iso27diy-corp/Corpus/Literature notes/Designing an information management scheme.md

Related: ISO_27002_2022_5.12_PE Classification of information

Source: ISMS Alliance Retrieved: September 26, 2022

The simplest form of an information management scheme consists of four parts:

  • a classification scheme: a list of classifications with definitions, so that people classify information consistently;
  • a labelling scheme: a way for documents and other information to be visibly associated with a classification;
  • handling rules: how to use and protect information at each of the defined classifications;
  • a process that explains how to use the above three documents (e.g. how to decide who is responsible for classifying a given item of information).

If the classification scheme is too complex, it will confuse people and may result in unintended disclosure or in blocking disclosure that was intended. If the scheme is too simple, the same risks occur, because it forces people to either over- or under-classify. For comparison, the UK Government's scheme has only three tiers: OFFICIAL, SECRET and TOP SECRET.

When designing a classification scheme, start by deciding how few distinct sets of handling rules you actually need; each classification should exist only because it needs different handling from the others.

Classification levels should be compatible with the Freedom of Information Act 2000 (FoIA), which groups information into three classes:

  • information that is routinely published
  • information that is disclosed, subject to a public interest test
  • information that is not disclosed.

There may be some point in sub-dividing the third (and possibly the second) class, e.g. “does not leave the building” and “viewable from outside”.

Note: the same reasoning applies to personal data under the Data Protection Act 1998 (since superseded by the Data Protection Act 2018 and the UK GDPR).

The UK Government used Business Impact Levels (BILs, IL0 to IL6). The author thinks the Impact Level tables are "likely to be too complex for practical information classification schemes", but suggests using them as a checklist when defining your own levels. Note that the BIL tables were withdrawn from government use when the current three-tier classification policy was introduced in 2014, which does not stop them being a useful checklist.

Classifications should take account of the information's requirements for integrity and availability, as well as confidentiality. A scheme that only grades confidentiality will, for example, give no guidance on protecting a public but safety-critical document from tampering.

Labelling

Where the label goes depends on the medium:

  • for digital documents or e-mails, the label should be in a standard place in the digital content (e.g. the first line, the header or the subject), so that people and tools can find it reliably;
  • for paper, it should be on the file or envelope; if the classification itself is sensitive, use a double envelope with the marking only on the inner one;
  • for on-line systems, the label may need to be on the login page if it is not possible to put it on every screen.

Structured information (a CMS, a database) is much easier to label than unstructured information (private folder trees, mail, notebooks).

One method for labelling information, which is simple but very effective, is to specify that everything in a particular system or environment is automatically of a particular classification. This only works if the system's boundary is enforced in both directions: check that information with a higher classification is not entered into the system, and make sure that anything extracted from it is labelled and then handled according to the rules for that classification outside the system.

Labelling related to confidentiality can also be used to indicate who should handle the information. Anyone who sees information they are not entitled to should report it as a security incident, not just ignore it.
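The boundary checks for a system-level default classification, as an added illustration that is not from the ISMS Alliance source or this page: the three-level scheme, the rule that the label lives on the first line of a document, and the system name are all assumptions made for the example. Ingress refuses anything labelled above the system's level and rejects unknown labels rather than guessing; unlabelled input takes on the system's classification; egress stamps the system's label into the standard place on everything that leaves.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical three-level scheme, lowest to highest (an assumption for this
# example, not a scheme from the source).
LEVELS = ["PUBLIC", "SENSITIVE", "HIGHLY SENSITIVE"]

# The label's "standard place" is assumed to be the first line of the document.
LABEL_RE = re.compile(r"^CLASSIFICATION:\s*(?P<label>[A-Z ]+?)\s*$")


class LabelError(ValueError):
    """Raised when a label is unknown, or disallowed at this boundary."""


def rank(label: str) -> int:
    """Ordinal position of a label; unknown labels are rejected, not guessed."""
    try:
        return LEVELS.index(label)
    except ValueError:
        raise LabelError(f"unknown classification label {label!r}") from None


def read_label(document: str) -> Optional[str]:
    """Return the label found in the standard place, or None if unlabelled."""
    first_line = document.split("\n", 1)[0]
    match = LABEL_RE.match(first_line)
    if match is None:
        return None
    label = match.group("label")
    rank(label)  # validates the label against the scheme
    return label


@dataclass
class ClassifiedSystem:
    """A system or environment whose entire contents are automatically at `level`."""
    name: str
    level: str
    _store: List[str] = field(default_factory=list)

    def ingest(self, document: str) -> str:
        """Ingress check: refuse anything labelled above the system's level.
        Unlabelled input is accepted and takes on the system's classification."""
        label = read_label(document)
        if label is not None and rank(label) > rank(self.level):
            raise LabelError(
                f"{label} material may not be entered into {self.name} ({self.level})"
            )
        self._store.append(document)
        return label or self.level

    def extract(self, index: int) -> str:
        """Egress: whatever leaves is stamped with the system's level in the
        standard place, so it can be handled correctly outside the system."""
        document = self._store[index]
        if read_label(document) is None:
            body = document
        else:
            parts = document.split("\n", 1)
            body = parts[1] if len(parts) > 1 else ""
        return f"CLASSIFICATION: {self.level}\n{body}"


def demo() -> dict:
    """Constructed sample documents exercising each boundary case."""
    hr = ClassifiedSystem("HR case files", "SENSITIVE")  # hypothetical system
    results = {}
    results["labelled_ok"] = hr.ingest("CLASSIFICATION: SENSITIVE\nAppraisal notes for Q3")
    results["unlabelled"] = hr.ingest("Minutes of the team meeting")
    try:
        hr.ingest("CLASSIFICATION: HIGHLY SENSITIVE\nBoard merger plan")
        results["over_classified"] = "accepted"
    except LabelError:
        results["over_classified"] = "rejected"
    try:
        hr.ingest("CLASSIFICATION: EYES ONLY\nSomething with a label outside the scheme")
        results["unknown_label"] = "accepted"
    except LabelError:
        results["unknown_label"] = "rejected"
    results["export"] = hr.extract(1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The important design choice is that an unknown label fails closed: a document marked with a label the scheme does not define is refused at the boundary, because silently treating it as unlabelled would let higher-classified material into a lower-level system.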

Handling

Here is an example of a three-tier approach focused on confidentiality:

| | Classification 1 (no concern) | Classification 2 (slightly unsettled) | Classification 3 (genuinely scared) |
|---|---|---|---|
| Store, process and transmit: where | Anywhere | Premises of the organisation or a trusted third party (work can be taken home with minor precautions) | High-security location (work cannot be taken home unless you live in a bunker) |
| Store, process and transmit: how | Any method allowed | Only approved methods (e.g. encrypted, or via registered post) | Storage only in the bunker; processing only on high-security systems with formal approval; hand transport by security personnel only; face-to-face discussions only |

Documenting the handling rules is best done by describing the risk the information should be protected against, and then listing the measures to be taken at each classification level, for example:

Risk: information should not be seen or heard by unauthorised people.

| Classification | Measures |
|---|---|
| Sensitive | Don't leave papers lying around; lock your screen when you leave it; don't have conversations or phone calls in public places. |
| Highly Sensitive | Keep paper under lock and key; password-protect individual files; have conversations only in private offices. |

Related

Related ISO/IEC 27002:2022 controls:

  • 5.10 Acceptable use of information and other associated assets
  • 5.12 Classification of information
  • 5.13 Labelling of information
  • 5.14 Information transfer
  • 5.15 Access control