Thursday, November 17, 2022

Information Classification and Labelling Policy

An organization shall define its Information Classification and Labeling Policy.

For example,

"All business information shall be classified and labeled based on the business requirement and sensitivity of the information as 'Strictly Confidential', 'Confidential', 'Internal Use Only' or 'Public'."

Information Classification

The classification level shall be defined by the relevant information owner in terms of the information's value, legal requirements, sensitivity, and criticality to the organization, using one of the classification levels defined under the information classification standards (e.g. Confidential, Internal Use Only, or Public).

The information owner shall reclassify information once the defined classification level no longer applies to the information.


Information Labeling

The Information Owner or Information Custodian shall label information immediately after creating it, according to its classification level.

The Head of the Business Unit shall be responsible for ensuring that the section's documents (in any format, paper-based or electronic) are clearly labeled with their classification.

All unlabeled information shall be considered “Confidential” until it is classified under the appropriate category.

All superseded, unused or obsolete versions of documents shall be clearly marked "OBSOLETE" to avoid their being referenced or used by mistake.

The label shall comprise the following basic fields and shall be clearly visible:

  • Name and Section of the Owner
  • Date of preparation
  • Expiry date
  • Archival period
  • Classification Personal

Business Units may include additional details beyond the above.

Sensitive information shall not be included in the label content, since the label is visible and would expose confidential or internal-use information.

A sample classification can be as follows:

Wednesday, November 16, 2022

Information Classification

There is an increasing need for businesses to protect their customer and financial information for a variety of reasons. It makes good business sense to categorize corporate information based on business risk and data value. Not all information has the same value or application, or is subject to the same types of risks. Therefore, protection mechanisms, recovery processes etc. are different.

The goal of information classification is to reduce the cost of data protection while also improving the overall quality of corporate decision-making by ensuring a higher quality of data/information on which decision-makers rely. The increasing complexity of information and technological sophistication make classification difficult, but information can be protected through mechanisms such as information security policies and risk analysis.

Why Information Classification?

  • Legal Obligations, industry and customer expectations.
  • Formally documenting information sources and the individuals who are responsible for their protection provides a framework to ensure that the right people are involved in the provisioning process.
  • The company can reduce most of its information protection cost, as protection mechanisms can be designed and implemented where they are needed most and less costly controls can be put in place for non-critical information.
  • Implementing an information classification system exemplifies an organization’s commitment to protecting customer information while strategically this could provide a competitive advantage over companies who have not considered information protection seriously.
  • Provides a realistic yardstick against which to measure company compliance and gives employees more clearly defined goals to work towards.

How to conduct Information Classification?

Identify all information sources that need to be protected

Create a high-level description of the company's information sources, where the data resides, existing security measures, information owners, information custodians responsible for maintaining the information, end users, and resource type.

Identify information protection measures that map to information Classification Levels

Information protection goals can be obtained from various sources such as the company's Information Security Policy. Information may also come from technical support teams, information custodians, business champions, and managers. There may also be regulatory and legal requirements to consider.

Individual versus role-based access, multiple levels of authorization and authentication, system backup, redundancy, disposal methods, data retention periods and disaster recovery are examples of information protection measures.

Identification of Information Classification Levels

Information Classification Levels should convey the protection goals being addressed.

All business information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization by the relevant information owner into one of the four classification levels (Strictly Confidential, Confidential, Internal Use Only, Public) defined in the Company information classification standards.

Map information protection measures to information Classification Levels

Before information can be classified, the protection measures must be mapped to the information Classification Levels to reflect company protection goals.

Information Classifying and Labeling

In this step, the classification levels and protection measures must be applied to the sources. The main objective is to validate that the protection measures associated with the classification are appropriate for the information source.
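As an added example that is not part of the original posts, the following script applies the labeling rules from the policy above (required label fields, unlabeled information treated as Confidential, OBSOLETE marking) and the final classification step (checking that each source's protection measures match its level). The mapping of measures to levels and the sample inventory are constructed assumptions for illustration, not the company's own standard.

```python
from dataclasses import dataclass

LEVELS = ("Strictly Confidential", "Confidential", "Internal Use Only", "Public")
REQUIRED_LABEL_FIELDS = ("owner", "section", "prepared", "expires",
                         "archival_period", "classification")
# Assumed mapping of protection measures to levels (illustrative, not the post's own).
REQUIRED_MEASURES = {
    "Strictly Confidential": {"role_based_access", "mfa", "backup", "redundancy",
                              "secure_disposal", "retention", "dr"},
    "Confidential": {"role_based_access", "backup", "secure_disposal", "retention"},
    "Internal Use Only": {"role_based_access", "backup", "retention"},
    "Public": set(),
}

@dataclass
class InfoSource:
    name: str
    label: dict      # label fields actually present on the document
    measures: set    # protection measures actually in place
    obsolete: bool = False

def effective_level(src: InfoSource) -> str:
    """Unlabeled (or unknown-level) information is treated as Confidential."""
    lvl = src.label.get("classification")
    return lvl if lvl in LEVELS else "Confidential"

def review(src: InfoSource) -> list:
    """Return policy findings for one source; an empty list means compliant."""
    findings = []
    if src.obsolete and "OBSOLETE" not in src.label.get("marking", ""):
        findings.append("obsolete document not marked OBSOLETE")
    missing = [f for f in REQUIRED_LABEL_FIELDS if not src.label.get(f)]
    if missing:
        findings.append("label missing fields: " + ", ".join(missing))
    gaps = REQUIRED_MEASURES[effective_level(src)] - src.measures
    if gaps:
        findings.append("protection gaps: " + ", ".join(sorted(gaps)))
    return findings

# Constructed sample inventory for illustration.
FULL = {"owner": "J. Doe", "section": "Finance", "prepared": "2022-11-01",
        "expires": "2023-11-01", "archival_period": "7y"}
INVENTORY = [
    InfoSource("customer-ledger.xlsx", {**FULL, "classification": "Confidential"},
               {"role_based_access", "backup"}),
    InfoSource("draft-memo.docx", {"owner": "J. Doe"}, {"role_based_access", "backup"}),
    InfoSource("press-release-2021.pdf", {**FULL, "classification": "Public"}, set(), obsolete=True),
]
```

Running `review` over each entry of `INVENTORY` reports the missing label fields, the unmarked obsolete document, and the control gaps for the ledger and the unlabeled draft (which defaults to Confidential).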




Tuesday, November 15, 2022

End-Point Security

What is End-Point Security?

Endpoint security is the process of protecting computers, laptops, mobile phones, and tablets from cyberattacks and malicious threats.

Endpoint security software allows businesses to protect employees' work devices from cyber threats, whether they are on a network or in the cloud.

Given the sheer number of endpoints used to connect to networks, they are one of the most common targets. According to Strategy Analytics insight, there were 22 billion connected devices in 2018, with 38.6 billion devices expected by 2025 and 50 billion devices expected by 2030. Correspondingly, according to Verizon's threat report, malware was installed on endpoints in up to 30% of data breaches.

The Human Element – It means “You” and “Me”!!! 

Employees have a critical role to play in cybersecurity. In fact, a compelling report published in 2022 by the World Economic Forum linked 95 percent of data breaches to human error. Common errors include being duped by phishing attacks, downloading malware, not updating apps, oversharing information on social media, and practicing poor password hygiene. These types of errors happen both in a business and personal context, so awareness at all times is regarded as increasingly important.

Endpoints Create Larger Attack Surfaces

Digital transformation strategies have widened the potential attack surface in IT environments and have led to increased data security risks. The hybrid work arrangements that have become the norm since the pandemic further increase the attack surface as employees connect to business resources and apps from multiple devices, including their mobile devices. Threat actors prize sensitive customer data when conducting cyber-attacks because this valuable information commands a high price on dark web marketplaces. Ransomware attacks often involve a data exfiltration component because threat actors believe they can hold organizations to ransom with the threat of publishing stolen information.

Privacy

Increased recognition of privacy risks led to an increase in new compliance regulations and the strengthening of existing laws over the last few years. Organizations need to ensure compliance with these laws to protect sensitive data belonging to their customers. Falling foul of these laws by not implementing appropriate security measures leads to severe reputational and monetary risks. At an individual level, societal technology changes pose increased “online” privacy risks. As more services become digitized, app-based, and interconnected, individuals need to share more of their information with different parties.

How to Protect the Endpoints

Prevent data loss where it happens most!!!

If we were to focus on the sensational information coming from the media, it would be easy to believe that the number one reason for data loss is cyberattacks performed by skilled, professional black-hat hackers. This, however, is far from the truth!!! Most data breaches are the result of human error, not malicious activities. Therefore, User Awareness is a must when it comes to endpoint security as well. 