Welcome to this, the sixth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to the ISO 17799 information security standard.
The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.
DATA CLASSIFICATION CRITERIA
An important task for the Information Security Manager (or the person who is assigned these duties) is to establish a system to classify the organization's data with respect to its level of confidentiality/importance.
It is advisable to restrict the number of classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult. For those currently without a structure, we suggest a five point system:
- Public Documents: Information in the public domain: annual reports, press statements etc. which have been approved for public use. Security at this level is minimal.
- Internal Use Only: Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility. Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.
- Proprietary: Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for use by authorized personnel only. Security at this level is high.
- Highly Confidential: Information that is considered critical to the organization's on-going operations and could seriously impede them if made public or shared internally. Such information includes business plans, accounting information, the sensitive information of customers of banks, solicitors, or accountants etc.; patients' medical records, and similar very sensitive data. Such information should not be copied or removed from the organization's operational control without specific authority. Security should be very high.
- Top Secret: Highly sensitive internal documents. For example: impending mergers or acquisitions; investment strategies; plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
Care should always be applied regarding a user's tendency to over classify their own work. It can sometimes be erroneously surmised that the classification level assigned to a user's work can reflect directly on the individual's own level of importance within the organization.