Image by recursion_see_recursion via Flickr
Toys. Clothes. Books. Trash.
These four simple categories were assigned to items to assist my six-year-old daughter in understanding how to clean and organize her room. In doing so, we’ve intuitively classified each area’s importance.
Trash hopefully has an obvious classification to her. We don’t care much about what kind of trash it is or where it ends up as long as it’s in a trash can.
Books are on the other end of the spectrum from trash. We teach that they are to be respected and cared for. They have a particular place on her shelves and should always go there. In the scope of my daughter’s room, this holds the highest level of classification.
Clothes and toys, each independent of each other, are items that further decisions may need to be made about before an action is taken. Are the clothes clean? Then place them in the appropriate drawer. Dirty? Then they are placed in the basket, not kicked under the bed. Toys have a particular destination based on their type, size, etc.
Companies (should) have categories for their information so associates understand how to handle it. Handling information appropriately maintains the integrity of and reduces risk to the company. This is the thought I want you to carry with you as you approach any information classification policy.
Information classification is not about technologies (DLP (Data Loss Prevention/Protection) vendors often cringe when I say this). It’s about an education and awareness initiative that informs associates how to handle information. It is ultimately the person handling the information (often referred to as a “data owner”) that has the most knowledge about its content and is best able to make the informed decision about its treatment. That doesn’t mean that technology doesn’t have a place in your program. As an enforcement and reporting mechanism, it can serve a distinct purpose. I’ll address DLP in another post.
While companies are required to be compliant with many regulations (GLBA, HIPPA, SOX) and have programs that subscribe to methodologies or frameworks (Six Sigma, ITIL, ISO ), no entity will provide comprehensive oversight to all the areas where we create, manage or distribute information. Therefore it is incumbent upon us to, with those constraints in mind, to create a policy that supports them and is applicable to our information.
Generally speaking, there are typically four classes of data:
Public or Unclassified Information
This type of data can be made public without consequence to a user or the company. The integrity of this information is not vital.
Internal Use Only or Restricted Information
Access to this type of information should generally be prevented; however, if it became public, the consequences are not critical. Internal access is selective. Data integrity is important but not vital.
Confidential or Classified
Data in this class is confidential within the company and protected from external access. If such data were to be accessed by unauthorized persons, it could influence the company’s operational effectiveness, cause financial loss, provide a significant gain to a competitor or cause a major drop in customer confidence. Data integrity is vital.
Proprietary or Secret
Unauthorized external or internal access to this data is critical to the company. Data integrity is vital. The number of people with access to this data is very small. Very strict rules must be adhered to in the usage of this data. This is usually your “secret sauce”. If this isn’t protected, things like “New Coke” can happen.
Unless you are working for a government agency or watching a movie, this often doesn’t come into play, but I’d be remiss not to bring it up. Most definitions of Top Secret include works like “grave” “exceptionally grave” “really really really bad” in reference to the consequences of disclosure. It’s good to know this exists. If you are in a job where this is necessary, you already know and this blog isn’t telling you something you don’t already know…. I hope…
Wash. Rinse. Repeat. (Remember, it’s a process)
When my daughter gets frustrated because her three-year-old sister took books out and didn’t put them back, I know that we are making progress. As you begin to use information classification in practice, it will become intuitive to you in your daily work. You’ll know exactly how to handle information as easily as you know what belongs in the trash and what should be placed on the bookshelf.