In today's world, every organization faces unique threats and vulnerabiliti....
Information Classification: Why It Matters
What is Information Classification?
Information Classification, as the name suggests, is the process of sorting information into relevant categories according to its sensitivity. For example, inside a company, the finance department's files should not be mixed with, say, the public relations department's files. They should be kept in separate locations, with access limited to the individuals who are entitled to and entrusted with it. This way, the stored information stays protected and is easier to find when needed.
We process enormous amounts of information every day without realizing it. Information drives decision-making, from the most ordinary decisions (which book should I read?) to the most critical ones (where should I invest my money?). To run their daily operations and market their products, organizations need to collect highly sensitive information. Possessing such information gives an organization power and, at the same time, the responsibility to protect it against security threats. That is why securing information is a crucial process that many organizations struggle to manage successfully, and the first step in securing it is Information Classification.
How to classify information?
Classifying information may seem easy, but once information arrives in high volume and variety, and varies widely in importance, the task becomes much more complex. Three steps make the process easier to follow:
- Know your information assets and assign a value to each of them.
- Label each information asset.
- Define how each information asset must be handled.
Assigning value to the information assets
For classification to be effective, the organization should assign a value to each information asset according to the harm that its loss or disclosure would cause. Netwrix, for example, suggests sorting information by value into the categories below, listed from most to least sensitive:
Confidential information is information that all parties who hold it, or are affected by it, agree to keep confidential. The terms "confidential" and "classified" are sometimes used interchangeably; "classified", however, is mainly a legal term used by governmental institutions.
Classified information is sensitive information whose access is restricted by law or regulation. Anyone who handles classified information needs a formal security clearance.
Restricted information is available to most employees, but not to all of them.
Internal information is available to all employees, but not to anyone outside the organization.
Public information can be accessed by anyone, inside or outside the organization.
All data should be labeled!
Once the organization has classified its information by value, the asset owner should define a labeling scheme. Whether the data is stored physically or digitally, labels should be simple, easy to understand and, most importantly, applied consistently. Any systematic scheme, numeric or alphabetic, will do as long as it is reliable and easy to follow. Visual labels in the headers and footers of documents keep the classification in front of employees at the moment they are about to copy content to a USB drive, attach it to an email or upload it to a cloud service, and so help them stop and think before sharing it.
Handling
Finally, after the organization has classified and labeled all of its information assets, it should write a set of handling rules that map each classification level to the protection it requires. For example, public information can be kept in an open cabinet or published on the company's social media channels, while classified information should be locked away, either on a secured server or in a location physically guarded by security personnel.
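The three steps above, assigning a level, labeling the asset and applying handling rules, are shown below as a small runnable model. This is an added example and not code from the article or from PECB; the level names follow the article, while the channel names, the sample inventory and the handling matrix are constructed assumptions standing in for an organization's real policy.

```python
"""Added example (not from the article): a runnable model of the
classify -> label -> handle procedure. Level names follow the article;
the channel names and the handling matrix are constructed assumptions
standing in for an organization's real policy."""
import re
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Classification levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3
    CLASSIFIED = 4


# Step 1: the asset inventory. Each asset has an owner and a level chosen
# by that owner according to the harm its disclosure would cause.
# (Constructed sample data.)
ASSETS = {
    "q3-revenue-forecast.xlsx": {"owner": "finance", "level": Level.CONFIDENTIAL},
    "press-release-draft.docx": {"owner": "pr", "level": Level.INTERNAL},
    "product-brochure.pdf": {"owner": "marketing", "level": Level.PUBLIC},
}

# Step 3: handling rules. For each level, the channels over which an asset
# may leave its storage location. Anything not listed is forbidden.
# (Constructed assumption; a real matrix comes from the asset owners.)
CHANNELS = ("company_website", "internal_share", "email_internal",
            "email_external", "usb", "public_cloud")
HANDLING = {
    Level.PUBLIC: set(CHANNELS),
    Level.INTERNAL: {"internal_share", "email_internal"},
    Level.RESTRICTED: {"internal_share", "email_internal"},
    Level.CONFIDENTIAL: {"internal_share"},
    Level.CLASSIFIED: set(),          # never leaves its controlled store
}

LABEL_RE = re.compile(r"^\[CLASSIFICATION: ([A-Z]+)\]$", re.MULTILINE)


def label_document(text: str, level: Level) -> str:
    """Step 2: put the same visual label in the header and the footer."""
    marker = f"[CLASSIFICATION: {level.name}]"
    return f"{marker}\n{text.strip()}\n{marker}\n"


def read_label(text: str) -> Optional[Level]:
    """Recover the level from a labeled document.

    Returns None when the document is unlabeled, carries labels that
    disagree with each other, or names a level the scheme does not define.
    """
    found = LABEL_RE.findall(text)
    if len(found) == 0 or len(set(found)) != 1:
        return None
    try:
        return Level[found[0]]
    except KeyError:
        return None


def transfer_allowed(text: str, channel: str) -> bool:
    """Apply the handling matrix to a document about to go out via `channel`.

    A missing or inconsistent label fails closed: the document is treated as
    CLASSIFIED, so nothing unlabeled slips out through a lenient default.
    """
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel!r}")
    level = read_label(text)
    if level is None:
        level = Level.CLASSIFIED
    return channel in HANDLING[level]


def label_inventory() -> dict:
    """Produce a labeled stub document for every asset in the inventory."""
    return {name: label_document(f"contents of {name}", meta["level"])
            for name, meta in ASSETS.items()}


if __name__ == "__main__":
    for name, doc in label_inventory().items():
        allowed = [c for c in CHANNELS if transfer_allowed(doc, c)]
        print(f"{name}: {read_label(doc).name} -> allowed via {allowed}")
```

Two design choices are worth noting. First, a label is a claim the document carries about itself, so anyone who can edit the file can relabel it; the check above is only as strong as the access controls around the file, which is why the article pairs classification with access management. Second, the fail-closed default matters in practice: unlabeled legacy data is the common case, and a scheme that treats it as public will leak exactly the material nobody got around to classifying.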
Why does Information Classification really matter?
There are four main reasons why Information Classification is important:
- Efficiency
- Security
- Culture of safety
- Compliance
- Efficiency
Organizations that have classified their information can run their daily operations more efficiently: data can be found quickly, and changes to it can be traced easily.
- Security
Besides external threats, insider threats are often the ones to worry about. They are among the hardest to prevent because they come from people who already have access. Some are malicious, such as deliberate data theft; others are accidental, such as an unintended disclosure. Restricting access to information according to its classification therefore plays a large part in limiting what an insider can take or leak. Combined with training and access management technology, information classification helps prevent data breaches.
- Culture of Safety
Implementing Information Classification helps build a culture of security awareness across the organization. It places the responsibility for protecting information on everyone who handles it, and it ensures that all employees understand the value of the information they work with every day and know how to treat it.
Employees should access documents on a need-to-know basis. Mapping each employee's access privileges to the sensitivity level of a document's data makes access easier to trace and helps prevent misuse or manipulation of the information.
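The need-to-know rule above is easy to state and easy to get wrong: a high clearance is not, on its own, a reason to see everything at that level. The following added example (not code from the article or from PECB) shows an access check that requires both a sufficient clearance level and membership in every compartment a document is tagged with, and records each decision so that access can be traced. The employee names, clearances and compartments are constructed sample data.

```python
"""Added example (not from the article): a need-to-know access check that
combines a clearance level with compartment tags. Names, clearances and
compartments are constructed sample data."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3
    CLASSIFIED = 4


@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    compartments: FrozenSet[str]   # need-to-know groups, e.g. {"finance"}


@dataclass(frozen=True)
class Employee:
    name: str
    clearance: Level               # highest level the person may read
    need_to_know: FrozenSet[str]   # compartments the person is enrolled in


def can_read(emp: Employee, doc: Document) -> bool:
    """Two conditions, both required:
    1. the clearance dominates the document's level (no reading up);
    2. the reader holds every compartment the document is tagged with,
       so a high clearance alone does not open unrelated material.
    """
    return emp.clearance >= doc.level and doc.compartments <= emp.need_to_know


def access_record(emp: Employee, doc: Document) -> str:
    """One traceable line per decision, whether allowed or denied."""
    verdict = "ALLOW" if can_read(emp, doc) else "DENY"
    return (f"{verdict} user={emp.name} clearance={emp.clearance.name} "
            f"doc={doc.name} level={doc.level.name} "
            f"compartments={sorted(doc.compartments)}")


# Constructed sample data.
FORECAST = Document("q3-revenue-forecast", Level.CONFIDENTIAL, frozenset({"finance"}))
BROCHURE = Document("product-brochure", Level.PUBLIC, frozenset())
CFO = Employee("cfo", Level.CONFIDENTIAL, frozenset({"finance"}))
PR_LEAD = Employee("pr-lead", Level.CONFIDENTIAL, frozenset({"pr"}))
INTERN = Employee("intern", Level.INTERNAL, frozenset({"finance"}))


if __name__ == "__main__":
    for emp in (CFO, PR_LEAD, INTERN):
        for doc in (FORECAST, BROCHURE):
            print(access_record(emp, doc))
```

Running it shows the two ways a request fails: the PR lead is denied the forecast despite holding a CONFIDENTIAL clearance, because finance is not a compartment they need to know, and the intern is denied despite being in the finance compartment, because INTERNAL clearance does not reach CONFIDENTIAL. The denials are logged alongside the allows, which is what makes misuse traceable after the fact.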
- Compliance
Finally, because Information Classification helps organizations identify sensitive information and protect it accordingly, it also supports compliance with regulations such as the GDPR, simplifies audits, and makes it easier to implement standards that require information to be classified, such as ISO/IEC 27001.
Conclusion
Many compromises of intellectual property could be avoided if Information Classification were in place. It ensures that people inside the organization know what type of data they are working with and what it is worth, as well as their obligations and responsibilities in protecting it and preventing its breach or loss.
Information Classification is not the only measure that secures information or ensures compliance with regulatory requirements, but it is an important first step toward taking data security seriously. It helps organizations build their security posture by focusing energy, time and financial resources on the data that is critical to the business.
According to ISO/IEC 27001:2013, the objective of Annex A.8.2 Information classification is "to ensure that information receives an appropriate level of protection in accordance with its importance to the organization". (In the 2022 revision of the standard the corresponding controls are A.5.12 Classification of information and A.5.13 Labelling of information.) Learn more about ISO/IEC 27001 through PECB's training courses and acquire the tools and techniques that will enable you to help your organization achieve and maintain compliance with ISO/IEC 27001 requirements.
About the author
Kaltrina Istrefi is the Digital Communications Manager at PECB. She holds a degree in Marketing from the University of Prishtina, Faculty of Economics. Kaltrina is certified against ISO 9001 – Quality Management and ISO/IEC 27001- Information Security Management.