Information classification: practical guidelines

Some information security standards and best-practice frameworks require organizations to have an information asset classification policy. ISO 27002 [1] requires an information classification policy; NIST has even published a FIPS [2] on the topic; PCI DSS [3] does not address it, since it treats cardholder data as sensitive by default; and IT-Grundschutz [4] requires a classification of potential damage and protection requirements.

Goal

Even if some people consider the need to comply with a security standard a sufficient reason, the real purpose of such a policy is normally to differentiate valuable and critical information from the rest, in order to provide an appropriate level of protection and keep the residual risk low. The objectives of an information classification policy should be:

  • Simplification of the risk assessment process;
  • Proportionate cost of protection;
  • Consistent and adequate protection of information throughout its lifecycle;
  • Fostering adequate behaviours when handling information, whatever its form.

The first three goals are common risk-based security benefits. The fourth is more specific to information classification. As you define a classification for information and assets, you put labels on them that tell users how valuable the assets are and how they are expected to handle them. In behavioural terms, classification is the first step of good conditioning: the label is the stimulus that should trigger the appropriate behaviour.

However, as logical as this may sound in theory, in real life the goal does not seem so easy to achieve.

Common issues

Most government agencies, armed forces, financial institutions and large corporations have an information classification policy or an asset classification policy. A January 2008 report of the US Office of the Director of National Intelligence on information classification guidance [5] underlines several common issues encountered with information classification policies within US government agencies (mostly defence).

The report points out the “little insight into the reason for setting classification and limited guidance for discriminating between classification levels”. Operational difficulties are also often observed, as some rules or criteria are conflicting or, too often, not understood, leaving the user in an administrative nightmare that leads to inadequate classification. The report also recalls the relationship between information sharing and information classification: sometimes the latter is an obstacle to the former.

In another report on US information classification, from the Congressional Research Service of the US Congress [6], the author highlights the growing cost of information classification and the downward trend in the number of declassifications, resulting in a vexing cost for the government. A report showing such issues inside a security-minded community like the US defence agencies is likely to show only the tip of the iceberg of what organizations with a weaker security culture might face.

For what it's worth, here is a list of common issues we encountered during our various assignments (in all kinds of organizations: public, military, retail, finance, electronics):

  • The classification model does not fit the needs of the business (too complex, impossible to apply, not aligned);
  • Policies are not known or not well remembered;
  • Policies are not understood correctly (assets are over-classified or under-classified);
  • The reason for the policy's existence is not understood and, consequently, the motivation to apply it is very low (sometimes even amongst senior management);
  • Policies are not applied (security requirements are not met, assets are not classified although the policy is known);
  • Assets' classification does not reflect the real value of the information or the cost of damage to it, but rather its value relative to other assets (relative classification);
  • The number of exceptions to the security requirements keeps growing and the exception process becomes overwhelming;
  • Some risks are not covered by the information classification model (compliance, fraud);
  • Information classification prevents or delays the circulation of information between people or entities who need it (loss of performance);
  • The difference between levels of classification is difficult to understand;
  • Information is classified “forever”, so the classification no longer matches the residual value of the information;
  • Entities sharing information do not have compatible classification policies, jeopardizing the information's security throughout its lifecycle;
  • The scope is not well defined (too many or too few assets are classified);
  • The cost of over-classification is not understood and information is systematically over-classified because “you will never get fired for being too cautious”.

To change or not to change

When we notice a dysfunction in a process, we ask ourselves: “should we change it?” If it works, we don't try to fix it. But if it doesn't work, or doesn't work well, do we really have to change it (all of it)? Creating a new asset classification is one thing; changing an existing one is quite another. If something doesn't work, you have to understand what is not working, figure out how to fix it and manage the change to reach the desired state. That can cost a lot of time and money.

We won't spend time on the choice of a specific model for the business case (the ROI [7] model might not be as relevant as ROSI [8], especially if your security baseline already provides a high level of protection) or on the parameters to take into account. Just remember that sometimes, not fixing things is the most financially interesting option.

For the purpose of this article, we will assume we have a business case and that the expected benefit largely outweighs the expected cost (while keeping a large security margin in our estimates). Many approaches could be used to improve an existing asset classification policy. As usual, we prefer simple and pragmatic ones.

Assessment

First, we try to understand why the organization wants to change the policy (known issues), what the goals are and what the expected benefits are (this should have been made clear by the business case, or at least by the reflection on the funding of the project). More precisely, we try to answer the following questions:

  • What is going well with the policy? What are the benefits of the policy?
  • What are the known issues? What are the consequences of these issues?
  • What is unknown (grey areas, immeasurable results)?
  • What are the needs or requirements (legal, regulatory, business)?
  • What is the motivation (compliance, risk reduction, increased agility,…)?
  • Were there “famous” successes inside the company?
  • Were there incidents? What were their causes and consequences?
  • When has the policy been originally created?
  • Who created the original policy, for what reason?
  • How was it supported by the management?
  • How was it perceived by the personnel?
  • How is it applied?
  • What are people remembering from the policy?
  • Do people understand the need for security and asset classification?
  • Which parts of the policy are applied correctly?
  • What were the expectations when drafting the first policy?
  • Did we already try to change it before? What was the result?
  • Why do we want to change it now? What has changed recently?
  • Who is happy with the policy at the moment?
  • Who is complaining about the policy?
  • How many exceptions are processed? What are the main reasons for exceptions?
  • What is the main goal of the organization? What are its constraints (in the Lean sense)?
  • What are the priorities of the organization (and, more precisely, sharing versus protecting information)?
  • What is the level of the organization's security baseline?
  • What are the organization’s values?
  • Is there a risk management policy?
  • How are risks evaluated?
  • What is the risk appetite of the organization?
  • Who are the stakeholders (decision makers, influencers, beneficiaries, and impacted entities)?
  • What are the deadlines?
  • What are the success criteria? Are there related KPIs and KGIs?
  • How will you see (practically, not through KPI) that the new policy works?

While gathering information to answer these questions, we build a picture of what is going wrong and usually come to a good idea of what should be improved and how to improve it (with a little creativity).

New model(s)

At some point, we are able to draft proposals for one (or more) new model(s) that should fix the issues or, at least, greatly improve the situation, in theory.

In order to reach our goal (effective and efficient asset classification), we apply a few requirements or constraints to the new model and its document:

  • You must KISSS (Keep It Short, Simple and Sexy): people don't have time to read hundreds of pages (it costs the organization a lot of time); to make it simple, we must make our thinking clear; and making it sexy (using icons, brief sentences, images or whatever the communication team uses to make their documents appealing) clearly helps getting the document read and applied.
  • It must make sense for everybody: not everybody has a security or risk background. You cannot expect or assume that everybody understands why we do things like classifying assets. So you must explain it in a way that makes sense to the reader (it increases engagement).
  • You must draw on the organization's culture and the daily life of the reader to select your examples and explanations (they will be easier to memorize and leave a long-lasting impression).
  • You must use positive actions to describe what you expect from the reader: define what they have to do, not what they must not do. We humans have difficulty processing the negative form. If what you describe could be better achieved by a dead person, it is not a good expectation.
  • Highlight the important words, as much as possible: you see why, I guess. Select carefully which words you highlight, as too many highlighted words void the benefit of highlighting.
  • Use names, labels and levels that make sense intuitively. When you use different levels, it helps if everybody clearly understands which one is higher or more important. For example, it should be clear to everybody that TOP SECRET is above (top) SECRET. But which is higher: SECRET or CONFIDENTIAL?
  • As much as possible, use clear and discrete categories or, at least, provide the criteria that allow anybody to consistently discriminate between two categories. For example, what makes the difference between two levels of integrity (precisely, measurably and operationally)?
  • If you have different categories, each category should have matching security requirements. If the requirements are the same for two categories, do you really need both categories, or should you add new security requirements?
  • Simplify and reduce processes and documents as much as possible. Having to open two different documents to get an answer is a waste of time if it has to be done repeatedly. Having one document on privacy and another on information classification can generate a lot of redundancy.
  • Be consistent throughout the document and across all policies.
  • Give as much relevant information and insight as possible, at least the “big picture”, within the first pages of the document so readers don't have to go through the entire document to find answers. Put the most frequently needed information in the first pages.
  • Make responsibilities clear, as well as the chain of command and the processes to follow for common actions (new document, review, declassification, incidents, ...).
  • Link, as much as possible, your categories (or levels) to the risk or the potential impact.

While drafting a new model, we don't hesitate to go beyond the classical CIA triad (Confidentiality, Integrity and Availability). The relevance of additional dimensions must be investigated: retention or archiving time (often based on regulatory requirements), restitution format, privacy, or any other dimension that makes sense in your business.

We also suggest using caveats to add a sense of need-to-know to the confidentiality classification (like EMPLOYEES ONLY or FINANCE RESTRICTED) or to add some flexibility to the model (like RESTRICTED WHEN FILLED or AVAILABILITY CRITICAL DURING MONTHLY FINANCIAL CLOSURE). Using caveats to define the target group for a piece of information (the people having the need-to-know) is certainly the most meaningful approach. When you have a RESTRICTED, SECRET or CONFIDENTIAL document (whatever your naming convention for a very sensitive document), knowing to whom it is restricted is more than useful.
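As an added example (not code from the article or from any organization's real scheme), here is a small Python model that applies several of the constraints above: levels with an intuitive order, one discrimination criterion per level, distinct requirements per level (with a check that flags two labels sharing one set of controls), caveats naming the need-to-know group, a review date so that nothing stays classified forever, and a grouping helper for the field test with business owners. Every level name, threshold, requirement and sample asset below is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Shared impact scale for the confidentiality and integrity dimensions:
# 0 none, 1 low, 2 medium, 3 high. Level names, thresholds and requirements
# are illustrative assumptions, not any organisation's real scheme.
# Each level: (name, highest impact it covers, handling requirements).
CONFIDENTIALITY = [
    ("PUBLIC", 0, set()),
    ("INTERNAL", 1, {"no external publication"}),
    ("CONFIDENTIAL", 2, {"no external publication", "need-to-know access",
                         "encrypted in transit"}),
    ("SECRET", 3, {"no external publication", "need-to-know access",
                   "encrypted in transit", "encrypted at rest", "access logged"}),
]
INTEGRITY = [
    ("STANDARD", 1, set()),
    ("VERIFIED", 2, {"changes approved by owner"}),
    ("CRITICAL", 3, {"changes approved by owner", "dual control on changes",
                     "integrity checks"}),
]
# Availability is driven by the outage the business can tolerate, in days,
# so the threshold shrinks as the level gets stricter.
AVAILABILITY = [
    ("ROUTINE", 30, set()),
    ("IMPORTANT", 5, {"daily backup"}),
    ("CRITICAL", 1, {"daily backup", "tested restore procedure", "redundant system"}),
]

def validate_model(levels):
    """Design check for one dimension: two adjacent levels must be separable by
    their criterion, and each level must add at least one requirement over the
    previous one (otherwise it is two labels for one set of controls)."""
    problems = []
    for (lo, lo_thr, lo_req), (hi, hi_thr, hi_req) in zip(levels, levels[1:]):
        if lo_thr == hi_thr:
            problems.append(f"{lo} and {hi} share the same criterion")
        if not hi_req > lo_req:  # strict superset required
            problems.append(f"{hi} adds no requirement over {lo}")
    return problems

def level_for_impact(levels, impact):
    """Lowest level whose criterion covers the impact (last level if beyond scale)."""
    for name, max_impact, reqs in levels:
        if impact <= max_impact:
            return name, reqs
    return levels[-1][0], levels[-1][2]

def level_for_outage(levels, max_outage_days):
    """Strictest availability level whose tolerated outage still covers the asset's."""
    chosen = levels[0]
    for lvl in levels:
        if max_outage_days <= lvl[1]:
            chosen = lvl
    return chosen[0], chosen[2]

@dataclass
class Asset:
    name: str
    owner: str
    disclosure_impact: int   # impact if disclosed to the wrong people
    tampering_impact: int    # impact if altered without authorisation
    max_outage_days: int     # how long the business can do without it
    caveats: list = field(default_factory=list)  # need-to-know groups
    review_on: date = date.max  # when the classification must be reconsidered

def classify(asset):
    """Derive the three labels and the union of the matching requirements."""
    c_name, c_req = level_for_impact(CONFIDENTIALITY, asset.disclosure_impact)
    i_name, i_req = level_for_impact(INTEGRITY, asset.tampering_impact)
    a_name, a_req = level_for_outage(AVAILABILITY, asset.max_outage_days)
    label = c_name + (f" ({', '.join(asset.caveats)})" if asset.caveats else "")
    return {"label": label, "confidentiality": c_name, "integrity": i_name,
            "availability": a_name, "requirements": sorted(c_req | i_req | a_req)}

def due_for_review(asset, today):
    """True once the review date has passed: a label is not valid forever."""
    return today >= asset.review_on

def group_by_label(assets):
    """Testing aid: asset names per confidentiality level, so owners can check
    that the same controls make sense for everything that landed together."""
    groups = {}
    for asset in assets:
        groups.setdefault(classify(asset)["confidentiality"], []).append(asset.name)
    return groups

# Constructed sample assets (not real data).
PAYROLL = Asset("Monthly payroll file", "HR", 2, 3, 2, ["HR ONLY"], date(2010, 1, 1))
MENU = Asset("Canteen menu", "Facilities", 0, 1, 30)

if __name__ == "__main__":
    for dim in (CONFIDENTIALITY, INTEGRITY, AVAILABILITY):
        print("model problems:", validate_model(dim))
    for asset in (PAYROLL, MENU):
        print(asset.name, "->", classify(asset))
    print(group_by_label([PAYROLL, MENU]))
```

Running `validate_model` on a draft model is the cheap way to catch the two design faults discussed above before the field test: two levels with the same criterion cannot be told apart by the reader, and a level whose requirements equal the previous one is a label without a purpose. The caveat travels with the label, so the handler sees both who may read the asset and what controls apply.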

Testing

While gathering information for the assessment, we also build a list of business process owners. When we have a good model, we sit down with them and test the new model on real data “from the field”.

First, we ask the business owners to read the asset classification document and to explain what they have understood. We note their questions, comments and misunderstandings in order to improve the document.

Then we test the model on existing processes and on common flows of information, applications and documents. We validate that assets are classified correctly and that the matching security requirements [9] are proportionate to the risks.

Of course, we don't forget to assess the complexity of the process and the impact the new model would have on business units. Security policies, in general, should add value and not put an extra burden on the business. Security can also be a business enabler and bring value in addition to some peace of mind.

Improvement

Based on the tests and discussions with the business owners, we update the model and the document (if necessary) to address any newly discovered issue or to improve the usability of the document. We do it more than once if necessary, until we reach an acceptable level of understanding and acceptance of the model. Besides the classic reviewers like legal or HR, the communication department may bring valuable insight or guidance on the tone of voice, the organization's style and the format (remember the KISSS directive): they are probably better than you at judging the simplicity and attractiveness of a document and of models that you master (contrary to your main audience).

Approval

We then arrive at the classic phase of having the new model approved by senior management. An executive summary and a very brief presentation of the changes and their motivation will help senior management understand the process leading to the new policy. Presenting the new policy to the direct reports of senior managers before submitting it for approval will also likely facilitate the process, as it builds trust and awareness of the new classification model.

Implementation

Once the document is approved, the job is far from finished. In fact, it is just the beginning, and the easiest part is now over. The changes we made to the classification model are likely relatively small, yet significant. However, we must also adapt the organization's processes and change people's behaviours. In fact, we will likely have to change people's attitudes and behaviours so that they start applying a policy they were previously ignoring.

Lead by example

“Be the change you want to see in the world.” This quote, sometimes attributed to Gandhi, is probably the first piece of advice to follow when we want to change something in an organization. “Leading by example” should be more than a smart quote from an expensive people management training. The first people we need to educate about information classification are surely the senior managers. We cannot assume they know how, what or why we classify assets; it is not their job. Their job is to have it applied by all their reports. If we fail to show senior managers the benefits of information classification, we will likely have huge difficulties getting it applied across the organization. If your boss doesn't follow the rule, you understand that the rule is not important and you are less likely to follow it yourself. If your boss insists that you follow the rule but still doesn't, we call that paradoxical communication (“do what I say, not what I do”) and it is the worst way to induce change.

So, if we want a return on investment on an asset classification model improvement, we need time with senior managers to show them the expected benefits and how it will work, and to make them the first ambassadors of our new model.

Tone of voice

When we want to convince people to change something in their life, we have to be convinced ourselves first. Consequently, we use wording and a tone showing that we are convinced, which raises the probability of being followed by our audience. We speak in positive terms and consider people as intelligent and of good will (otherwise the organization must have a real recruitment issue). We keep in mind that we speak to responsible adults (we don't patronize). We appeal to their inner sense of doing things right. We also give as much freedom and responsibility as possible. We have to believe in their ability to do it right (if we don't, we create the conditions for our failure).

Being pragmatic

We must keep it as simple as possible. There is (too) often too much bureaucracy slowing down the core business. If we classify documents, we prepare templates that take classification into account, where you just have to select the classification when creating the document. The same should be done for e-mails. We display labels in sensitive applications and order stamps for paper documents, letters and folders.

In fact, based on the list of security requirements matching the new classification model, we list all the necessary changes and supporting assets that will be needed. Here is a fairly comprehensive (but unfortunately not yet exhaustive) list of what should be taken into account:

  • Safes, locks, secure cases
  • Shredders, degaussers
  • Screen filters, secure rooms, signal jammers, secure phones
  • Alarms, UPS, monitoring, IPS, IDS
  • Encryption software, secure USB storage
  • Backup systems, external hard drives
  • Logical access approval process, change management, asset management
  • NDAs, standard contracts, standard RFPs
  • Labels, stamps, envelopes
  • Templates
  • Emergency response procedure, incident management, BCP, DRP
  • Double encoding process
  • Remote wiping
  • Awareness material, training sessions
  • Central database of assets' classification and owners

Measurement

As always, we cannot manage security if we don't measure our successes and failures. Directly or indirectly, we monitor the effect of the new policy: incident rates and costs, awareness campaign results (through questionnaires), number of classified assets, audits, tests. The more different indicators you have, the more accurate the measurement will likely be.

That’s all folks!

Footnotes:

[1] International Organization for Standardization, ISO 27002 (2005 version): “Information technology – Security techniques – Code of practice for information security management” [http://www.iso.org]

[2] Federal Information Processing Standards Publication 199: “Standards for Security Categorization of Federal Information and Information Systems” [http://csrc.nist.gov/]

[3] Data Security Standard from the Payment Card Industry [https://www.pcisecuritystandards.org/security_standards/]

[4] Best practices from the German Federal Office for Information Security (BSI Standard 100-1) [https://www.bsi.bund.de/]

[5] Office of the Director of National Intelligence, “Intelligence Community Classification Guidance: Findings and Recommendations Report” [http://www.fas.org/sgp/othergov/intel/class.pdf]

[6] Congressional Research Service report for Congress: “Security Classified and Controlled Information: History, Status, and Emerging Management Issues” [http://www.fas.org/sgp/crs/secrecy/RL33494.pdf]

[7] Return on Investment

[8] Return on Security Investment

[9] If security requirements are not yet defined, we can simply compare the assets (documents, applications, systems) with each other and see whether the same kind of controls makes sense for the group of assets created by the classification.

Information classification for dummies

Most companies serious about security have an information classification policy. Too often, this policy has been drafted from common practice, brings no added value to the business and does not fit the business reality. In fact, too often, security people don't even understand the real purpose of classifying information, so their users don't understand why they should classify information either. When people don't understand the meaning of an action, unless they have been well conditioned, it is likely they won't repeat the action. As a consequence, information classification policies are often not used or, at best, badly applied.

Whatever you do in information security, it must have a meaning and, even more, it must add value. The main purpose of classification is to foster adequate behaviour with information. If you want to change behaviours, and even more if you want them to be appropriate, you had better give a good understanding of why you do things.

So here are two little examples that will make your users understand the rationale behind information classification. You can easily add images to them or use them as a story for a presentation.

First example

Let's start with a non-informational asset, as the rationale might be easier to understand.

Imagine you are moving to a new house and you are packing your boxes (it has most likely already happened to you).

Among your belongings (which we call assets), there is a beautiful vase you received from your mother (or step-mother) at your wedding. Although the monetary value of the vase is high (financial risk), it is mostly to avoid conflict with your (step-)mother (reputational risk) that you don't want it to break into pieces during transport (threat).

Your risk of losing the vase's integrity = the probability of breaking it during the move (highly probable) x the number of times you will likely hear your (step-)mother remind you that you broke her beautiful gift (a high cost for your nerves, your self-esteem and your relationship). A high probability multiplied by a high impact (we call that a high risk): you will probably decide to put the vase alone in a box with lots of bubble wrap and handle the box with extra care.

Unfortunately, movers are not famous for their carefulness with boxes and you won't have time to watch the box all day to prevent an incident (we call that mitigating the risk). So you decide to warn the movers, or any friend coming to help, that the box contains a precious item.

You put a nice label on the box (FRAGILE) to inform people that its content requires careful handling (we call that classification) and expect the movers to behave accordingly...

That's exactly what we do with information and our asset classification, and we expect you to behave like our cautious and devoted movers.

Another example

Let's take another example, this time involving information: your salary.

Your monthly salary is information. It is mentioned in your employment contract, on your monthly pay slip, in the financial system and probably in your head if you know it by heart. Whether you have thought about it or not, this particular piece of information faces a number of threats. We can divide these threats into three main categories, which we call Confidentiality, Integrity and Availability.

The first type of threat only exists if you don't want to share your salary with the rest of the world. Maybe you put it on your LinkedIn profile or even in your Facebook personal details? More likely, you don't want to share this information with everybody (your colleagues, your neighbour, your ex-wife, any door-to-door salesman or any thief who would become more interested in your house). Moreover, disclosing this information to someone you don't want to share it with may have a different impact depending on the circumstances (in some countries, being wealthy increases the risk of having your relatives kidnapped).

Depending on the impact of unwanted disclosure for you, you will handle this information with care or not. Let's assume it is of medium importance to you: you will probably put your pay slip in your briefcase or your bag and not leave it open on your desk. You may even write “personal and confidential” on the envelope to ensure nobody dares to open it without asking you. Well, you have just classified your salary in the Confidentiality dimension.

The second threat, Integrity, might have a greater impact on you, good or bad. Imagine someone succeeds in changing it (multiplying it by ten or dividing it by ten). In the first case you might be quite happy; in the second, quite annoyed. The impact of losing what we call the integrity of that information might be quite high. You presume your employer will ensure the value remains the one you agreed on (throughout the payment systems, employment contract and so on). In doing so, you classify your salary as information with a high Integrity requirement.

The last threat to this information is its unavailability. Most of the time, you don't care about your salary (the information, that is; you are probably more interested in one of its consequences: the amount on your bank account). Nevertheless, a few days before you receive the payment of this salary, this information is mandatory. If, by any chance, the system was not able to provide the information on that day, you would probably be stressed. Should the company take 6 months to restore the system and pay your salary, you would likely be more than upset. You will then agree that this information's availability is important to you, and you could probably define the number of days you could wait before it causes you huge financial problems. That's exactly the purpose of classifying the information's availability.

You now understand why we classify information: to create adequate protection behaviours in the information handler by communicating the impact of some types of incident, the final goal being to lower risks to an acceptable and sustainable level. For instance, when we classify information at the confidentiality level Confidential, we want you to understand that if someone unauthorized gets access to this information, it might cost us a lot of money or severely damage our reputation.