Information is power, as the famous saying goes. Information is the lifeblood of a business, as well as a tantalising target for an attacker. All businesses will find themselves dealing with different types of information, from things that they are happy to make public to things they would rather keep under wraps. How can you ensure that all such items are properly labelled, so that all employees (and anyone else who gets their hands on them) will know how to handle them? The answer is information classification.
Information classification can be as simple or as complex as you like. All it consists of is applying a classification (usually in all caps, centred in the page header) to all pieces of information produced by and handled within your company. The first step is to decide what classifications you need, and this will depend on the nature of your business. Perhaps you are fine with PUBLIC, INTERNAL (for internal stuff that shouldn’t be shared publicly) and CONFIDENTIAL (for internal stuff that should definitely not be shared publicly), or perhaps you need something finer-grained. Maybe you just want those three, plus DON’T SHARE WITH TONY IN MARKETING because the document is about Martha in HR’s surprise birthday party and you just know he’ll blab to her. Your system can be as personalised as you want.
The UK government, for example, uses OFFICIAL, SECRET and TOP SECRET together with optional descriptors (e.g., COMMERCIAL, PERSONAL), codewords and national information (e.g., UK/US EYES ONLY). You probably don’t need all that. Mitigate—our GCHQ-certified internal training solution—includes an entire e-learning module covering information classification. For the module, we chose to use PUBLIC, INTERNAL, RESTRICTED and CONFIDENTIAL.
Okay, great, you’ve got your labels in place and everyone’s marking everything they produce appropriately. Now you need to implement policies for how information at each level of classification is to be handled, from the point of its creation to the point of its destruction. For this, we’ll use the Mitigate classifications.
PUBLIC documents can be given to anyone—you could wallpaper your office in them, if you really wanted to. INTERNAL documents are only to be shared within the company (and, potentially, with selected contractors). As such, it needs to be stored somewhere that is not publicly accessible and there needs to be some form of access control.
RESTRICTED is where things start to get juicy. It means that the information is only to be accessed by a select group of people (e.g., the financial team, or the board). It needs to be secured in a locked space, and must be transferred within an envelope (to avoid any embarrassing Cabinet-style leaks) or encrypted. Additionally, it should only be copyable and erasable by its original creator/owner.
Finally, CONFIDENTIAL means that the information is incredibly sensitive. Access is to be granted on an individual, need-to-know basis by the file owner and revoked immediately afterwards. It must be stored in a safe and transferred only by trusted couriers using sealed envelopes or strong encryption.
This has been a suggestion of one possible information classification framework. Your own needs will differ, and it is up to you to create one that suits your situation.