Classification and marking scheme for sensitive information

Managing the classification and traceability of information guarantees the confidentiality, integrity and availability of sensitive information.

The objective of a basic information classification is to help you distinguish between types of information, raise awareness, and avoid confusion and misunderstanding. A basic information classification will allow you to adapt security measures to the type of information.

You should categorize information, for example: public information on the website, confidential information for internal use, and personal information. Communicating this categorization to your employees will help tremendously in creating awareness and avoiding confusion and misunderstanding. The classification should be used to link specific security measures to types of information, such as locking doors or encrypting a document.

In practice, the classification consists of two stages: first, a general classification framework is created, with structured categories; and then the level of security desired per data category is defined.

Asking the following basic questions can help you get started with data classification:

  •  What are my data types?
        Is my data in a structured database or mostly unstructured?
  •  Where is my sensitive data?
        Is it centralized?
        Is it dispersed across email, file shares, spreadsheets, ...?
  •  What are the required classification levels?
        At the very least, identify public, internal, confidential and privacy-related data.
  •  Who can / should access each class of data?
  •  How do I protect my data and what is the impact if it is leaked?
        Can we protect classified data properly?

 

TASK

Have a minimal information classification policy and distribute it to all collaborators. The document should at least distinguish between ‘public’ and ‘private/internal’ information, or the equivalent.
