editione1.0.0
Updated October 9, 2023You might be forgiven for dreading this section. Phrases like “information classification system” rarely spark excitement. But stay with me—let’s move past the dry language and dig into what this phrase means and why it matters to our company and its data.
The importance of this section starts with a truth: just because our organization generates, stores, or processes a piece of information, that doesn’t mean it is sensitive or needs securing.
Some of the data we handle, generate, or process poses little to no risk to our organization, no matter what we do with it. Conversely, there are data types that we encounter that can have significant impacts on our organization, our systems, or our customers—if they are mishandled.
Definition An information classification system is, at its core, a way to label the data within your organization according to how sensitive it is and how much impact it would have on your organization if it were to be improperly handled or shared.
By identifying all of the data stored and handled within your context and dividing it into groups in this way, you can start to define processes and policy for how each group of data should be treated. Typically this includes how the information is used, where it is stored, who it is shared with, and how it is shared.
Once we have this structure of policy defined, we can allocate and prioritize our resources to protect the confidentiality, integrity, and availability of our most sensitive data. The more sensitive the data, the more effort and resources we need to keep it safe.
Let’s take a look at a typical information classification system and examples of the data we might expect to find in it.
| Classification | Description | Examples |
|---|---|---|
| Public | Information is not confidential and can be made public without any implications for your company. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. | • Publicly domain information about the organization • Public marketing materials • Distributed product catalogs |
| Internal | Information is restricted to management-approved internal access and protected from external access. Unauthorized access could influence your company’s operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital. | • Software, code and applications developed by your company or on behalf of your company • Operating procedures used in your business • Instructions, training material, guidelines, organization-wide communications |
| Restricted | Information received from clients in any form for processing in the company or its systems. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital. | • Client account details • Direct communications with clients • Analytics of client transactions |
| Confidential | Information collected and used by your company in the conduct of its business to employ people, to log and fulfil client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within your company. The highest possible levels of integrity, confidentiality, and restricted availability are vital. | • Salaries and other personnel data • Accounting data and internal financial reports • Confidential customer business data and contracts • NDA’s with clients and vendors • Business plans |
While these standard definitions will work for a large number of scenarios and provide a quite generic framework for understanding and communicating the sensitivity of your data, there are some cases where you may choose to define your own classification system. This custom classification system provides a way to communicate any data security or handling requirements that are unique to your organization, risk profile, or context.
Reasons you might want a custom classification system:
Coherence and consistency. Organizations that interact with or partner with government organizations, for example, may choose to reflect the classification systems of their more regulated government partners when defining their own system. This helps create a consistent understanding of data security expectations across the two organizations and make communication of risk simpler and coherent.
Culture. Another reason for choosing a custom classification system might be to echo or reflect other cultural patterns in your organization. If you have a strong communication style and language conventions in your organization, then echoing that language style in your security policy and process can help this process connect with the wider company and be easy to understand. Remember that the more relatable and easy to understand our language choices are, the less effort is needed to understand and comprehend its meaning. Easy to understand often means easy to action, and can be a real benefit when trying to roll out a security program.
Increased granularity. Perhaps your organization has more complex or varied data requirements that are challenging to split into the relatively small number of classifications provided by the more traditional classification systems we explained earlier in this section. In these more complex situations you may wish to have more granular requirements or options. Remember, though, that the more complicated your system, the harder it is to implement consistently and check for issues. If choosing this path, be sure to create the “minimum viable classification system” for your needs. A smaller set of requirements and behaviors will be easier to implement, explain, and monitor.
Once you have defined your classification levels, you need to find all data of each type and ensure that it is labeled correctly to communicate its sensitivity.