A data classification policy is fundamental to protecting an
organization's information assets. It sets up categories for governing the
release of sensitive information, and it protects corporate information by
making all employees aware of the level of sensitivity of each piece of
information.
Operating without a data classification policy (the status
quo in almost all companies today) leaves most of these decisions in the hands
of individual workers. Naturally, employee decisions are then largely based on
subjective factors rather than on the sensitivity and criticality of the
information, and employees may be ignorant of the possibility that in responding
to a request for the information, they may be putting it into the hands of an
attacker.
The data classification policy sets forth guidelines for
classifying valuable information into one of several levels. With each data item
assigned a classification, employees can follow a set of data-handling
procedures to protect the company from inadvertent or careless release of
sensitive information. These procedures mitigate the possibility that employees
will be duped into revealing sensitive information to unauthorized persons.
Every employee must be trained on the corporate data
classification policy, including those who do not typically use computers or
corporate communications systems, because every member of the corporate
workforce (including the cleaning crew, building guards, and copy-room staff,
as well as consultants, contractors, and even interns) may have access to
sensitive information.
Management must assign an Information Owner to be
responsible for any information currently in use. Among other things, the
Information Owner is responsible for protecting the information assets.
Ordinarily, the Owner decides what level of classification to assign based on
the need to protect the information, periodically reassesses the classification
level assigned, and decides if any changes are needed. The Information Owner may
also delegate the responsibility of protecting the data to a Custodian or
Designee.
Note: The Internal category of information is often termed Sensitive by security personnel. I have chosen to use Internal because the term itself explains the intended audience. I have used the term Sensitive not as a security classification but as a convenient method of referring to Confidential, Private, and Internal information: put another way, Sensitive refers to any company information that is not specifically designated as Public.
Classification categories
Information should be separated into varying levels of classification based on
its sensitivity. Once a particular classification system is set up, it is an
expensive and time-consuming process to reclassify information into new
categories. In our example policy I chose four classification levels, which is
appropriate for most medium-to-large businesses. Depending on the number and
types of sensitive information they hold, businesses may choose to add more
categories to further control specific types of information.
In smaller businesses, a three-level classification scheme
may be sufficient. Remember: the more complex the classification scheme, the more
it costs the organization to train employees and enforce the system.
Confidential. This category of information is the most
sensitive. Confidential information is intended for use only within the
organization. In most cases, it should only be shared with a very limited number
of people with an absolute need to know. The nature of Confidential information
is such that any unauthorized disclosure could seriously impact the company, its
shareholders, its business partners, and/or its customers. Items of Confidential
information generally fall into one of these categories:
- Information concerning trade secrets, proprietary source code, technical or
  functional specifications, or product information that could be of advantage
  to a competitor.
- Marketing and financial information not available to the public.
- Any other information that is vital to the operation of the company, such as
  future business strategies.
Excerpted with permission from "The Art of Deception" by Kevin D. Mitnick and William L. Simon