Better Information Classification for Increased Data Security

By Greg McNevin

January 18, 2008: The Information Security Forum (ISF) is warning that information classification needs to be taken seriously, claiming that recent high-profile security breaches such as the HMRC scandal in the UK should renew focus on the protection of sensitive data.

The ISF claims that there is a clear and present need for better information classification, and the implementation of data protection measures based on the level of sensitivity and confidentiality.

In its latest report, the ISF suggests that because many existing approaches to information classification are overly complex, the benefits they offer are often outweighed by the hassle, and the schemes are simply ignored.

“Traditional information classification is characterised by the 'Top Secret' rubber stamp in James Bond films,” says Nick Frost, the report's author and a senior ISF research consultant. “Today, information exists in many different forms, from paper documents and verbal communications to the masses of electronic data stored, transmitted and processed. While introducing an effective enterprise-wide scheme is daunting, organisations can no longer afford to ignore its importance if further embarrassing data losses are to be avoided.”

The ISF says information classification requires three main things: a consistent process to determine the level of confidentiality of a piece of information, the development of techniques for communicating the level of classification, and the practical implementation of measures to protect information accordingly.

The report claims that the benefits of successful information classification are considerable: by ensuring that information is adequately protected, good information classification helps to prevent over- or under-engineering of controls, reducing potential operational overspend and unnecessary drains on resources. It can also help to enforce better access control policies and be used to demonstrate compliance with legislation.

The report highlights that achieving these levels of success requires participation across an organisation, from HR and Legal to IT and Audit, along with Board-level support.

“Having senior managers with a shared strategic vision and understanding of information classification and the value it can deliver is critical to overcome budgetary and organisational issues,” says the ISF's Nick Frost. “It is also vital to run a successful pilot project to show a 'quick win' to demonstrate the benefits.”
