Information classification is an integral part of implementing an information security framework and performing risk assessments. Proper classification leads to the selection of appropriate controls. When the goal of information security is to protect, how can this be done without knowing what value differing information types have to the organization? What’s more, information classification can be the method to trigger technology planning for the whole organization well beyond the selection of security controls.
One of the beauties of classifying things is to give us a shorthand method of understanding. For those of us weaned on the OSI seven-layer model, when we are introduced to a new networking protocol we can place it in its appropriate layer by asking about the defining characteristics. Once we know where this new protocol belongs in the model, we can make other fairly accurate assumptions about what the protocol must do, what it cannot do, how it can be exploited or protected.
Information classification works the same way. If you know that a piece of information is sensitive and should not be shared with the public, then you know, in a general sense, how that information should be protected, what kind of access controls should be in place, and that disclosure might trigger some damage to the organization. This kind of broad knowledge about data allows organizations to clean up existing systems that handle information as well and select and build replacement systems or third-party services that contain this sensitive data. Everything from internal controls, vendor contract clauses, selection of types of services, and methods of transport are all impacted by the knowledge that sensitive information is involved.
Unfortunately, too many organizations operate without planning based on how information types should be treated. Instead, they deploy systems and controls for one dataset at a time. Classifying types of information in advance can save time, jobs, and be a driving force for IT planning. Classification helps provide better service to information stakeholders by aligning their needs with the implemented protections.
Joel Colvin has been a security consultant since 1992 and an attorney since 2015. If you would like a copy of the complete paper or would like help in developing your organization’s security policies, please contact him at jcolvin@jcolvinlaw.com.