
Figure 1 Information Classification Breakdown

An effective way of understanding the difference between internal-use information and public information is to picture your organization’s connection to the Internet. The Web site, and the information contained on it that is outside your zone of protection, is your public information. Remember that posting information to the public Web site is done only by the Webmaster and with the approval of the owner of the information. This is your organization’s Internet connection.

The portion of Internet access that is behind your zone of protection and contains information for use by employees is your intranet connection. This area contains information that is unavailable to the outside world but has been made accessible to employees for use while performing their assigned tasks.

For years the information handling standard was that all information is closed until the owner opens it. This worked well in the mainframe environment, when access control packages ruled the single platform on which information was processed. With the introduction of the client/server environment and multiple operating platforms, no single access control package could handle all the needs. With decentralized processing, and then the move to connect to the Internet, the restrictions on information closure began to weaken. The operating concept during this period was that all information was open until the owner classified it and closed access to it.

Now we have come full circle. As the decentralized processing environment matures and national and international laws, statutes, and privacy concerns become stronger, the information protection concept has reverted to one in which all information access is closed until the owner opens it. For this to be effective, and to allow the organization to demonstrate due diligence, it is incumbent on the organization to establish an effective information classification policy and supporting handling standards.

Most organizations do not have information that is all of the same value or sensitivity. It is necessary to develop at least an initial, high-level attempt at classification. This should be done if for no other reason than to ensure that budgeted resources are not misused in over-protecting nonsensitive, noncritical information assets. Before employees can protect information assets, they must first have a policy that identifies classification levels and then a methodology to implement the policy requirements. An information classification policy that is not overly complex, and a methodology that relies on common sense and is facilitated by either information security or records management, will make acceptance possible.

4 WHAT IS INFORMATION CLASSIFICATION?

An information or asset classification process is a business decision process. Information is an asset of the organization, and managers have been charged with protecting all assets and accounting for their proper use. An information classification process will allow managers to meet this fiduciary responsibility. The role of the information security professional, or even of information systems personnel, is one of advice and consulting. The final decision is made by the business unit managers or, as we will define soon, the asset owner.

When preparing to develop the information classification policy, it is important to get input from the management team. As discussed in previous chapters, knowing what management really wants will improve the quality of the overall policy. It is important that you ask questions to find out what they mean. When my daughter was about seven or eight years old, she came to me and asked, “Pa (that is what she calls me), where do we come from?” Well, I pretended to not hear her so I could research my answer. The next day I sat down with her and discussed the “facts of life” with her. She looked at me and said, “I know all that. What I want to know is where we come from. Terri Lynn comes from Tennessee and Pam comes from Kentucky.” So before you develop an answer, make sure you understand the question.

When conducting interviews with management and other key personnel, develop a set of questions to ensure a consistency in the direction of the responses. These questions might include some of the following:

• What are the mission-critical or sensitive activities or operations?

• Where is mission-critical or sensitive information stored?

• Where is this information processed?

• Who requires access to this information?

There are no hard-and-fast rules for determining what constitutes sensitive information. In some instances, the number of people who require access may affect the classification. The real test of an information classification system is how easy it is for the reader to understand what constitutes sensitive information and which organization-approved label should be affixed to the information asset.

5 WHERE TO BEGIN?

After you have a clearer idea of what management is expecting, it is time to do some research. I like to contact my fellow information security professionals and find out what they have done to answer the problems I have been assigned. By being a member of the Computer Security Institute (CSI), the Information System Security Association (ISSA), and the Information Systems Audit and Control Association (ISACA), I have ready access to people in my area who are usually willing to share examples of their work.

When developing classification levels, I prefer to discuss the topic with fellow professionals. I recommend that you cultivate contacts in similar business environments and see what your peers are doing. A search of the Internet can turn up some examples of classification policies, but many of them are university- or government-agency-related. Be careful with what you uncover in your research; while there are many good ideas and terms out there, they are only good if they are applicable to your specific needs.

Use the information you gather from fellow professionals as a starting point. Your organization will have its own unique variation on the classification policy and categories. We examine a number of examples of information categories in the subsequent subsection. If you are a government agency, or do work for a government agency, be sure to check with your regulatory affairs group to see if there are any government-imposed requirements.

5.1 Information Classification Category Examples

Using the information in Tables 1 and 2, the manager can determine the level of criticality of an information asset.

The service provider shown in Table 3 has established five categories to be used by managers in classifying information assets. Part of the reason for their use of these categories is that they have experience with Department of Defense contracts and have become accustomed to certain classification levels. The concern I have with patterning a policy after a government standard is that there might be confusion regarding what is government contract information and what is normal business information. Also, the number of employees exposed to the government standards may affect the drafting of these standards.

I recently discussed the classification scheme shown in Table 4 with the company that created it to find out how they use the color coding. The sample “Information Security Handbook” included in this book also uses color codes for information classification. The company does not actually use the colors to color-code the documents. Instead, the company identifies the level of classification but requires the footer to contain “Company Red” or whatever color. It gives a good visual for the employees.

The company in Table 5 also requires that specific levels of information carry appropriate markings to identify them as classified information. We discuss an Information Handling Matrix later in this chapter. When you create your organization’s handling requirements, use the following as thought starters:

• MAKE NO COPIES

• THIRD-PARTY CONFIDENTIAL

• ATTORNEY-CLIENT PRIVILEGED DOCUMENT

• DISTRIBUTION LIMITED TO_______

• COVERED BY A NON-ANALYSIS AGREEMENT

Table 1. Information Classification Category