Wednesday, November 16, 2022

Information Classification

There is an increasing need for businesses to protect their customer and financial information, for a variety of reasons. It makes good business sense to categorize corporate information based on business risk and data value. Not all information has the same value or use, or is exposed to the same types of risk, so protection mechanisms, recovery processes and so on should differ accordingly.

The goal of information classification is to reduce the cost of data protection while also improving the quality of corporate decision-making, by ensuring that decision-makers can rely on data whose sensitivity and integrity requirements are known. The growing volume and complexity of information, and the technical sophistication of the systems that hold it, make classification harder, but it remains the foundation on which mechanisms such as information security policies and risk analysis are built.

Why Information Classification?

  • Legal obligations, and industry and customer expectations.
  • Formally documenting information sources and the individuals responsible for their protection provides a framework that ensures the right people are involved in the provisioning process.
  • The company can reduce its information protection cost, because strong (and expensive) protection mechanisms are designed and implemented only where they are needed most, while less costly controls are applied to non-critical information.
  • Implementing an information classification system demonstrates the organization's commitment to protecting customer information, and can provide a competitive advantage over companies that have not taken information protection seriously.
  • It provides a realistic yardstick against which to measure the company's compliance, and gives employees clearly defined goals to work towards.

How to conduct Information Classification?

Identify all information sources that need to be protected

Create a high-level description of the company's information sources, where the data resides, existing security measures, information owners, information custodians responsible for maintaining the information, end users, and resource type.

Identify information protection measures that map to information Classification Levels

Information protection goals can be obtained from various sources, such as the company's Information Security Policy. Input may also come from technical support teams, information custodians, business champions, and managers. Regulatory and legal requirements must also be considered.

Individual versus role-based access, different levels of authentication and authorization, system backup, redundancy, disposal methods, data retention periods and disaster recovery are examples of information protection measures.

Identification of Information Classification Levels

Information Classification Levels should convey the protection goals being addressed.

All business information shall be classified by the relevant information owner, in terms of its value, legal requirements, sensitivity, and criticality to the organization, into one of the four classification levels (Strictly Confidential, Confidential, Internal Use Only, Public) defined in the company's information classification standard.

Map information protection measures to information Classification Levels

Before information can be classified, each protection measure must be mapped to the Classification Level (or levels) that requires it, so that the mapping reflects the company's protection goals. Each level should then carry a defined minimum set of controls.

Information Classifying and Labeling

In this step, the classification levels and their associated protection measures are applied to the information sources identified earlier, and each source is labelled with its level. The main objective is to validate that the protection measures actually in place for each source match the minimum required for its classification, and to record any gaps for the information owner and custodian to address.
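The four steps above (inventory the sources, define the levels, map controls to levels, then validate each labelled source) can be turned into a simple consistency check. The following Python is an added example and is not part of the original post or of any company's standard: the asset records, the control names and the minimum-control mapping are constructed assumptions chosen to illustrate the procedure.

```python
"""
Added example: validate an information-asset inventory against a
classification-to-controls mapping.

Assumptions (not from the post): the control names, the per-level minimum
controls in REQUIRED_CONTROLS, and the sample inventory are all constructed
for illustration.
"""
from dataclasses import dataclass, field

# The four classification levels named in the post, lowest to highest.
LEVELS = ("Public", "Internal Use Only", "Confidential", "Strictly Confidential")

# Assumed minimum protection measures per level. Each higher level includes
# everything required at the level below it, which is how such a standard is
# normally written so that a stricter label never weakens protection.
REQUIRED_CONTROLS = {
    "Public": set(),
    "Internal Use Only": {"authentication"},
    "Confidential": {
        "authentication", "role_based_access", "backup",
        "retention_period", "secure_disposal",
    },
    "Strictly Confidential": {
        "authentication", "role_based_access", "backup",
        "retention_period", "secure_disposal",
        "mfa", "encryption_at_rest", "disaster_recovery",
    },
}


@dataclass
class Asset:
    """One row of the high-level inventory described in the first step."""
    name: str
    location: str        # where the data resides
    owner: str           # accountable for classifying the information
    custodian: str       # responsible for maintaining it
    classification: str  # one of LEVELS
    controls: set = field(default_factory=set)  # measures actually in place


def validate_asset(asset):
    """Return a list of findings for one asset (empty when it is compliant)."""
    findings = []
    if asset.classification not in REQUIRED_CONTROLS:
        # A label outside the standard cannot be mapped to any controls.
        findings.append(f"unknown classification {asset.classification!r}")
        return findings
    if not asset.owner:
        findings.append("no information owner assigned")
    if not asset.custodian:
        findings.append("no custodian assigned")
    missing = REQUIRED_CONTROLS[asset.classification] - asset.controls
    for control in sorted(missing):
        findings.append(f"missing required control {control!r}")
    return findings


def validate_inventory(assets):
    """Map asset name -> findings, listing only assets with at least one gap."""
    report = {}
    for asset in assets:
        findings = validate_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory (hypothetical systems and roles).
SAMPLE_INVENTORY = [
    Asset("customer-pii-db", "db01.internal", "Head of CRM", "DBA team",
          "Strictly Confidential",
          {"authentication", "role_based_access", "backup", "retention_period",
           "secure_disposal", "mfa", "encryption_at_rest", "disaster_recovery"}),
    Asset("quarterly-financials", "fileshare/finance", "CFO", "IT ops",
          "Confidential", {"authentication", "backup"}),
    Asset("marketing-site", "cdn", "Marketing lead", "Web team", "Public", set()),
    # Label not defined in the standard, and no owner recorded.
    Asset("hr-records", "hris-saas", "", "HR ops", "Secret", {"authentication"}),
]

if __name__ == "__main__":
    for name, findings in validate_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script reports only the two non-compliant assets: the financial share is labelled Confidential but lacks role-based access, a retention period and secure disposal, and the HR system carries a label that does not exist in the standard, so no controls can be derived for it at all. Assets that meet or exceed their minimum are not listed, which keeps the report focused on what the owner and custodian need to fix.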
