It doesn’t really matter where you live in the world, the chances are that your country has been hit by some high profile data loss scandal during the course of the last year or so. Everything from retail operations such as TJ Maxx losing the odd 40 million or so customer credit card details to a clever hacker right through to the UK Government literally losing personal and financial data about 25 million people when two discs containing a social security benefits database went missing in the post. The common thread is that there is a need for better information classification, and a consequent implementation of data protection measures based on the level of sensitivity and confidentiality that classification demands, according to the Information Security Forum (ISF).
In its latest report, the ISF suggests that because many existing approaches to information classification are overly complex they rarely deliver business benefits and are often simply ignored. "Traditional Information classification is characterised by the 'Top Secret' rubber stamp in James Bond films," says Nick Frost, the report's author and senior research consultant at the ISF. "Today, information exists in many different forms, from paper documents and verbal communications to the masses of electronic data stored, transmitted and processed. While introducing an effective enterprise wide scheme is daunting, organisations can no longer afford to ignore its importance if further embarrassing data loses are to be avoided." Information classification requires a consistent process to determine the level of confidentiality of a piece of information; the development of techniques for communicating the level of classification; and the practical implementation of measures to protect information accordingly.
According to the report the benefits of successful Information Classification are considerable, by ensuring that information is adequately protected good information classification helps to prevent over- or under-engineering of controls, so reducing potential operational overspend and unnecessary drains on resources. It can also help to enforce better access control policies and be used to demonstrate compliance for legislation such as Data Protection and Privacy along with regulations including HIPAA and Gramm-Leach Bliley.
The report highlights that to achieve these levels of success requires participation across an organisation from HR and Legal to IT and Audit, along with Board level support. "Having senior managers with a shared strategic vision and understanding of information classification and the value it can deliver is critical to overcome budgetary and organisational issues," says the ISF's Nick Frost: "It is also vital to run a successful pilot project to show a 'quick win' to demonstrate the benefits."