10 Nov What you need to know about information classification
Information is vital to our business processes and operations, and because of that, it needs to be properly protected. SPA’s member of the month Moe Ahddoud looks at why information classification is central to an organisation’s information security strategy.
Many people still think of IT assets as physical objects, such as computer equipment. But in the age of cloud computing, information can exist anywhere, in any form and on a huge range of different devices and infrastructures. Information itself is also an IT asset, and it’s an extremely valuable one too. It’s vital to our business processes and operations, and because of that, it needs to be properly protected.
What is information classification?
Information classification helps us determine who has access to which information, and which controls and policies need to be put in place to protect it. For employees, it’s a tool which helps you assess the sensitivity of information and take the necessary steps to keep it safe. Our organisation’s information classification policy defines four levels for indicating the degree of sensitivity of a particular information asset.
Confidential: This category includes highly sensitive information, such as payroll information, payment card details, and medical records. Access to confidential information is restricted to a small number of individuals based on their role and position in the company. In certain cases, authorised third parties may also have access to confidential information.
Restricted: Restricted information, such as details on departmental procedures and business activities, while not necessarily strictly confidential, is not intended for widespread internal use. As with confidential information, policies dictate that only a specific group, organisational unit, or authorised third party should have access to this information.
Internal: Though not sensitive, internal information is not meant for public consumption. This includes any information intended for internal staff use, such as recruitment policies and pre-release content that isn’t ready for publication. It does not contain any personally identifiable details or commercially sensitive information.
Public: Public information is the lowest category, since it’s widely available having been approved for public access. Examples include our website and social media profiles, as well as any other customer-facing informational assets. There are no limits on who can and should be able to access information classified as public. Note that “public” describes who may read the information, not how much it matters: the integrity of the website and of social media profiles still needs protecting, since only approved content should be published under our name.
Who is responsible for classifying information?
Information owners are typically responsible for classifying information, since they understand its value to the organisation and the risks it carries. Risk levels are usually defined based on an initial information security risk assessment. In general, the greater the value of the information (the higher the consequence of breaching the confidentiality), the higher the classification level should be.
Information owners are also responsible for creating and enforcing policies which allow specific individuals to view and edit the information. In most cases, an individual’s role determines which information they have access to and what they can do with it. For example, anyone on the accounting team can view basic accounting information, but only team leaders can add new accounts.
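The rule in the paragraph above, carried through as a small label check. This is an added example written for this page, not the organisation’s own policy engine: the four levels are the ones defined above, while the subjects, the need-to-know groups (“accounting”, “payroll”), the roles and the actions are hypothetical names chosen to match the accounting-team illustration. It also shows one step the text does not spell out, namely that a report built from several sources inherits the highest classification of its inputs.

```python
"""Label-based access check for the four-level classification scheme.

Added illustration for this page; not the organisation's policy engine.
Group, role, action and subject names below are hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable


class Level(IntEnum):
    """Sensitivity levels, ordered so a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Label:
    """Classification attached to an information asset.

    `compartments` are hypothetical need-to-know groups (e.g. "payroll") that
    narrow access within the Restricted and Confidential levels.
    """
    level: Level
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Subject:
    """A person requesting access; `groups` and `roles` are hypothetical names."""
    name: str
    clearance: Level
    groups: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()
    third_party: bool = False


# Hypothetical role-to-action mapping for the accounting example in the text:
# everyone on the team may view, only team leaders may add new accounts.
ROLE_ACTIONS = {
    "accounting": {"view"},
    "accounting_lead": {"view", "add_account"},
}


def can_read(subject: Subject, label: Label) -> bool:
    """No read-up: the subject's clearance must be at least the asset's level."""
    if subject.clearance < label.level:
        return False
    if label.level == Level.INTERNAL and subject.third_party:
        # Internal material is for staff only; there is no third-party route.
        return False
    if label.level >= Level.RESTRICTED:
        # Need-to-know: every compartment on the asset must be held by the
        # subject. An "authorised third party" is one who has been given them.
        return label.compartments <= subject.groups
    return True


def can_perform(subject: Subject, label: Label, action: str) -> bool:
    """Reading is necessary but not sufficient: the action must also be
    granted to at least one of the subject's roles."""
    if not can_read(subject, label):
        return False
    return any(action in ROLE_ACTIONS.get(role, set()) for role in subject.roles)


def combine(labels: Iterable[Label]) -> Label:
    """Label for material derived from several sources: the highest level and
    the union of compartments, so derived data is never classified below any
    of its inputs."""
    labels = list(labels)
    if not labels:
        return Label(Level.PUBLIC)
    level = max(lab.level for lab in labels)
    comps = frozenset().union(*(lab.compartments for lab in labels))
    return Label(level, comps)


# Constructed sample assets, one per level, and three constructed subjects.
WEBSITE = Label(Level.PUBLIC)
RECRUITMENT_POLICY = Label(Level.INTERNAL)
DEPT_PROCEDURES = Label(Level.RESTRICTED, frozenset({"accounting"}))
PAYROLL = Label(Level.CONFIDENTIAL, frozenset({"payroll"}))

ALICE = Subject("alice", Level.RESTRICTED, frozenset({"accounting"}),
                frozenset({"accounting"}))
BOB = Subject("bob", Level.CONFIDENTIAL, frozenset({"accounting", "payroll"}),
              frozenset({"accounting_lead"}))
AUDITOR = Subject("auditor", Level.CONFIDENTIAL, frozenset({"payroll"}),
                  frozenset(), third_party=True)


if __name__ == "__main__":
    for who in (ALICE, BOB, AUDITOR):
        for asset in (WEBSITE, RECRUITMENT_POLICY, DEPT_PROCEDURES, PAYROLL):
            print(f"{who.name:8} {asset.level.name:12} read={can_read(who, asset)}")
    print("quarterly report label:", combine([WEBSITE, DEPT_PROCEDURES, PAYROLL]))
```

The check separates the two questions the text raises: whether the person may see the information at all (level plus need-to-know), and what their role lets them do with it. The external auditor can read payroll data only because they have been placed in that group, and the combined report comes out Confidential, so the clerk who could read two of its three inputs cannot read the result.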
The information owner is also responsible for deciding how information should be secured, how long it should be retained, and how it should be disposed of once it reaches the end of its lifecycle. Finally, these policies and procedures should be reviewed annually to ensure they are up to date.
What this means for you
Information classification is a core part of our information security strategy. It’s essential that everyone is aware of the level of sensitivity of the information they have access to. This will ultimately let you determine what you can and cannot do with it. If you’re unsure of whether information in your care is sensitive or not, speak to your line manager immediately for further guidance.