Classifying information is a basic requirement of any information security framework. This, of course, is sound logic. If you don’t know what the value of the information is, you will not be able to handle it appropriately. The problem is not in the requirement but in the way it is implemented…
To understand the root of the problem, we need to go back in time for a bit. Information classification was a problem long before standard wielding consultants (like yours truly) came along and declared that all information should be classified. Governments and military establishments were grappling with the problem of classifying and handling information. They dealt with state secrets that, if revealed, would probably cause a nuclear war. Hence, they built a system of classification. This system revolved around the risk of disclosure, alteration of destruction of that piece of information. ’Top Secret’ meant that the information could cause a grave danger to the nation. This wikimedia image sums it up quite well. ‘Secret’ meant danger, ‘Top Secret’ meant ‘grave danger’, and so on.
You required explicit written authorisation to be privy to ‘Top Secret’ or ‘Secret’ information and there were detailed guidelines on how to handle this type of information. “If you get caught with a ‘top secret’ document in your possession, burn the document and swallow the ash”, etc. This worked perfectly in the business of national secrets.
The corporate world has merely adapted the same classification scheme that was so painstakingly developed by the military. Definitions like “Disclosure of this information can cause grave damage to the organisation if disclosed.”, Or “Significant risk to the organisation on the disclosure, alteration or destruction of data” came into being. This sort of classification, while useful for government agencies, proves quite ineffective in other situations.
Imagine that you are making a presentation to a customer about how your company can help them in increasing their sales. If such information were disclosed, would it cause a ‘grave’ damage to your business? Is it a ‘significant risk’? What about the travel vouchers that you submit? Would disclosure of your travel spending cause a ‘moderate’ level of risk to the organisation? In this case, you would do exactly like any other person – don’t give the document any sort of classification at all. Or worse, give it a rating of ‘confidential’ and forget about it. Also, since there are pesky auditors wandering the aisles, you drag all your data and put it into a folder titled ‘Confidential’. There. Done and dusted.
This isn’t how corporate information classification should work!!
Nations will, most probably, not go to war if our ’Our key differentiators’ document become public. However, it could significantly alter your competitor’s sales pitch, making our 5 year plan ineffective.
What we require is a complete rethink of how information should be classified in the corporate world. We really need to think if any document within the organisation would really cause a ‘grave danger to the existence’ of that organisation. Information classification within organisations should be simple, easily understood and implementable.
A really nice and simple way to classify information is the ‘Traffic Light Protocol” for sharing information. I wonder why most organisations do not take this as a base for their information classification.
The biggest advantage of adapting this method to classify information is its intuitiveness. Everyone knows that red signifies danger. So, a document classified ‘Red’ means it is dangerous to share. See? Simple. Here is a table of what I think is a good classification scheme based on the traffic light protocol.
|Classification||Type of Data||Handling|
|Green / Not mentioned||
Imagine this classification being used in day-to-day business operations.
“No. That data is Amber. If you need to use it to test your new application, I will have to mask some areas.”
“Dear Sir, Kindly find attached the proposal. Please note that this is a blue document and for use by yourself and Mr. X only”
“Please make this a red document. We cannot afford anyone other than the CFO knowing this information.”
An ideal world, eh?
Another practical classification scheme is mentioned here. It explains the whole philosophy of information classification from the ISO 27001 perspective in 1 page.