Classify Information and Supporting Assets for Asset Security - dummies

Classify Information and Supporting Assets for Asset Security

By Lawrence C. Miller, Peter H. Gregory

Information and data, in all their various forms, are valuable business assets that require security. As with other, more tangible assets, the information’s value determines the level of protection required by the organization.

A data classification scheme helps an organization assign a value to its information assets based on its sensitivity to loss or disclosure and its criticality to the organization’s mission or purpose, and helps the organization determine the appropriate level of protection. Additionally, data classification schemes may be required for regulatory or other legal compliance.

Applying a single protection standard uniformly across all of an organization’s assets is neither practical nor desirable: any one standard either over-protects non-critical data or under-protects critical data.

An organization’s employees also need to understand the classification schema being used, how to classify information assets, handling and safeguarding requirements, and proper destruction or disposal procedures.

Commercial data classification

Commercial data classification schemes are typically implemented to protect information that has a monetary value, to comply with applicable laws and protect privacy, and to limit liability. Criteria by which commercial data is classified include

  • Value: The most common classification criterion in commercial organizations. It’s based on the information’s monetary value or some other business value to the organization.
  • Age/useful life: Information that loses value over time, becomes obsolete or irrelevant, or becomes common/public knowledge is classified this way.
  • Regulatory requirements: Private information, such as medical records subject to HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act) regulations and educational records subject to the Privacy Act, may have legal requirements for protection. Classification of such information may be based not only on compliance but also on liability limits.

Descriptive labels are often applied to company information, such as Confidential and Proprietary and Internal Use Only. However, the organizational requirements for protecting information labeled as such are often not formally defined. Organizations should formally identify standard classification levels as well as specific requirements for labeling, handling, storage, and destruction/disposal.
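The following is an added example, not code from the book or its authors, showing how the three commercial criteria above (value, age/useful life, regulatory requirements) can be combined into a single classification decision that then drives labeling, storage, and disposal requirements. The level names, value thresholds, regulatory floors, and handling rules are constructed for illustration; a real organization takes them from its own policy.

```python
"""Added example: a small commercial data classification engine.

All level names, thresholds and handling rules below are constructed for
illustration and are not from the original text.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Ordered classification levels, lowest to highest (constructed labels).
LEVELS = ["Public", "Internal Use Only", "Confidential", "Restricted"]

# Handling requirements per level: labeling, storage and disposal (constructed policy).
HANDLING = {
    "Public":            {"label": False, "encrypt_at_rest": False, "disposal": "recycle"},
    "Internal Use Only": {"label": True,  "encrypt_at_rest": False, "disposal": "shred"},
    "Confidential":      {"label": True,  "encrypt_at_rest": True,  "disposal": "shred"},
    "Restricted":        {"label": True,  "encrypt_at_rest": True,  "disposal": "certified destruction"},
}

# Regulatory tags that impose a minimum level regardless of monetary value
# (constructed mapping; which regulation maps to which level is a policy choice).
REGULATORY_FLOOR = {"HIPAA": "Restricted", "HITECH": "Restricted", "PII": "Confidential"}


@dataclass
class Asset:
    name: str
    monetary_value: float              # estimated loss if the asset were disclosed
    created: date
    useful_life_days: Optional[int]    # None means the information does not expire
    regulatory_tags: set = field(default_factory=set)
    public_knowledge: bool = False     # has the content since become public?


def level_by_value(value: float) -> str:
    """Value criterion: constructed monetary thresholds."""
    if value >= 1_000_000:
        return "Restricted"
    if value >= 100_000:
        return "Confidential"
    if value > 0:
        return "Internal Use Only"
    return "Public"


def regulatory_floor(asset: Asset) -> str:
    """Regulatory criterion: the highest floor any tag imposes, or Public if none."""
    floors = (REGULATORY_FLOOR[t] for t in asset.regulatory_tags if t in REGULATORY_FLOOR)
    return max(floors, key=LEVELS.index, default="Public")


def classify(asset: Asset, today: date) -> str:
    """Combine the criteria: take the highest level any criterion demands,
    then let age/useful life or public disclosure lower the value-based level.
    Regulatory floors survive aging: a medical record does not become public
    knowledge because it is old."""
    level = max([level_by_value(asset.monetary_value), regulatory_floor(asset)],
                key=LEVELS.index)
    expired = (asset.useful_life_days is not None and
               today > asset.created + timedelta(days=asset.useful_life_days))
    if expired or asset.public_knowledge:
        level = regulatory_floor(asset)
    return level


def handling_requirements(level: str) -> dict:
    """Translate the label into the concrete protection requirements."""
    return HANDLING[level]


if __name__ == "__main__":
    forecast = Asset("Q3 earnings forecast", 5_000_000, date(2024, 1, 1), useful_life_days=90)
    records = Asset("patient records", 50_000, date(2020, 6, 1), None, {"HIPAA"})
    for asset in (forecast, records):
        lvl = classify(asset, date(2024, 2, 1))
        print(asset.name, "->", lvl, handling_requirements(lvl))
```

The `max(..., key=LEVELS.index)` idiom is the point of the example: each criterion produces a candidate level and the asset takes the most restrictive one, so compliance obligations are never lost to a low monetary estimate, while time-limited business value can still be released once its useful life has passed.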

Government data classification

Government data classification schemes are generally implemented to

  • Protect national interests or security.
  • Comply with applicable laws.
  • Protect privacy.

One of the more common systems, used within the U.S. Department of Defense (DoD), consists of five broad categories for information classification: Unclassified, Sensitive but Unclassified (SBU), Confidential, Secret, and Top Secret.

Within each classification level, certain safeguards are required in the use, handling, reproduction, transport, and destruction of Defense Department information. In addition to holding a clearance at or above the level of the information being processed, an individual must have a need to know before being granted access. An individual has a need to know when the information is required to perform an assigned job function.

Unclassified

The lowest government data classification level is Unclassified. Unclassified information isn’t sensitive, and unauthorized disclosure won’t cause any harm to national security. Unclassified information may include information that was once classified at a higher level but has since been declassified by an appropriate authority. Unclassified information isn’t automatically releasable to the public and may include additional modifiers such as For Official Use Only or For Internal Use Only.

Sensitive but Unclassified (SBU)

Sensitive but Unclassified information is a common modifier of unclassified information. It generally includes information of a private or personal nature. Examples include test questions, disciplinary proceedings, and medical records.

Confidential

Confidential information is information that, if compromised, could cause damage to national security. Confidential information is the lowest level of classified government information.

Secret

Secret information is information that, if compromised, could cause serious damage to national security. Secret information must normally be accounted for throughout its life cycle, all the way to its destruction.

Top Secret

Top Secret information is information that, if compromised, could cause grave damage to national security. Top Secret information may require additional safeguards, such as special designations and handling restrictions.

An individual must have the appropriate clearance level and need-to-know for access to classified information.
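As an added example (not code from the book or its authors), the access rule stated in this section, clearance at or above the information's level and a need to know, is written out as a decision function over the five DoD levels, together with the lifecycle-accounting and public-release points made above. Modeling need to know as an overlap between a person's assigned job functions and the job functions the document supports is an assumption made for this example, as are the sample subjects and documents.

```python
"""Added example: enforcing clearance-plus-need-to-know over the five levels
named in the text. Subjects, documents and the job-function model of
need to know are constructed for illustration.
"""
from dataclasses import dataclass

# The five categories in the order given in the text, lowest to highest.
LEVELS = ["Unclassified", "Sensitive but Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Document:
    title: str
    level: str
    job_functions: frozenset            # functions for which this information is required
    modifiers: frozenset = frozenset()  # e.g. "For Official Use Only" on Unclassified material


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    job_functions: frozenset            # assigned duties (assumption: basis of need to know)


def dominates(clearance: str, level: str) -> bool:
    """Clearance is sufficient only when it is at or above the document's level."""
    return RANK[clearance] >= RANK[level]


def has_need_to_know(subject: Subject, doc: Document) -> bool:
    """Need to know: the subject performs a job function the document serves."""
    return bool(subject.job_functions & doc.job_functions)


def may_access(subject: Subject, doc: Document) -> tuple:
    """Both conditions must hold; a Top Secret clearance alone grants nothing.
    Returns (decision, reason) so the reason can be written to an audit log."""
    if not dominates(subject.clearance, doc.level):
        return False, "clearance below classification level"
    if not has_need_to_know(subject, doc):
        return False, "no need to know"
    return True, "access granted"


def accounting_required(doc: Document) -> bool:
    """Secret information must be accounted for through its destruction; the
    text says nothing weaker for Top Secret, so the rule is applied at Secret and above."""
    return RANK[doc.level] >= RANK["Secret"]


def releasable_to_public(doc: Document) -> bool:
    """Unclassified is not automatically public: a modifier such as
    For Official Use Only withholds it."""
    return doc.level == "Unclassified" and not doc.modifiers


def declassify(doc: Document, authority: Subject) -> Document:
    """Declassification by an appropriate authority: here, an authority is assumed
    to need a clearance at or above the document's current level."""
    if not dominates(authority.clearance, doc.level):
        raise PermissionError("authority lacks clearance to declassify this document")
    return Document(doc.title, "Unclassified", doc.job_functions, doc.modifiers)


if __name__ == "__main__":
    plan = Document("logistics plan", "Secret", frozenset({"logistics"}))
    analyst = Subject("analyst", "Secret", frozenset({"logistics"}))
    auditor = Subject("auditor", "Top Secret", frozenset({"finance"}))
    for who in (analyst, auditor):
        print(who.name, may_access(who, plan))
```

The function returns a reason alongside the decision so that denials are explainable in an audit trail; in practice the two checks are also kept separate so that a policy change to one (for instance, reassigning job functions) cannot silently weaken the other.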