Protecting information is vitally important for a number of reasons, from ensuring compliance with legislation such as the GDPR in the EU to reducing the cost of e-discovery. Knowing what information is stored on our network, and where it is stored, is essential today.
Classifying this information with tags, and with physical labels for media, and ensuring there are procedures in place that instruct staff on how to handle it, helps us understand our environment better and therefore protect it better.
8.2.1. Classification of information.
Not all data is made equal. Given the high cost, in both resources and complexity, of more stringent security controls and the unequal value of different data, a tiered approach to data management is recommended. This simply means dividing data into tiers according to some requirement, with each tier having its own security requirements and levels of access. One of the most famous examples of this is the United States federal government's data classification levels of Top Secret, Secret, Confidential and Unclassified, with the criteria for each listed below from Wikipedia (Classified information in the United States, n.d.):
- Top Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
- Information is classified Secret when its unauthorized disclosure would cause “serious damage” to national security.
- Confidential is defined as information that would “damage” national security if publicly disclosed, again, without the proper authorization.
- Unclassified is the default and refers to information that can be released to individuals without a clearance.
Having a well-defined and easy to understand data classification scheme reduces the effort needed when deciding how to secure the systems that house the data, because each tier provides a baseline of security requirements.
8.2.2. Labelling of information.
Having developed your classification plan, you now need to ensure that all data in your organization is assigned a classification and is easily identifiable as having that classification, to avoid accidental disclosure or mishandling. One example is to mark the media used to store the data with coloured labels, such as RED for top secret, so that anyone handling the media knows its classification level at a glance. There should be procedures in place that instruct authors on how to classify their outputs correctly, and every document should state its classification level in a way that is easy to see and quick to understand. This labelling effort should be part of your organization's standard process and documented in your handling procedures.
8.2.3. Handling of assets.
This is especially important for organizations dealing with sensitive information. There should be clear, documented procedures for how data at each tier is handled, including how the information is stored and transported and who is authorized to handle it. There should also be instructions on how data and media are to be destroyed at the end of their life.