Businesses and individuals need to protect their information now more than ever before. There are many reasons that justify this observation but the most important reason is the increasing reliance we have on information systems. Critical business transactions are now done through the internet. On a more personal level we are shifting to the digital platform for our banking, communication and education.
An information security plan has many components and one of the most important pillars is Information Classification. This is the categorization of data so as to facilitate the implementation of information confidentiality, integrity and availability.
There are six steps that must be undertaken so as to achieve information classification in your organization. The first one is identifying all the information sources that need to be protected. Determining which information is possessed, where it resides, who the owners and custodians are, the infrastructure used and if there are existing protection measures are the sources that should be documented.
The second step in classifying information is identifying the information classes that will be used for example Secret, Confidential, Restricted and Unclassified.
Once the information classes are outlined, the next step is to identify the information protection measures that will be used to map onto the information classes. These could be authentication, role based access, assurance, encryption and others. These are mainly technical IT controls.
The fourth step is mapping the information protection measures to the classes. For example authentication helps to verify that a system user is who he/she claims to be by requiring this user to be identified. Authentication can be mapped onto any information that is classified Secret. This would ensure that Secret information is accessed by users who are duly identified. Note that any information classified Secret can have multiple protection measures apart from authentication.
In the fifth step, the classification labels and protection measures that were mapped must now be applied to the sources we identified in the first step. For example authentication is a measure we mapped to information that is classified Secret. We now need to determine which information is Secret. Staff medical records, for example, is a source than can be classified as Secret and requires authentication to access.
The final step is a loop back. This is where the process should be repeated at planned intervals.
Information classification helps to ensure that security decisions are made that conform to business objectives instead of IT departmental information protection goals.