Security Requires Information Classification
All companies should take steps to protect the integrity and confidentiality of their information assets. An information classification system is one big step toward accomplishing this goal. If you are not sure that an information classification system is needed in your organization, consider the following:
- Government regulations such as Health Insurance Portability and Accountability Acts (HIPAA) and the Gramm-Leach-Bliley Act hold corporations accountable for the privacy, integrity, and security of information.
- Industry is more dependent than ever on the Internet. Many organizations use it for critical and sensitive communications.
- Identity theft and loss of personal information is at an all-time reported high.
An information classification system will help meet these risks. It will also help the organization determine what information is most critical and how its release may damage or affect the organization. Finally, it demonstrates the organization's commitment to security.
Now, if you're wondering if there is more than one way to categorize information, the answer is yes. The governmental information classification system is one widely used method. Another is the commercial information classification system.
Governmental Information Classification System
The governmental system is most concerned with protecting the confidentiality of information; therefore, it is divided into categories of Unclassified, Confidential, Secret, and Top Secret.
- Unclassified Information is not sensitive and need not be protected. Its loss or disclosure would not cause damage.
- Confidential Its disclosure could cause damage to national security and should be safeguarded against disclosure.
- Secret Its disclosure would be expected to cause serious damage to national security and may divulge significant scientific or technological developments.
- Top Secret Its disclosure would cause grave damage to national security. This information requires the highest level of control.
Note
Information classifications and access control are closely related. A good example of this can be seen by examining the Bell-LaPadula model. This access control model was developed out of the U.S. Department of Defense multilevel security policy. It's considered a need-to-know confidentiality model.
Commercial Information Classification System
The nongovernmental private sector also has established information classification standards. These standards address integrity, availability, and confidentiality. The commercial system is categorized as public, sensitive, private, and confidential.
- Public Similar to unclassified information in that its disclosure or release would cause no damage to the corporation.
- Sensitive This information requires controls to prevent its release to unauthorized parties. Damage could result from its loss of confidentiality or its loss of integrity.
- Private This category of restricted information is considered personal in nature and might include medical records or human resource information.
- Confidential This is the most sensitive rating. This is the information that keeps a company competitive. Not only is this information for internal use only, but its release or alteration could seriously affect or damage the corporation.
Note
Access control models such as Clark-Wilson and Biba more closely align with commercial information classification systems because they are focused on integrity.
Classification Criteria
After a decision has been reached to implement an information classification system, you will need to develop some type of criteria to determine how to categorize your information. Following are some of the items an organization will want to consider to determine what information goes into which category:
- Laws
- Useful life of data
- Value
- Age
- Damage of disclosure
- Damage of modification
Even with the data placed into its proper category, there will still need to be controls to prevent the loss of integrity and the confidentiality of the information. The seven steps shown next can help ensure that there is the infrastructure needed to protect the information.
|
1. |
Identify the administrator or custodian who will be in charge of maintaining the data.
|
|
2. |
Specify the criteria that will be used to identify how the data will be classified and labeled.
|
|
3. |
The data owner must indicate and acknowledge the classification of the data.
|
|
4. |
Specify and document any exceptions that are allowed to the classification policy.
|
|
5. |
Indicate the security controls that will be implemented to protect each classification level.
|
|
6. |
Specify the end-of-life (EOF) procedures for declassifying the information and procedures for transferring custody of the information to another entity.
|
|
7. |
Integrate these issues into an employee awareness program so that individuals understand and acknowledge the classification controls.
|
Classification is one big step toward securing your information assets; however, you'll also need a policy framework to further categorize and manage the documentation system. This is discussed next.