Classifying information is a basic requirement of any information security framework. This, of course, is sound logic. If you don’t know what the value of the information is, you will not be able to handle it appropriately. The problem is not in the requirement but in the way it is implemented...
To understand the root of the problem, we need to go back in time for a bit. Information classification was a problem long before standard-wielding consultants (like yours truly) came along and declared that all information should be classified. Governments and military establishments were grappling with the problem of classifying and handling information. They dealt with state secrets that, if revealed, would probably cause a nuclear war. Hence, they built a system of classification. This system revolved around the risk of disclosure, alteration or destruction of that piece of information. ‘Top Secret’ meant that the information could cause grave danger to the nation. A Wikimedia image of the scheme sums it up quite well: ‘Secret’ meant danger, ‘Top Secret’ meant ‘grave danger’, and so on.
You required explicit written authorisation to be privy to ‘Top Secret’ or ‘Secret’ information and there were detailed guidelines on how to handle this type of information. “If you get caught with a ‘top secret’ document in your possession, burn the document and swallow the ash”, etc. This worked perfectly in the business of national secrets.
The corporate world has merely adapted the same classification scheme that was so painstakingly developed by the military. Definitions like “Disclosure of this information can cause grave damage to the organisation”, or “Significant risk to the organisation on the disclosure, alteration or destruction of data” came into being. This sort of classification, while useful for government agencies, proves quite ineffective in other situations.
Imagine that you are making a presentation to a customer about how your company can help them increase their sales. If such information were disclosed, would it cause ‘grave’ damage to your business? Is it a ‘significant risk’? What about the travel vouchers that you submit? Would disclosure of your travel spending cause a ‘moderate’ level of risk to the organisation? In this case, you would do exactly what anyone else does: give the document no classification at all. Or worse, give it a rating of ‘confidential’ and forget about it. Also, since there are pesky auditors wandering the aisles, you drag all your data and put it into a folder titled ‘Confidential’. There. Done and dusted.
This isn’t how corporate information classification should work!!
Nations will, most probably, not go to war if your ‘Our key differentiators’ document becomes public. However, it could significantly alter your competitor’s sales pitch, making your 5 year plan ineffective.
What we require is a complete rethink of how information should be classified in the corporate world. We really need to think if any document within the organisation would really cause a ‘grave danger to the existence’ of that organisation. Information classification within organisations should be simple, easily understood and implementable.
A really nice and simple way to classify information is the ‘Traffic Light Protocol’ for sharing information. I wonder why most organisations do not take this as a base for their information classification.
The biggest advantage of adapting this method to classify information is its intuitiveness. Everyone knows that red signifies danger. So, a document classified ‘Red’ means it is dangerous to share. See? Simple. Here is a table of what I think is a good classification scheme based on the traffic light protocol.
Classification | Type of data and handling requirements

Red
- Information that could potentially cause significant impact to the share value of the business (M&A plans, R&D initiatives, etc.)
- If this is a document, the first page should mention the names of individuals who are allowed to have access to it.
- This can only be emailed if it is password protected with 256 bit encryption.
- Approval from the CEO for sharing this data, etc.

Amber
- Information under data privacy laws
- Information that needs to be protected under contractual confidentiality agreements
- If this is in a document, the name of the individual / group of people who are authorised to have access to it shall be specified.
- If this information is in an application, role based access control should be defined for individuals who can access this information.

Blue
- Information that needs to be sent outside the organisation, but controlled (proposals, service agreements, etc.)
- A DRM should be deployed to track this information.
- Identifying named individuals outside the organisation who can have access to this information.

Green / Not mentioned
- Information that can be distributed freely subject to copyrights
- All public information that the company wishes to share.
Imagine this classification being used in day-to-day business operations.
“No. That data is Amber. If you need to use it to test your new application, I will have to mask some areas.”
“Dear Sir, Kindly find attached the proposal. Please note that this is a blue document and for use by yourself and Mr. X only”
“Please make this a red document. We cannot afford anyone other than the CFO knowing this information.”
An ideal world, eh?
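The table and the three conversations above can be turned into a mechanical sharing check, for instance as a gate in front of an outbound email or file-sharing step. The following is an added example, not code from the original post; the document attributes (authorised names/roles on the first page, encryption, CEO approval, DRM tracking) and the recipient names are assumed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Label(Enum):
    RED = "red"
    AMBER = "amber"
    BLUE = "blue"
    GREEN = "green"  # also covers "not mentioned"


@dataclass(frozen=True)
class Document:
    label: Label
    authorised: frozenset = frozenset()  # names or roles listed on the first page
    encrypted: bool = False              # password protected, 256-bit encryption
    ceo_approved: bool = False
    drm_tracked: bool = False


def share_decision(doc, recipient, roles=frozenset(), via_email=False):
    """Return (allowed, reason) for sharing `doc` with `recipient`.

    `roles` are the recipient's roles, so an Amber rule expressed as
    role-based access control can be satisfied by a role rather than a name.
    """
    named = recipient in doc.authorised or bool(roles & doc.authorised)
    if doc.label is Label.GREEN:
        return True, "green: free distribution subject to copyright"
    if doc.label is Label.BLUE:
        if not doc.drm_tracked:
            return False, "blue: deploy DRM tracking before release"
        if not named:
            return False, "blue: recipient is not a named external individual"
        return True, "blue: named recipient, DRM tracked"
    if doc.label is Label.AMBER:
        if not named:
            return False, "amber: recipient not in the authorised group/role"
        return True, "amber: authorised recipient"
    # Label.RED: every handling rule in the table must hold
    if not named:
        return False, "red: recipient not listed on the first page"
    if via_email and not doc.encrypted:
        return False, "red: email only when password protected (256-bit)"
    if not doc.ceo_approved:
        return False, "red: CEO approval required"
    return True, "red: named recipient, encrypted, CEO approved"
```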
Another practical classification scheme is mentioned here. It explains the whole philosophy of information classification from the ISO 27001 perspective in 1 page.