transmitting, storage and disposal of the information.
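To make the control matrix concrete, here is an added example (an illustration written for this page, not code from the original post or from the ISF) of a matrix expressed as code, together with a check that reports which required controls are missing for a given handling event. The four levels and five lifecycle stages are the ones described above; the specific controls placed in each cell, the inheritance rule (a higher level requires everything the lower levels require), the parsing of document labels and the event format are all assumptions made for illustration, not recommendations from the post.

```python
"""
Classification-driven security control matrix, as an added example.

Assumptions (not from the original post): the controls named in each
cell, the rule that a higher level inherits the controls of lower levels,
and the label/event format used by the sample data below.
"""
from enum import IntEnum
from typing import Dict, Iterable, Set


class Level(IntEnum):
    """The four levels from the post, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    SECRET = 3


# The five lifecycle stages from the post.
STAGES = ("creation", "processing", "transmitting", "storage", "disposal")

# Assumed control matrix: for each stage, the extra controls that become
# mandatory at each level. Public information has no cell, so nothing is
# required beyond ordinary handling.
CONTROL_MATRIX: Dict[str, Dict[Level, Set[str]]] = {
    "creation": {
        Level.INTERNAL: {"label_applied"},
        Level.RESTRICTED: {"owner_assigned"},
        Level.SECRET: {"need_to_know_list"},
    },
    "processing": {
        Level.RESTRICTED: {"access_control"},
        Level.SECRET: {"access_logging"},
    },
    "transmitting": {
        Level.INTERNAL: {"authenticated_channel"},
        Level.RESTRICTED: {"encryption_in_transit"},
        Level.SECRET: {"approved_recipients_only"},
    },
    "storage": {
        Level.INTERNAL: {"access_control"},
        Level.RESTRICTED: {"encryption_at_rest"},
        Level.SECRET: {"segregated_store"},
    },
    "disposal": {
        Level.INTERNAL: {"deletion"},
        Level.RESTRICTED: {"secure_erase"},
        Level.SECRET: {"witnessed_destruction"},
    },
}


def parse_label(label: str) -> Level:
    """Map the label written on a document to a Level.

    An unknown or missing label is an error rather than a silent default:
    the post's second step is that every document carries its label.
    """
    if not label:
        raise ValueError("document carries no classification label")
    try:
        return Level[label.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown classification label: {label!r}") from None


def required_controls(level: Level, stage: str) -> Set[str]:
    """Controls required at `stage`: the union of every cell at or below `level`."""
    if stage not in CONTROL_MATRIX:
        raise ValueError(f"unknown lifecycle stage: {stage!r}")
    required: Set[str] = set()
    for cell_level, controls in CONTROL_MATRIX[stage].items():
        if cell_level <= level:
            required |= controls
    return required


def check_handling(level: Level, stage: str, controls_present: Iterable[str]) -> Set[str]:
    """Return the controls that are required but absent (empty set means compliant)."""
    return required_controls(level, stage) - set(controls_present)


if __name__ == "__main__":
    # Constructed sample events: (document label, lifecycle stage, controls in place).
    events = [
        ("Secret", "transmitting", {"authenticated_channel", "encryption_in_transit"}),
        ("Public", "disposal", set()),
        ("Restricted", "storage", {"access_control", "encryption_at_rest"}),
    ]
    for label, stage, present in events:
        missing = check_handling(parse_label(label), stage, present)
        status = "OK" if not missing else f"MISSING {sorted(missing)}"
        print(f"{label:>10} / {stage:<12}: {status}")
```

Running the sample flags the Secret document sent over an encrypted, authenticated channel but without a check that the recipients are on the approved list, while the Public and Restricted events pass. The same structure can drive a data-loss-prevention rule, a document-management workflow, or simply the checklist an owner signs off at each stage.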

References:

1) Information Security Forum

2) Employee's Guide to Security Responsibilities

3) Security Education, Awareness, and Training from Theory to Practice, by C. A. Roper, Joseph J.