Information classification and governance – what do you share?

Most people know almost instinctively that there is some information that you just don’t share: the secret a friend confided in you, the actual bonus you got for your efforts that no-one else in the office received, the nasty disease your best mate had to see the doctor about, and what that lady from network services got up to with the Head of Sales on that fact-finding mission to Germany.

You wouldn’t share those, would you? Of course not, you can be trusted with a secret, can’t you? You also know that if it got out it would come back to haunt you and you could not be trusted again.

The same is also true of company information. It needs to be kept secret to a certain extent. Product designs, new projects, marketing material about competitors and prospects, sales information about customers, their contacts and their orders, staff records, payroll details: all of that needs to be kept securely, doesn’t it? And we do, don’t we? Everyone within our organisation knows exactly how to treat information and ensure it is secure, so that only those who should have access to it actually do. That is right, isn’t it?

And of course, if our people don’t look after it properly, well, we have a disciplinary process we can invoke; that should take care of it, right?

ISO 27001 has a control objective to help: A.7.2 Information classification, whose objective is “To ensure that information receives an appropriate level of protection.” This objective calls for classification guidelines and then a set of procedures or processes whereby information is labelled, or marked, and handled in accordance with those guidelines.

So we spend a little time defining our guidelines. Maybe we split it into 3 or 4 levels such as Public, Private, Confidential and Restricted. We provide some examples of the type of document or information against each of the classifications and include rules such as ‘Restricted information must not be sent outside of the organisation’s physical and/or logical boundaries unless it is encrypted to a minimum of AES-128’, or some such.

How, though, do we label or mark it so that people know what classification it is? Well, we could have some templates in our system with the label already pre-defined in the footer. We could invest in some rubber stamps. We could issue rules and diktats, and of course we could train our staff. We could do all or a combination of these.

We might, though, consider a software tool to help. One such tool is Boldon James document classification software, which can make the document classification process simple. This software simplifies the process of marking information and allows you to apply relevant classifications (visual and metadata labels/protective markings) to information (files) of many different types. These labels/markings can be used to enforce user policies, raise user awareness of security and orchestrate multiple on-demand security technologies such as encryption. You can find more information on the Boldon James product range at: https://www.itgovernance.co.uk/data-classification-software.aspx.
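As an added illustration of how a label, once present on a document, can drive a handling rule like the ‘Restricted must be encrypted before it leaves the boundary’ rule in the guidelines above, here is a small policy check written for this page (it is example code, not the original post’s content and not the Boldon James product). The label format (a ‘Classification:’ footer line or a metadata key), the encryption descriptor (a string such as ‘AES-256’) and the choice to treat an unlabelled document as Restricted so the check fails closed are all assumptions of the example.

```python
"""Label-driven handling check (added example; assumptions noted in comments)."""
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Classification(IntEnum):
    # Ordered so comparisons read as "at least this sensitive" (levels from the guidelines)
    PUBLIC = 0
    PRIVATE = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed label formats: a footer line "Classification: <level>" or a metadata key "classification"
LABEL_RE = re.compile(r"^\s*Classification:\s*(Public|Private|Confidential|Restricted)\s*$", re.I | re.M)
# Assumed encryption descriptor, e.g. "AES-128", "AES-256", "aes256"
AES_RE = re.compile(r"^AES-?(\d{3})$", re.I)
MIN_AES_BITS = 128  # the guideline's minimum for Restricted information leaving the boundary


@dataclass
class Document:
    name: str
    body: str
    metadata: Dict[str, str] = field(default_factory=dict)


def read_label(doc: Document) -> Classification:
    """Prefer the metadata label, fall back to the footer marking, and fail closed
    (treat as Restricted) when neither is present; that fail-closed default is an assumption."""
    value = doc.metadata.get("classification")
    if value is None:
        match = LABEL_RE.search(doc.body)
        value = match.group(1) if match else None
    if value is None:
        return Classification.RESTRICTED
    return Classification[value.upper()]


def aes_key_bits(encryption: Optional[str]) -> int:
    """Return the AES key size named by the descriptor, or 0 if it is absent or not AES."""
    if encryption is None:
        return 0
    match = AES_RE.match(encryption.strip())
    return int(match.group(1)) if match else 0


def check_transfer(doc: Document, leaves_boundary: bool, encryption: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the handling rule: Restricted information must not leave the organisation's
    boundary unless encrypted to at least AES-128. Returns (allowed, reason)."""
    label = read_label(doc)
    if not leaves_boundary:
        return True, f"{doc.name}: {label.name} handled inside the boundary"
    if label < Classification.RESTRICTED:
        return True, f"{doc.name}: {label.name} may leave the boundary"
    bits = aes_key_bits(encryption)
    if bits >= MIN_AES_BITS:
        return True, f"{doc.name}: RESTRICTED leaving the boundary with AES-{bits}"
    return False, (f"{doc.name}: RESTRICTED must be encrypted to at least AES-{MIN_AES_BITS} "
                   f"before leaving the boundary (got {encryption!r})")


# Constructed sample documents (not real files) exercising each branch of the rule
SAMPLES: List[Tuple[Document, bool, Optional[str]]] = [
    (Document("design.docx", "Widget v2 design\n\nClassification: Restricted\n"), True, "AES-256"),
    (Document("design.docx", "Widget v2 design\n\nClassification: Restricted\n"), True, None),
    (Document("brochure.pdf", "Our products", {"classification": "Public"}), True, None),
    (Document("notes.txt", "No footer, no metadata"), True, "3DES"),
    (Document("payroll.xlsx", "", {"classification": "Restricted"}), True, "aes128"),
    (Document("payroll.xlsx", "", {"classification": "Restricted"}), False, None),
]


def run_samples() -> List[bool]:
    """Evaluate every sample transfer and return the allowed/denied decisions in order."""
    decisions = []
    for doc, external, enc in SAMPLES:
        allowed, reason = check_transfer(doc, external, enc)
        print("ALLOW " if allowed else "DENY  ", reason)
        decisions.append(allowed)
    return decisions


if __name__ == "__main__":
    run_samples()
```

The point of the fail-closed default is the one the post makes about people: an unlabelled document is not evidence that it is harmless, so the check treats it as the most sensitive level until someone labels it.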

It is ideal for classifying e-mails, files and documents, and it works with common document management systems such as Microsoft SharePoint. To find out more, click on the link above or contact IT Governance on 0845 070 1750 or email us at servicecentre@itgovernance.co.uk.