Information Classification: Build The Basics To Get The Benefits

Having spent many years in the military, I was very familiar with the concept of protecting information. Information classification was predominately used to deny the enemy our secrets so we could maintain an advantage, but since moving into the private sector, my understanding of information and its value to an organisation has developed.

Security is not just about protecting secrets. It’s also about respecting personal information, complying with regulations and more importantly, appreciating how information drives an organisation.

What is information classification?

Information Classification is when an organisation provides its information assets with an appropriate level of protection based on its perceived value. There are many different factors that can help to determine value, which might include:

• Legislation and regulations such as the Data Protection Act 2018.
• Information assets that have been deemed critical to organisational operations, e.g. financial information, computer code or customer databases.
• Contractual agreements such as Non-Disclosure Agreements (NDAs).

How is information classified?

There are many approaches to classifying information, such as the UK Government Classification System, but typically the most common information classification labels are public, confidential, commercial, sensitive and personal. Methods to protect valuable information will normally include a combination of technology, people, and process controls.

So, what are we trying to protect?

There are three aspects to information and its security that must be considered: confidentiality, integrity, and availability (CIA), often called the “CIA Triad”.

The objective of Information Classification and Information Protection, more generally, is to preserve the CIA triad of organisations’ most critical information assets. Doing this well will reduce the likelihood of a data breach.

The CIA test is – “What would be the consequences to the organisation if”:

• C – unauthorised people could see/access the information?
• I – the information was maliciously or accidentally modified?
• A – the information could not be accessed by the right people at the right time?

If the answer to any of these questions is “the consequences would be damaging or even catastrophic to the organisation”, then you will need to apply protective controls, like information classification, around that information asset.

What do organisations need to do?

Clearly, we want to protect information, but there is normally so much of it that you cannot see the wood from the trees. Organisations need to prioritise which information assets are the most valuable and/or present the most risk to them. The most restrictive controls should be applied to the information that is deemed highest value or most at risk. This will vary depending on each organisation, but will involve understanding:

• What information the organisation holds
• Where the information is stored
• Value of the information
• How the information is used
• What risks are associated with the information
• What resources are available to protect the information

The Benefits of Information Classification

There are many benefits of introducing an Information Classification system, and associated controls, into your organisation including:

• Reduced risk of data breaches – The fallout of breaches today can include financial penalties and reputational damage, both of which can be catastrophic for organisations to recover from.

• Increased compliance – Adhering to information security standards and frameworks such as ISO 27001, IASME, PCI-DSS, NIS CAF, NIST and GDPR can provide the organisation reduced insurance premiums and competitive advantage through access to opportunities that require defined information security standards.

• Increased efficiency – Classified data can be easily found; changes are tracked and traced meaning employees are able to execute daily operations more efficiently.

• Increased culture of security awareness – Asking employees to take responsibility for protecting information by ensuring they understand the value of information they work with can build a culture of security awareness.

• Increased organisational understanding – Information classification provides the organisation with a better understanding of information security risks to enable mitigations to be applied.

Implementing any new system or change can be a challenge, especially when it involves technical and non-technical elements, but making the move to an information classification system can deliver tangible advantages for any organisation.

If you’d like to find out more about how we can help your organisation start or develop your information security journey, feel free to get in touch.