One of the responsibilities assigned to me in my current position is the development and implementation of a comprehensive information security policy. In line with the premise that what you do not know about, you cannot protect, I started with drafting an information classification policy.

In researching that policy at other organizations, most of the examples that I found focused on the well-known categories: public, sensitive, and confidential, or variations on that theme.


However, information security is commonly defined as establishing and maintaining appropriate levels of confidentiality, integrity and availability, and a classification scheme based only on the categories mentioned above addresses just the confidentiality aspect.

Security classifications are typically associated with Mandatory Access Control (MAC), which assigns security labels to objects and requires subjects to hold a clearance. For example, a subject with a clearance of 'Secret' is allowed to read all objects that are classified Secret or lower.

The best-known MAC model is the Bell-LaPadula model (BLP). BLP has two main rules:
  1. The Simple Security Property: a subject at a given security level may not read any object assigned a higher security level ("no read up"). In other words, John may not read objects classified 'Top Secret' if his clearance is 'Secret'.
  2. The Star Property (*-property): a subject may not write to any object at a level lower than his own clearance ("no write down"). In other words, if John's clearance is 'Secret', everything he writes is classified 'Secret' or higher. This prevents John from copying 'Secret' documentation and re-publishing it as 'Public'.
BLP focuses on the confidentiality of information. Another model, known as Biba, focuses on the integrity aspect of information; its rules are the mirror image of BLP's. The Biba model's rules are:
  1. The Simple Integrity Property: a subject may not read an object at a lower integrity level ("no read down"), and
  2. The Star Integrity Property (*-integrity property): a subject may not write to an object at a higher integrity level ("no write up").
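To make the two rule sets concrete, here is a small reference monitor that enforces BLP and Biba side by side. This is an added example, not code from the original post; the level names (Public/Secret/Top Secret for confidentiality, Untrusted/Verified/System for integrity), the decision to label every object with both a confidentiality and an integrity level, and the 'John' scenario are assumptions made for illustration.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access checks.

Added example for illustration; the level names and the combined
enforcement of both models on one label are assumptions, not part of
either model's original definition.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Conf(IntEnum):
    """Confidentiality levels, ordered low to high (assumed names)."""
    PUBLIC = 0
    SECRET = 1
    TOP_SECRET = 2


class Integ(IntEnum):
    """Integrity levels, ordered low to high (assumed names)."""
    UNTRUSTED = 0
    VERIFIED = 1
    SYSTEM = 2


@dataclass(frozen=True)
class Label:
    """A subject's clearance or an object's classification on both axes."""
    conf: Conf
    integ: Integ


# --- Bell-LaPadula: 'subject' is the clearance, 'obj' the object's label.
def blp_read(subject: Conf, obj: Conf) -> bool:
    """Simple Security Property: no read up."""
    return subject >= obj


def blp_write(subject: Conf, obj: Conf) -> bool:
    """*-property: no write down (blocks copying Secret into Public)."""
    return subject <= obj


# --- Biba: note the comparisons are the mirror image of BLP's.
def biba_read(subject: Integ, obj: Integ) -> bool:
    """Simple Integrity Property: no read down (don't consume untrusted input)."""
    return subject <= obj


def biba_write(subject: Integ, obj: Integ) -> bool:
    """*-integrity property: no write up (don't contaminate trusted data)."""
    return subject >= obj


def explain(subject: Label, obj: Label, op: str) -> list[str]:
    """Return the rule(s) that block the request; an empty list means allowed."""
    reasons: list[str] = []
    if op == "read":
        if not blp_read(subject.conf, obj.conf):
            reasons.append("BLP simple security: no read up")
        if not biba_read(subject.integ, obj.integ):
            reasons.append("Biba simple integrity: no read down")
    elif op == "write":
        if not blp_write(subject.conf, obj.conf):
            reasons.append("BLP *-property: no write down")
        if not biba_write(subject.integ, obj.integ):
            reasons.append("Biba *-integrity: no write up")
    else:
        raise ValueError(f"unknown operation {op!r}")
    return reasons


def allowed(subject: Label, obj: Label, op: str) -> bool:
    """Reference-monitor decision with both models enforced together."""
    return not explain(subject, obj, op)


if __name__ == "__main__":
    # Constructed scenario mirroring the post's 'John' examples.
    john = Label(Conf.SECRET, Integ.VERIFIED)
    objects = {
        "secret_memo": Label(Conf.SECRET, Integ.VERIFIED),
        "top_secret_plan": Label(Conf.TOP_SECRET, Integ.VERIFIED),
        "public_wiki": Label(Conf.PUBLIC, Integ.UNTRUSTED),
        "system_config": Label(Conf.PUBLIC, Integ.SYSTEM),
    }
    for name, obj in objects.items():
        for op in ("read", "write"):
            verdict = "ALLOW" if allowed(john, obj, op) else "DENY"
            print(f"{op:5} {name:16} {verdict}  {explain(john, obj, op)}")
```

Running the script shows the trade-off the post alludes to: once both models are enforced on the same labels, John (Secret, Verified) can neither read the low-integrity public wiki (Biba blocks the read) nor write to it (BLP blocks the write), and the only object he can both read and write is one at exactly his own level. That is a large part of why strict BLP/Biba enforcement is hard to live with outside of military settings.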
Still, as logical as these models sound, they are very hard to implement in a non-military organization, and especially in an academic institution. Current legislation only complicates things further. For example, the payment card industry's data security standard (PCI DSS) focuses predominantly on maintaining the confidentiality of cardholder data. HIPAA focuses on securing access to medical records. The State Department regulates access to passport records.

While most of these measures are meant to protect the integrity as well as the confidentiality of the information in question, the emphasis is generally placed on the latter.

Another common pitfall with information classification schemes is that they are often very complex. There are multiple schemes and multiple levels, and each scheme and each level comes with its own requirements and guidelines.

When I started developing my current data classification policy, my goal was to stay pragmatic and keep it simple yet effective. After a number of iterations, I came up with the following recipe:
  1. Identify chunks of information
  2. Assign a formal owner to each chunk
  3. For each chunk, work with the owner to classify the information in terms of
    • Required level of Confidentiality
    • Required level of Integrity
    • Required level of Availability
  4. The classification of each of these dimensions can be either Low, Normal, or High.
  5. Work with the owner to describe required controls for each of these levels.
Obviously, there are some problems here:
  1. How large is a chunk? As any good business person will tell you, the answer is "that depends". A chunk must be big enough to be meaningful, yet small enough to be classified consistently. How large that is depends on the context.
  2. How do you ensure that not everyone classifies all their data as HHH (High confidentiality, High integrity, High availability)? Simple: assign a cost to it. Remember, each level will be associated with required controls, and those controls have a cost associated with them.
So far, the feedback that I have been getting is very good. When properly explained, I was pleasantly surprised how realistic people are with regard to the information that they 'own'. Classifications of LLL or NNL are not unusual.


Update: the references to Wikipedia included in this post should not be considered authoritative, or even correct. They merely serve the purpose of illustrating the models 'at a glance'. For in-depth reading, please consult the original publications.