Control your data so you don’t end up on Wikileaks too!


As noted in this Washington Post article, investigations have now determined that the system which stored the information disclosed by Wikileaks had quite a few failures of process and procedure that led to the “leaking” of the 250,000 documents.

From a pure information security standpoint, the information classification policies, the access control (and monitoring), and the data handling procedures all contributed to the loss of the diplomatic cables.

  • Information Classification – Everyone has an idea of information classification from watching movies and seeing file folders with the words “TOP SECRET” stamped in RED on the outside.  Well, we don’t use the plain manila folders as much anymore and rely on computers to store and disseminate information.  To do so, information has to be properly classified and flagged so it exists in the right systems and is available to the right audience.  In the case of this particular Defense Department system it appears that those responsible for flagging the data did so incorrectly on many, many occasions.  The article already states that this was done in error, as embassy employees were putting information into the system without knowing what the codes meant.  So at the root of the issue here is that users had access to the system and the information without complete understanding/training.
  • Access Control (monitoring) – I added monitoring to this because it’s not a pure access control issue.  The State Department has made it a practice to place monitoring tools on its systems so it can “know” where information goes, as well as help prevent it from being used in an inappropriate manner.  DLP (Data Loss Prevention) products are commonly used for this type of activity.  Unfortunately the Defense Department may not be as on the ball as the State Department in making sure it is monitoring the use of its data.  However, that doesn’t absolve the State Department either, as it should also be aware of where its information exists (as difficult as that really is) and help control it.
  • Data Handling – Add the last two issues up and you’ve now provided the opportunity for someone to mishandle data, whether that means accidentally printing or moving a file, or copying 250,000 files to a CD and giving them to someone without the proper security clearance (I believe we call that espionage).  Regardless, system users are also trained on what they should do with data (called handling).  Certain things you don’t print, you can’t email documents or information, you don’t put them on removable media.  This is part and parcel of having a security clearance.  Granted, the next step in accessing the information is the matter of “need to know”, and our initial issue with the misclassification of the documents provided access to many people without the need to know.

So prior to 9-11 we had systems that were too closed, and the lack of information sharing was blamed as a root cause for not being able to detect the planning of the attacks.  Now, 10 years later, the pendulum has swung the other direction and we are sharing to the point of being careless with information.  On the surface it appears that some better training and enforcement of current policies and procedures would help bring that pendulum back to the center, while also keeping the appropriate people informed to keep us all safe.



Why We Classify


Toys.  Clothes.  Books.  Trash.

These four simple categories were assigned to items to help my six-year-old daughter understand how to clean and organize her room. In doing so, we’ve intuitively classified each category’s importance.

Trash hopefully has an obvious classification to her. We don’t care much about what kind of trash it is or where it ends up as long as it’s in a trash can.

Books are on the other end of the spectrum from trash. We teach that they are to be respected and cared for. They have a particular place on her shelves and should always go there. In the scope of my daughter’s room, this holds the highest level of classification.

Clothes and toys, each independent of the other, are items about which further decisions may need to be made before an action is taken. Are the clothes clean? Then place them in the appropriate drawer. Dirty? Then they are placed in the basket, not kicked under the bed. Toys have a particular destination based on their type, size, etc.

Companies (should) have categories for their information so associates understand how to handle it. Handling information appropriately maintains the integrity of and reduces risk to the company. This is the thought I want you to carry with you as you approach any information classification policy.

Information classification is not about technologies (DLP (Data Loss Prevention/Protection) vendors often cringe when I say this). It’s about an education and awareness initiative that informs associates how to handle information. It is ultimately the person handling the information (often referred to as a “data owner”) that has the most knowledge about its content and is best able to make the informed decision about its treatment.  That doesn’t mean that technology doesn’t have a place in your program.  As an enforcement and reporting mechanism, it can serve a distinct purpose.  I’ll address DLP in another post.

While companies are required to be compliant with many regulations (GLBA, HIPAA, SOX) and have programs that subscribe to methodologies or frameworks (Six Sigma, ITIL, ISO), no single entity will provide comprehensive oversight of all the areas where we create, manage or distribute information. Therefore it is incumbent upon us, with those constraints in mind, to create a policy that supports them and is applicable to our information.

Generally speaking, there are four classes of data:

Public or Unclassified Information

This type of data can be made public without consequence to a user or the company.  The integrity of this information is not vital.

Internal Use Only or Restricted Information

Access to this type of information should generally be prevented; however, if it became public, the consequences are not critical. Internal access is selective. Data integrity is important but not vital.

Confidential or Classified

Data in this class is confidential within the company and protected from external access. If such data were to be accessed by unauthorized persons, it could influence the company’s operational effectiveness, cause financial loss, provide a significant gain to a competitor or cause a major drop in customer confidence. Data integrity is vital.

Proprietary or Secret

Unauthorized external or internal access to this data has critical consequences for the company. Data integrity is vital. The number of people with access to this data is very small. Very strict rules must be adhered to in the usage of this data.  This is usually your “secret sauce”.  If this isn’t protected, things like “New Coke” can happen.

Top Secret

Unless you are working for a government agency or watching a movie, this often doesn’t come into play, but I’d be remiss not to bring it up. Most definitions of Top Secret include words like “grave”, “exceptionally grave” and “really really really bad” in reference to the consequences of disclosure.  It’s good to know this exists.  If you are in a job where this is necessary, you already know, and this blog isn’t telling you something you don’t already know…. I hope…

Wash.  Rinse.  Repeat.  (Remember, it’s a process)

When my daughter gets frustrated because her three-year-old sister took books out and didn’t put them back, I know that we are making progress. As you begin to use information classification in practice, it will become intuitive to you in your daily work. You’ll know exactly how to handle information as easily as you know what belongs in the trash and what should be placed on the bookshelf.