My research on information classification policies kept turning up the statement that “the integrity of public information is not vital” for public and unclassified information. I even stated the same in my earlier article on Information Classification. I had taken for granted that this statement is correct. That is, until I was called out by a co-worker.
“You can’t be serious, right?” was how I was approached.
“The integrity is not vital?”
She began to explain her viewpoint on it and my first thought was “…at least someone read my article…”. Then I started to wonder, why did I take that for granted?
On its face, you could make the argument that, maybe they mean that you can’t control the information once it’s in the public so you can’t possibly be capable of maintaining its integrity. Or could they really mean that you are concerned about the integrity of the source of the information and that as long as the source integrity is maintained, then your information is good?
Yeah, that justifies the statement. Now we can all sleep peacefully.
But then you read further and statements are made to further qualify the position by providing examples of what types of information are included in this classification:
- Product brochures widely distributed
- Information widely available in the public domain, including publicly available Company web site areas
- Sample downloads of Company software that is for sale
- Financial reports required by regulatory authorities
- Newsletters for external transmission
So if I put those pieces of information together, I can make statements like: We are not concerned about the integrity of the information found in our product brochures. Hmm… don’t think that flies.
Okay, let me try again. We are not concerned about the integrity of the software downloads that our customers (or potential customers) could download from our site. Okay, we’re 0 for 2. Remind me never to buy software from anyone who actually thinks this…
Last try. We are not concerned about the integrity of the financial reports required by regulatory authorities. Um, hello, Enron? I think we found your information classification policy.
So which is it? Are the commonly accepted frameworks incorrect? Or are they being widely misinterpreted?
Let’s address the frameworks first:
- ISO guidance states that “All information should be classified into categories. This classification should be based on value, sensitivity, legal requirements, and criticality to the organization. The classification policy should include guidelines for the initial classification and the reclassification of the data. The classification schemes should not be overly complex.” Okay, nothing wrong there.
- The FFIEC Handbook states “A data classification program should be established to identify and rank data, systems, and applications in their order of importance.” I’m good with that too.
- NIST says “The organization must assign assurance categories for all information types that can be associated with both user information and system information, and can be applicable to information in either electronic or non-electronic form. The organization must also assign appropriate assurance categories for each system and information type (low, moderate, or high for confidentiality, integrity, and availability) based upon the potential impact for the loss of each of the just mentioned assurance objectives.”
Well then. I don’t see anything listed in the frameworks that makes any statement on integrity, other than you need to make a determination of integrity for each item/classification.
So what does that leave us with? The mass redistribution of an incorrect statement across the Internet. I would insert a poll to see how many people are surprised by that, but it seems a bit unnecessary.
Somewhere along the way, a policy or guideline was written and publicly posted. It was either one of the first references to the subject or had very good search engine results. Because of that, it managed to make its way into many more articles and policies posted online. So much so that the abundance of that information made it assumed to be correct.
So, you should take away two points from this post:
- Yes, the integrity of your public information is vital
- Don’t take for granted everything you read on the Internet
Neither of those should surprise you.