One of the responsibilities assigned to me in my current position is the development and implementation of a comprehensive information security policy. In line with the premise that what you do not know about, you cannot protect, I started with drafting an information classification policy.
In researching that policy at other organizations, most of the examples that I found focused on the well-known categories: public, sensitive, and confidential, or variations on that theme.
However, information security is commonly defined as establishing and maintaining appropriate levels of confidentiality, integrity and availability, and just using the classifications mentioned above seems to focus exclusively on the confidentiality aspect.
Security classifications are typically associated with Mandatory Access Control (MAC),
which assigns security labels to objects, and requires subjects to have
certain clearances. For example, when a subject has a clearance of
'Secret', he is allowed to "do stuff" with all objects that are
classified Secret or lower.
This model is called the Bell-LaPadula model (BLP). BLP has two main rules:
- The Simple Security Property; a subject at a given security level may not read any objects that are assigned a higher security level. In other words, John may not read objects classified as 'Top Secret' if his clearance
- The Star Property; a subject may not write to any level that is lower than his clearance. In other words, if John's clearance is 'Secret', all his writing will be classified as 'Secret' or higher. This prevents John from copying 'Secret' documentation and re-publishing it as 'Public'.

The integrity counterpart of BLP (the Biba model) applies the same idea to integrity levels, with the rules mirrored:
- Simple security property; a subject may not read an object at a lower integrity level, and
- a subject may not write to an object of a higher security level.
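As an added example that is not part of the original post, the following Python snippet encodes both rule sets as a small reference monitor, so the "no read up / no write down" and "no read down / no write up" rules can be checked against concrete labels. The level names, John's label and the two sample objects are constructed for illustration.

```python
# Added example: a minimal reference monitor for the BLP and Biba rules above.
# Level names, the sample subject and the sample objects are constructed.
from dataclasses import dataclass

# Ordered lattices: the index grows with sensitivity / trustworthiness.
SECRECY = ["Public", "Confidential", "Secret", "Top Secret"]
INTEGRITY = ["Low", "Medium", "High"]

@dataclass(frozen=True)
class Label:
    secrecy: str      # BLP clearance (subject) or classification (object)
    integrity: str    # Biba integrity level

def _rank(lattice, level):
    if level not in lattice:
        raise ValueError(f"unknown level {level!r}")
    return lattice.index(level)

def blp_allows(subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (star)."""
    s, o = _rank(SECRECY, subject.secrecy), _rank(SECRECY, obj.secrecy)
    if action == "read":
        return s >= o          # clearance must dominate the classification
    if action == "write":
        return o >= s          # writes may only go to the same level or higher
    raise ValueError(f"unknown action {action!r}")

def biba_allows(subject: Label, obj: Label, action: str) -> bool:
    """Biba: no read down (simple integrity), no write up (star integrity)."""
    s, o = _rank(INTEGRITY, subject.integrity), _rank(INTEGRITY, obj.integrity)
    if action == "read":
        return o >= s          # only read data at least as trustworthy as yourself
    if action == "write":
        return s >= o          # only write where you are at least as trustworthy
    raise ValueError(f"unknown action {action!r}")

def allows(subject, obj, action):
    """Both models must agree; a deny from either one is a deny."""
    return blp_allows(subject, obj, action) and biba_allows(subject, obj, action)

# Constructed sample: John is cleared 'Secret' and is a high-integrity subject.
JOHN = Label("Secret", "High")
TOP_SECRET_MEMO = Label("Top Secret", "High")
PUBLIC_PAGE = Label("Public", "Low")

if __name__ == "__main__":
    for name, obj in [("top-secret memo", TOP_SECRET_MEMO), ("public page", PUBLIC_PAGE)]:
        for action in ("read", "write"):
            print(f"John {action} {name}: {'allow' if allows(JOHN, obj, action) else 'deny'}")
```

Note that BLP alone lets John write the top-secret memo (a blind write-up), which is exactly why the integrity rules are needed alongside it.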
As logical as these models sound, it is very hard to implement them in
a non-military organization, especially if that organization is an
academic institution. Current legislation only complicates things further.
For example, the payment card industry's data security standard (PCI DSS) focuses predominantly on maintaining confidentiality of card holder data. HIPAA focuses on securing access to medical records. The State Department regulates access to passport records.
Although most of these measures are meant to protect the integrity as well as
the confidentiality of the information in question, the emphasis is
generally placed on the latter.
Another common pitfall with
information classification schemes is that they are often very complex.
There are multiple schemes and multiple levels. Each scheme and each
level comes with its own requirements and guidelines.
When I started developing my current data classification policy, my goal was to stay pragmatic and keep it simple yet effective. After a number of iterations, I came up with the following recipe:
- Identify chunks of information
- Assign a formal owner to each chunk
- For each chunk, work with the owner to classify the information in terms of
  - Required level of Confidentiality
  - Required level of Integrity
  - Required level of Availability
How large is a chunk? As any good business person would say, the answer is always "That
depends". A chunk must be big enough to be meaningful, yet small enough
to be consistent. How large that is depends on the context.
How do you ensure that not everyone classifies all their data as HHH?
Simple: assign a cost to it. Remember, each level will be associated with
required controls, and those controls will have costs associated with them.
So far, the feedback that I have been getting is very good. Once the scheme was properly
explained, I was pleasantly surprised at how realistic people are with
regard to the information that they 'own'. Classifications of LLL or
NNL are not unusual.
Update: the references to Wikipedia included in this post should not be considered authoritative, or even correct. They merely serve the purpose of illustrating the models 'at a glance'. For in-depth reading, please consult the original publications.