Securely Classifying, Labelling and Handling Information
Everyone has probably watched a movie where someone says something along the lines of “I am afraid I can’t tell you, as that information is classified”. This article looks at how information classification can help us understand the value and sensitivity of information and how the information should be handled and protected.
Information in your company will vary greatly in both sensitivity and value. For example, information relating to an undisclosed merger with a direct competitor is far more sensitive and valuable than a company press release about a new product.
As a result, information classification is used to help identify these different levels of sensitivity and value. Each classification level dictates how information at that level should be protected and handled. All information should be protected according to its classification level whether at rest or in transit.
All information should have an owner and the owner is responsible for ensuring the information they own is appropriately classified.
Common Information Classification Levels
A commonly used classification structure with four levels follows.

Level 1: Secret
- Extremely sensitive and of the highest value to the company
- Unauthorized access or disclosure would be critically damaging to the company
- Access should be limited to a very small number of named and authorized individuals
- Examples: passwords, medical records, firewall configurations and details of impending mergers or acquisitions

Level 2: Confidential
- Sensitive and confidential within the company
- Unauthorized access or disclosure would affect the company’s ongoing operations
- Access should be limited to those with a legitimate business need
- Examples: salaries, contracts, personal identity data and customer account numbers

Level 3: Internal use (non-sensitive)
- Non-sensitive and used for day-to-day operations within the company
- Unauthorized access or disclosure would be an inconvenience, but not critical
- Access should be limited to workers within the company
- Examples: company worker directory, internal communications or emails, project plans and meeting minutes

Level 4: Public
- Non-sensitive and can be made publicly available
- Unauthorized access or disclosure would not be an issue
- Access does not need to be limited
- Examples: press releases, product brochures and annual reports
Labelling and Handling Information
Once classified, information must be labelled and handled in accordance with its classification level. The following guidance outlines minimum controls for how sensitive information (i.e. Secret or Confidential in the scheme above) should be labelled, stored, transferred and disposed of. Your company may apply tighter controls.
Labelling
- Sensitive electronic information should state the classification level within the document (e.g. in the header, footer or subject line)
- Sensitive physical information should be clearly marked with the classification level on the document

Storage
- Sensitive electronic information must be encrypted at all times when stored, and kept in an access-controlled folder or directory
- Sensitive physical information should be stored in a locked drawer or cabinet within a locked office

Transfer
- Sensitive electronic information must be encrypted at all times when emailed or otherwise transferred electronically
- Sensitive physical information should be transferred in sealed, tamper-proof packaging using a trusted courier

Disposal
- Sensitive electronic information must be securely wiped when no longer required; it is recommended that the file’s storage space be overwritten
- Sensitive physical information must be securely shredded using at least a cross-cut shredder
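As an added example (not code from the original article), a small Python check that reads the classification marker from a document's header, footer or subject line and maps it to the minimum electronic handling controls described above. The level names Internal and Public for the two non-sensitive levels, the fail-closed default for unlabelled documents and the function names are assumptions made here.

```python
import re
from dataclasses import dataclass

# Classification scheme from the article, ordered least to most sensitive.
# The article names only Secret and Confidential explicitly; "Internal" and
# "Public" are assumed names for the two non-sensitive levels.
LEVELS = ["Public", "Internal", "Confidential", "Secret"]
SENSITIVE = {"Confidential", "Secret"}

LABEL_RE = re.compile(r"\b(Public|Internal|Confidential|Secret)\b", re.IGNORECASE)


def detect_level(marking_text: str, default: str = "Confidential") -> str:
    """Return the classification marked in a document's header/footer/subject.

    Pass only the marking regions, not the body, so ordinary words such as
    "public relations" are not mistaken for a label. If several markers are
    present (e.g. a Confidential template reused for a Secret memo), the
    highest level wins. Unlabelled documents fall back to `default`, which is
    set to a sensitive level so the handling rules fail closed (an assumption
    made here, not a rule stated in the article).
    """
    found = {m.group(1).capitalize() for m in LABEL_RE.finditer(marking_text)}
    if not found:
        return default
    return max(found, key=LEVELS.index)


@dataclass(frozen=True)
class Handling:
    encrypt_at_rest: bool      # encrypted when stored
    encrypt_in_transit: bool   # encrypted when emailed or transferred
    secure_wipe: bool          # securely wiped / overwritten on disposal
    access: str                # who may access it


def required_handling(level: str) -> Handling:
    """Minimum electronic handling controls for `level`, per the article."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    sensitive = level in SENSITIVE  # Secret and Confidential get the controls
    access = {"Secret": "named individuals", "Confidential": "business need",
              "Internal": "company workers", "Public": "unrestricted"}[level]
    return Handling(sensitive, sensitive, sensitive, access)


if __name__ == "__main__":
    # Constructed sample: a subject line carrying a classification marker.
    level = detect_level("Subject: Q3 board pack - CONFIDENTIAL")
    print(level, required_handling(level))
```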