Out of the policy and into people's heads! Successfully introducing information classification in the company
2011#6, page 12
Rubric: Management and Knowledge
Keyword: information classification
Summary: Information is the most important asset of a company today - development data, strategy plans, unpublished financial statements, etc. must be protected according to their high value. But first a correct and consistently "lived" classification is necessary.
Author: Frank von Stetten and Andreas Schnitzer, Garching
Not all information has the same value: its significance can be defined by the damage the company would suffer if the information fell into the wrong hands. The greater this potential damage, the stronger the security measures that are justified or required. For advertising brochures on the Internet it makes sense to set a lower protection requirement and invest less effort than for the latest results from the research department.
In order to carry out an appropriate risk assessment and choose suitable security measures, one first needs a categorization of the value of information. In information security this is usually done with confidentiality classes; a typical four-level system for corporate use is shown in Table 1.
| | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Potential harm | Disclosure of the information has no negative impact. | Disclosure of the information can cause low to medium damage. | Disclosure of the information can cause great damage. | Disclosure of the information can cause existential damage. |
| Example | Publications, brochures | Price lists, process descriptions, organizational charts | Personal data, balance sheet data | Development data, corporate strategy |
Table 1: Typical confidentiality classes in companies
The division into confidentiality classes (information classification) also makes clear to every user of the information what damage the company can suffer if the information is handled carelessly or becomes known to unintended parties. Generally associated with it are rules and guidelines (policies) for handling classified information, which reduce the risk of unwanted disclosure.
Figure 1: Problem of an information classification that is not "lived"
As long as the classifications and handling rules exist only in the policies and not in the minds of the employees, the risk of an unwanted outflow of information remains high (see Fig. 1). During and after the introduction of information classification, those responsible for information security in companies and other organizations face three major challenges, which are explained below.
Classification of information
First, the person responsible for the information (the information owner, usually a manager) assesses the damage that can occur if the information falls into the wrong hands and draws up specifications for classifying it according to its damage potential.
The actual classification of a piece of information, however, usually falls to its creator: the respective employee is expected to set the confidentiality class when writing an e-mail, saving design data or drawing up a balance sheet, following the specifications of the information owner.
In practice, however, a large part of a company's information is not classified at the moment it is created, because most creators are not even aware of the confidentiality classes and their consequences for handling the information. As long as classification is not integrated into the daily workflow, it is often omitted or simply forgotten.
Identification of information
As a consequence of classification that was not carried out, or was carried out incorrectly, most information lacks the marking corresponding to its confidentiality class, even though guidelines usually require it.
Handling of information
As a result, downstream departments cannot always recognize the value of the information, even with the best of intentions, and therefore often do not handle it in accordance with the guidelines. It can then happen that the information
- is not stored securely enough,
- becomes accessible to people outside the defined group of users,
- is transmitted unencrypted (e.g. by e-mail) or
- is not destroyed appropriately and safely at the end of its life.
Unfortunately, in many companies the information classification is not "lived", and because the value of the information and the associated processes are not known, it is handled incorrectly and often in a way that endangers security.
The solution to these challenges lies in a multi-stage process, explained here on the basis of the learning model of the psychologist Albert Bandura, according to which people pass through four levels of competence, from unconscious to conscious, as listed in Table 2 and illustrated with examples.
| Level | General example | For information classification |
|---|---|---|
| Unconscious incompetence | You grow up in the jungle and do not know what a car is. You cannot drive, but that does not bother you. | You do not know the information classes in the company, and that does not bother you either. |
| Conscious incompetence | You come into town and see cars. You now know that you cannot drive a car. | You know that there are information classes, but you do not know how to use them. |
| Conscious competence | You attend a driving school and learn to drive. However, you still find driving difficult. | You learn the meaning of the individual classes and how to use them. In everyday work, however, you rarely or never use the classes. |
| Unconscious competence | You are an experienced driver who drives safely on the motorway at 180 km/h without causing an accident. | Information classification is anchored in your day-to-day work and has become automatic. |
Table 2: Levels of competence according to Bandura with examples
In order to bring information classification from Bandura's level of "unconscious incompetence" to the desired level of "unconscious competence", different measures are required in several stages. Merely publishing the information security guidelines usually leaves employees at the level of unconscious incompetence: they often do not even notice that a new policy with confidentiality classes exists.
Figure 2: Multi-level measures to anchor the information classes (based on A. Bandura's learning model)
Classical security awareness measures (e.g. classroom training, web-based training, flyers or posters) enable the creators and users of information, which in practice means all employees and managers, to learn the confidentiality classes and their consequences for handling information, and to understand them in principle: they now know that "confidential" information must be protected better than "internal" information and that one should be careful about with whom one shares which information.
Although these general measures are well suited to raising basic awareness, they are usually not sufficient to get employees to actively classify information: handling has not yet been practised, and the understanding of one's own work environment is still very generic.
As a third step, the security department can offer workshops on information classification in the departments of the information owners. In such a two-hour workshop the employees of the HR department, for example, assign their most important information to the defined confidentiality classes and, guided by the department head and moderated by the security officer, discuss their differing views on the value of this information.
Such active engagement with information classification usually creates a strong sense of personal involvement among the workshop participants and an understanding of how the classes apply in their own area.
With these steps, all important measures for bringing information classification into the minds of employees have in principle been taken. The biggest challenge, however, is to keep this knowledge present and to anchor it in everyday work. Asking information security officers makes clear that in most cases this does not succeed: at first, employees classify the information and ensure that it is handled correctly, but within a few weeks they revert to their old habits.
This is where information classification tools can help. Software tools from various vendors are now on the market that support the classification and marking of documents and e-mails directly at the time they are created. These are mostly plug-ins for the four main Microsoft Office applications: Word, Excel, PowerPoint and Outlook. Microsoft Office is the de facto standard application in most companies worldwide and thus a central element of information lifecycle management: a large part of the information processed in companies exists as Outlook e-mails, Word documents, Excel spreadsheets and PowerPoint presentations.
The tools are integrated into the Office programs and thus provide a "guided" classification by the users and a constant reminder that it is necessary. With such tools, the three challenges described above can be addressed in the simplest way: documents and e-mails are
- classified as they are created,
- marked according to their class (e.g. as "confidential") and
- subject, depending on the classification, to certain restrictions that can or must be enforced (e.g. forced encryption of "confidential" information).
Figure 3: Classification tools prompt employees to classify, mark and handle information as soon as it is created (in the picture: Outlook plug-in from HvS-Consulting).
Even though Office plug-ins do not cover all of a company's information, experience with users shows that continuously anchoring classification in everyday work also leads to other types of documents (e.g. SAP reports or drawings) usually being actively classified and marked.
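To make the three tool functions concrete (classify at creation, mark according to class, enforce handling rules such as forced encryption), here is an added example of the check an outbound mail gateway or Outlook add-in would apply to a message. It is illustrative code written for this page, not code from the article, from HvS-Consulting or from any vendor's plug-in. It assumes that the creator's label travels in an X-Classification header, that the four classes of Table 1 are named public, internal, confidential and strictly confidential, and that example.com is the company's own mail domain; the sample messages are constructed.

```python
"""Outbound e-mail check for a classification scheme (added example).

Assumptions, not from the article: label in an X-Classification header,
class names public / internal / confidential / strictly confidential,
example.com as the company domain. Handling rules are a sample policy.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

# Four classes in rising order of potential harm (names assumed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "strictly confidential": 3}
# Visible marking that the tool adds to the subject line.
MARKERS = {"public": "", "internal": "[INTERNAL]", "confidential": "[CONFIDENTIAL]",
           "strictly confidential": "[STRICTLY CONFIDENTIAL]"}
INTERNAL_DOMAINS = {"example.com"}  # assumed company domain(s)
# Content types produced by PGP/MIME and S/MIME encryption.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}


@dataclass
class Verdict:
    action: str    # "allow", "block" or "needs_classification"
    subject: str   # subject line with the class marking applied
    reasons: list  # why the message was blocked (empty if allowed)


def mark_subject(subject, label):
    """Challenge 2 (identification): prefix the subject with the class marker if missing."""
    marker = MARKERS[label]
    if not marker or subject.startswith(marker):
        return subject
    return f"{marker} {subject}".strip()


def check_outbound(raw, internal_domains=INTERNAL_DOMAINS):
    """Classify-mark-enforce check on one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    label = (msg.get("X-Classification") or "").strip().lower()
    if label not in LEVELS:
        # Challenge 1 (classification): the creator never set a class; hand the
        # message back for classification instead of guessing a class.
        return Verdict("needs_classification", subject, ["no valid X-Classification header"])

    subject = mark_subject(subject, label)

    # Challenge 3 (handling): who receives it, and is it encrypted?
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    external = [a for a in recipients if a.rsplit("@", 1)[-1] not in internal_domains]
    encrypted = msg.get_content_type() in ENCRYPTED_TYPES

    level = LEVELS[label]
    reasons = []
    if level >= LEVELS["confidential"] and not encrypted:
        reasons.append(f"'{label}' mail must be encrypted")
    if level >= LEVELS["strictly confidential"] and external:
        reasons.append("'strictly confidential' mail may not leave the company: " + ", ".join(external))
    return Verdict("block" if reasons else "allow", subject, reasons)


# Constructed sample messages (not real traffic).
SAMPLE_UNCLASSIFIED = """\
From: anna@example.com
To: bob@example.com
Subject: Draft org chart

see attached
"""

SAMPLE_CONFIDENTIAL_PLAIN = """\
From: anna@example.com
To: partner@other.example
Subject: Q3 balance sheet figures
X-Classification: Confidential
Content-Type: text/plain

numbers inside
"""

SAMPLE_CONFIDENTIAL_ENCRYPTED = """\
From: anna@example.com
To: cfo@example.com
Subject: [CONFIDENTIAL] Q3 balance sheet figures
X-Classification: confidential
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"

--b
Content-Type: application/pgp-encrypted

Version: 1
--b
Content-Type: application/octet-stream

(ciphertext would be here)
--b--
"""

SAMPLE_STRICT_EXTERNAL = """\
From: anna@example.com
To: ceo@example.com
Cc: consultant@other.example
Subject: 2012 corporate strategy
X-Classification: strictly confidential
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

(S/MIME ciphertext would be here)
"""

if __name__ == "__main__":
    for name, raw in [("unclassified", SAMPLE_UNCLASSIFIED),
                      ("confidential, plain", SAMPLE_CONFIDENTIAL_PLAIN),
                      ("confidential, encrypted", SAMPLE_CONFIDENTIAL_ENCRYPTED),
                      ("strictly confidential, external Cc", SAMPLE_STRICT_EXTERNAL)]:
        v = check_outbound(raw)
        print(f"{name}: {v.action} | {v.subject} | {v.reasons}")
```

The unclassified message is returned to the sender rather than silently assigned a default class, because a default would hide exactly the missing classification the article identifies as the root problem. The last sample shows why the marking and the handling rule are separate functions: an S/MIME-encrypted strategy paper still fails the check when an external address is in Cc.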
Introducing a functioning information classification in a company is a hard nut that can only be cracked by combining various measures. A mix of security awareness measures and workshops can convey the necessary knowledge and understanding, and software tools can help to permanently anchor this knowledge in everyday work.
Frank von Stetten is founder and board member of HvS-Consulting AG. Andreas Schnitzer is an ISO/IEC 27001 lead auditor and BS 25999 auditor as well as a board member of HvS-Consulting AG (www.hvs-consulting.de).
© SecuMedia-Verlags-GmbH, 55205 Ingelheim (DE),