Information Classification for Information Systems and Organizations

Information Classification for Information Systems and Organizations

Information Classification Importance 

There is no discussion on information security and cybersecurity without addressing data.

Most of current attack techniques focus on gaining access or penetrating systems to reach data, mass collection of information from systems, and accumulate them into useful context.

The words information and data are interchangeably express useful piece of information.  Data in the information technology literature relate to plain text, numbers, and words not meaningful to human without context. The word information relate to set of data formatted in meaningful context and available as piece of knowledge understandable to human or artificial intelligence engines.

Data is the most valuable asset today, for example, login details for specific system. Data itself has no meaning in isolation and without context; linking it to something make use of it.

Information Classification Driven By ISO Standard

Information classification usually addressed as one of the most important practices in ISO/IEC 27001 (Information Security Management Systems) standard and other similar information security standards, COBIT 5, ITIL Security Management, ISA 62443-2-1, NIST SP 800-53, FISMA, FIPS, and many others.

The practice and guidelines throughout ISO literature focused on classifying information into four categories. Some literatures classify it more granularly.

  • Publicly accessible information
  • Internal use information
  • Restricted/controlled information
  • Confidential information

Location and inherited practice in organizations drive different classification within the main four categories. Some are:

  • Top secret
  • Secret
  • Confidential
  • Restricted
  • Official
  • Unclassified

Information Classification for Your Organization

Classification vary from an organization to another. Unlikely to find large organization or government body without enforced information classification driving its processes and practices.

Classifying information as a practice might not face revolutionary change in the foreseen future. However, throughout my experience with different organization, information classification and reclassification is not a regular practice; it is rather an ad hoc practice in response to security incidents and/or legal issues facing organizations.

First question usually, how do we classify our information? Most information security specialists will answer with “it depends”.

Second question, what to classify? Again, “it depends”

Third question, what to do after we complete information classification? Short answer: Start applying classification to regulatory mandates, then go through internal policies, and focus on business protection. If you are doing it for the first time, or it was long time since done, break the process of getting classification into three phase’s project. First phase to focus on regulatory requirements, and internal policies, second phase to focus on processes that exchange information with customers and public and last phase to cover everything else that matter.

The Business and Technology Drivers behind Information Classification in Security Practice

Information Security and data protection is a concern within highest management levels of organizations, the concerns to address at this level are:

  • Integrity, of information whenever it is in use
  • Confidentiality, of information and who can reach it
  • Availability, of information when it is required

The implications for missing any of the three attributes could be huge. Policies and procedures in place to manage information by considering the three attributes are to be strong enough to keep the information confidential, accurate, and available whenever it is required.

Risk assessment and identified risks play the primary role of organizing and structuring polices and procedures around data.

How to classify information?

The process is cumbersome and annoying to people, especially if it is the first time, or it is a long time since last classification and description written for information, with a large gap between previous and current situation.

The simple approach to make things done.

  • Develop an inventory of different types of information within the organization
  • Identify information assets owners on a list (e.g. excel sheet)
  • Develop another inventory of all processes within the organization
  • Capture regulatory mandates related to your information categories
  • Prepare labeling (stamps for paper) for each classification category

How to start?

Thinking about the process, and the steps required by the information security officer to do this job is overwhelming. Start with simple step then progress.

I prefer to start from the most crowded area in the organization, where a mixture of people is available in the place; clients, employees, leaders, guards, and visitors are available regularly.

Any organization with customer service facing customers, the client area is the best place to start.

Steps to follow:

  • Record all support categories carried by customer service to clients.
  • Grab different cases for each category
  • Isolate incoming requests from outgoing results to customers
  • Interview the team leader/manager of the customer service area about each category to understand the full process of information path from start to finish

By following these steps, you have collected large portion of information sources, identified information assets, and listed couple of processes related to information.

The following steps is to arrange information collected into useful and meaningful structure, that will end by getting well defined baseline of information classification.

In my next article I will describe in more details how to complete the classification and move across the organization to draw complete picture of data and information within the organization.

To leave a comment please use the following form, we will review and post your comment with your name after moderation.

Author: Jawad Alalawi

Information Security Specialist specialized in Financial Payment Services, Risk Management, Information Security, and Compliance. Experienced in solutions development and implementation, and technical writer/copywriter. Email (sjawada5 at gmail.com)

(231)