Have you classified that information?
By utnvrrv, on 16 February 2018
Why classify information?
Information should be classified so that everyone with access to it knows how it must be protected.
To protect information consistently, an organisation needs a single, organisation-wide scheme for classifying it. The scheme should tell users how each class of information is to be handled according to its requirements for confidentiality, integrity and availability; in practice, the classification assigned to a piece of information determines the baseline security controls appropriate for safeguarding it. By implementing an information classification scheme the organisation can work towards meeting its legal, statutory and ethical obligations.
Information classification also protects the interests of the organisation's stakeholders, and of the individuals about whom the organisation holds information.
Levels of information classification
Several levels of classification can be applied to information. For example, the HM Government Security Classifications policy defines three tiers, OFFICIAL, SECRET and TOP SECRET, and underpins them with four principles. Not all organisations need a scheme this stringent. Every organisation, however, should evaluate the risks it faces from inadvertent disclosure of information: reputational damage, loss of business and lawsuits among them. There is also a partnership cost: an external partner may stop sharing information with an organisation that is known to have handled shared information without appropriate controls, such as encryption.
I’ve outlined some simple steps to help you get started.
Information Management Policy and guidance
Develop an information management policy, with supporting guidance, for your organisation. It should be commensurate with the risks your organisation faces and the expectations of its stakeholders, and it must take account of the legal and regulatory requirements of the country in which the organisation operates. It also helps greatly to define, and have staff adopt, a process for classifying and handling information, so that the policy is applied the same way across the organisation.
Awareness Training
Staff should undergo awareness training so that they understand their responsibilities for the information entrusted to them. The training can be tailored to the kind of information the staff concerned actually handle. It must be carried out regularly, with refresher courses as necessary, rather than as a one-off exercise.
At UCL, we have created a classification tool to help with classifying a specific information asset. See https://opinio.ucl.ac.uk/s?s=45808
If you are from UCL, please see the UCL Information Management Policy here:
Please do contact the Information Security Group if you need more information.
References:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf