If your organization is missing an Information Security Classification Policy, or is not using one effectively to make decisions about risk and cyber defence measures, then read on. Why? Because a well-defined information security classification policy underpins most cyber security; not having one strongly suggests that your organization is not spending its security budget wisely, because it is not optimizing either risk or resources.
IT DOESN'T EXIST
How many times have we heard that? Unfortunately, more often than not. When we ask organizations to provide us with a copy of their information security classification policy, we frequently discover there isn’t one. Which is precisely why we thought it important to persuade readers to develop one if it’s their responsibility, and if it’s not, to encourage whoever is responsible to do it as soon as possible.
Because information classification is an iterative, ongoing process, good governance requires that it be under continual review and constantly improved to maintain its effectiveness. So, if you’re thinking, “We already have one,” but you haven’t reviewed it for 12 months or more, you’d be well advised to do so.
Organizations have a lot to gain from data identification and classification. So, before we drill into the process and classification levels, it is worth appreciating the benefits of having information classified, because they justify the time and effort necessary to complete an information security classification exercise within your organization.
The following are the main benefits of classifying information with security levels:
1. Information Security Classification requires that information first be identified. An initiative is therefore required to actively discover information that’s created, stored and handled by different business groups within the organization. By discovering information, you’re basically rediscovering your business. And this means you can take a moment to review how information is empowering it or possibly operating ineffectively.
2. By working with different business groups, the risk and/or information security team connects face-to-face with business owners and asks them to think – sometimes for the first time – about information security and how it could impact their business. This gives the owners a direct contact point they can reach out to if they have questions or need help managing cyber risks or incidents. Working with the business raises awareness of cyber risk and information security management to realistic levels, because it is finally being discussed and taken seriously at all levels within the organization.
3. Defining and using security information classification optimizes risk and resources, protecting information both effectively and efficiently. By categorising information according to its sensitivity and levels of business impact, you are informing your risk and information security practice of the priority with which information must be protected and therefore where your organization’s information security budgets should be spent.
4. Correctly classifying information that’s governed by laws and regulations allows an organization to limit its dissemination on a need-to-know basis. This minimizes the risk of theft or loss, which helps avoid or minimize the monetary penalties associated with non-compliance. This includes laws that govern personal and health records, and financial-industry requirements such as GLBA (a regulation) and PCI DSS (a contractual industry standard).
5. It informs access control and data loss policies used to implement technical controls. By classifying information with a security label, this information can be used to help map out your organization’s access control matrix. Authorized individuals with a need-to-know can be granted access to the information required to complete their job function; all other access can be restricted and the information protected against accidental data loss, compromise and insider threats.
With the main benefits covered, we turn our attention to the process of classifying information with security labels.
The standard process to classify information is:
1. Identify Information
Use manual methods (workshops, etc.) and automated discovery tools as required.
2. Classify the Information
Assess its business value, impact and sensitivity.
3. Label the Information
For example, Microsoft document labels, Office 365 sensitivity labels, email markings, etc.
4. Implement Controls
The controls need to be proportional to the information value, importance and sensitivity.
These include, but are not limited to, the security controls that apply when the information is stored, shared, disposed of and declassified.
5. Communicate Policy
Appropriately communicate details of the information security classification scheme within your organization.
Business teams should know, understand and use the information security classification scheme correctly.
6. Train on Procedures
Provide training on the information security classification procedure.
Your leadership team should know how to identify and classify new information moving forward or, at the very minimum, request that the new information be classified by the responsible team within your organization.
As every organization is different, there will be different challenges to overcome when trying to classify information. At this point, it’s important to outline the challenges you can expect to face and provide advice on ways you could overcome them.
1. Multiple Classifications
One of the first steps in deciding what information security levels to use within an organization is to understand the laws and regulations that govern your business. The challenge becomes evident when an organization is required to comply with multiple laws and regulations, or when it has different business groups, each governed by a different law or regulation. This may be the case if it conducts business in multiple regions and countries, or simply because it handles different types of information. Many organizations tend to assign multiple classifications to the same information. In practice this is ineffective, because it creates management overhead and makes it harder to use classification labels to protect information. The goal should be a single, consistent classification scheme across the board. Our advice is to standardize on one internal scheme and then, if required, map it to the other schemes mandated by laws and regulations.
2. Internal Resistance
To classify information, you first need to discover it. You could sift through company databases, your intranet, file directories and so forth, but our advice is to engage directly with business units and simply ask them these three questions:
Other good means for discovering information are:
1. Refer to the Business Impact Analysis (BIA) if one exists. Services and the assets supporting them should already have been identified in the BIA. You could find out what information is processed and stored on those assets by asking your IT team to provide the details. Similarly, refer to the assets in your asset management system and discover what information they process or store.
2. Refer to past risk analysis. Assets should have been identified to conduct risk analysis. Those assets should also have included digital information assets.
You will likely face internal resistance from some individuals when you engage them to begin your discovery. To put everyone at ease, remember to:
1. Explain the initiative, its benefits and why the board and executives endorse it.
2. Let them know that you’re only conducting a discovery process at this stage, and that the information asset owners remain ultimately responsible for deciding who can have access to the information, unless that information is protected by a law or regulation, in which case legal advice should be taken.
The tasks can be somewhat challenging for certain individuals who believe:
To summarize, to overcome such resistance, it’s important first and foremost to have your information security classification policy endorsed by the board of directors and/or executive team. Ask the CEO to set the tone at the top with the leadership team and to explain that the initiative is important to the organization because of the benefits described above. The thing to avoid is defining access controls during the information discovery phase. If you try to complete the access control matrix at the same time as you’re engaging with business stakeholders to discover information, you will find that some stakeholders want more access than they require and can’t justify it. Avoid this dilemma and headache by simply discovering and classifying information first. If business impact levels are well defined within your organization, then classifying information is not such a challenge either, and it can be completed at a later stage by a smaller group of stakeholders.
Keep it as simple as can be! That should be your top priority when you’re working through this process. Over-classification occurs when security classification is mapped to access controls, which mustn’t happen while you’re only classifying information assets. Security classification serves a higher-order purpose: its main goal is to mark information as internal, approved for public release, or restricted to particular groups or individuals with a need to know. Information security classifications that map to business roles, locations or data types have all proven to be ineffective because they are:
Keep the number of information security levels to a minimum. If you find that you’re using more than 3 or 4 classification levels, then you’re not keeping it simple. You’re probably falling into the trap of mapping classification levels to business groups, locations or data types, or you’re trying to align with multiple standards.
One of the greatest risks when discovering information to be classified is that you never really know whether you have discovered all of the information assets. Even when applying a default classification to “all other information”, if you haven’t discovered a particular piece of highly sensitive information, there is a risk of under-classifying it and therefore leaving it exposed. The problem is more apparent today as information is dispersed into the cloud, streamed from IoT devices, roaming around on personal handheld devices and flowing between integrated systems. To mitigate this risk, refer to your org chart: identify all the business units and their managers, and work with them to conduct information discovery. Don’t despair! Usually, if the information is important enough, someone will call it out, and even if some of it is left undiscovered, information security is about risk reduction; by discovering most of the information, you can be assured that you’re on the right track.
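To make three of the points above concrete (a label-driven access control matrix from benefit 5, one internal scheme that externally mandated categories map onto from the “Multiple Classifications” challenge, and a safe default for information that discovery has not yet labelled), here is an added example in Python. It is not code from the original article or from any particular product; the four-level scheme, the need-to-know markers, the regulatory categories, and the people and assets are all hypothetical and constructed for illustration.

```python
"""Classification-driven access decisions for a single corporate scheme.

Added example for this article; it is not code from the original page.
It assumes a hypothetical four-level scheme (PUBLIC < INTERNAL <
CONFIDENTIAL < RESTRICTED) plus optional need-to-know markers. The
regulatory categories, people and assets below are all constructed.
"""
from dataclasses import dataclass

LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
RANK = {name: i for i, name in enumerate(LEVELS)}
DEFAULT_LEVEL = "INTERNAL"  # catch-all for information not yet classified


@dataclass(frozen=True)
class Label:
    """Security label on an information asset."""
    level: str
    markers: frozenset = frozenset()  # need-to-know markers, e.g. {"PAYMENTS"}


@dataclass(frozen=True)
class Clearance:
    """What a person (or role) is authorised to see."""
    level: str
    markers: frozenset = frozenset()


# Hypothetical mapping of externally mandated categories onto the ONE
# internal scheme, so an asset never carries several competing labels.
EXTERNAL_MAP = {
    "privacy:personal-data": Label("CONFIDENTIAL", frozenset({"PRIVACY"})),
    "pci-dss:cardholder-data": Label("RESTRICTED", frozenset({"PAYMENTS"})),
    "public-release": Label("PUBLIC"),
}


def consolidate(categories) -> Label:
    """Derive a single internal label for an asset subject to several regimes.

    Takes the highest mapped level and the union of the markers. An asset
    with no recognised category falls back to DEFAULT_LEVEL rather than
    PUBLIC, so undiscovered information is not accidentally released.
    """
    labels = [EXTERNAL_MAP[c] for c in categories]
    level = max((lab.level for lab in labels), key=RANK.__getitem__,
                default=DEFAULT_LEVEL)
    markers = frozenset().union(*(lab.markers for lab in labels))
    return Label(level, markers)


def may_read(clearance: Clearance, label: Label) -> bool:
    """Dominance check: level is high enough AND every marker is held."""
    return (RANK[clearance.level] >= RANK[label.level]
            and label.markers <= clearance.markers)


def may_leave_organisation(label: Label) -> bool:
    """Simple data-loss rule: only PUBLIC information may be sent externally."""
    return label.level == "PUBLIC"


def build_matrix(clearances: dict, labels: dict) -> dict:
    """Access control matrix derived from labels: (person, asset) -> allowed."""
    return {(person, asset): may_read(clearance, label)
            for person, clearance in clearances.items()
            for asset, label in labels.items()}


# Constructed sample discovery output: asset -> external categories it falls under.
ASSETS = {
    "press-kit.pdf": ["public-release"],
    "customer-db": ["privacy:personal-data"],
    "payments-ledger": ["privacy:personal-data", "pci-dss:cardholder-data"],
    "unlabelled-share": [],  # discovered, but nobody has classified it yet
}
LABELS = {asset: consolidate(cats) for asset, cats in ASSETS.items()}

# Constructed clearances; a real deployment would source these from IdM.
CLEARANCES = {
    "alice": Clearance("RESTRICTED", frozenset({"PRIVACY", "PAYMENTS"})),
    "bob": Clearance("CONFIDENTIAL", frozenset({"PRIVACY"})),
    "guest": Clearance("PUBLIC"),
}
MATRIX = build_matrix(CLEARANCES, LABELS)

if __name__ == "__main__":
    for (person, asset), allowed in sorted(MATRIX.items()):
        print(f"{person:6} {asset:16} {LABELS[asset].level:13} "
              f"{'read' if allowed else 'deny'}")
```

Two design choices matter here. First, `consolidate` produces exactly one label per asset even when the asset is governed by several regimes: the highest mapped level wins and the need-to-know markers are merged, which is the “standardize on one scheme and map the others onto it” advice in code form. Second, the fallback for unclassified information is INTERNAL rather than PUBLIC, so anything discovery missed defaults to “deny to outsiders” instead of “release”.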
We’ve now covered the main benefits and challenges of information security classification, so we will now provide some practical advice on which information classification schemes to adopt. To do so, we will distinguish between government (local, state and federal) and corporate organizations, because government already has well-defined information security classification and labelling guidelines, and fairly detailed business impact levels, that can be used directly.
Information Security Classification
For Corporate Organizations
The following example of an information security classification scheme is provided because it can be used within most corporate organizations:
For Government Organizations
Refer to the particular framework used by the federal or state governments in your own country. Local governments should follow the guidelines of their state government. In Australia, the Australian Government Protective Security Policy Framework (PSPF) is to be used by the Australian Government and its agencies, and in the state of New South Wales, for example, the NSW Government Information Classification, Labelling and Handling Guidelines should be used. While these two generally align, there are a few differences (noted below) that need to be considered.
It’s also important to define Dissemination Limiting Markers (DLMs) and how they differ from security classifications. Security classifications are assigned according to the business impact that compromise of the information could have on national security, whereas DLMs reflect the sensitivity or type of information whose compromise could cause limited damage to non-national-security interests, and they limit who the information may be passed to.
Below are the classification levels defined for both Federal and NSW State Government
It’s important that we first respect the objective of the NSW Government Information (Public Access) Act 2009 (GIPA Act), which is to open government information to the public by:
A public interest test, which requires balancing the factors for and against disclosure of each piece of government information, must be conducted using the guidelines provided here. You should also obtain advice from your risk management team and your legal team if you’re unsure whether information is to be released to, or restricted from, the public.
Australian Government Information Security Classifications
The referenced table below shows the information security classifications and sensitivity levels used by the Australian government:
Refer: Attorney-General’s Department, Protective Security Policy Framework, policy on sensitive and classified information.
The NSW Government security classification system and DLMs align with the Australian Government system, which includes four security classifications; however, the NSW Government uses an additional four DLMs (noted below), numbered 6 through 9:
While we have covered the main benefits and challenges of classifying information and provided advice on the security classifications to use, organizations should ultimately review their current culture and their future ambitions for improving information security governance when undertaking an information security classification initiative. A well-planned approach to information security classification, backed by support from your executives, will ensure a higher level of success.