
Information classification
The information assets of an organization must be protected from damage and loss. The need for security measures differs for different types of information. The need for protection is governed, among other things, by internal and external requirements and by the consequences for the organization and its partners if the information is disseminated to unauthorized persons or if it is changed or made unavailable.
To do this efficiently, we can classify the information according to its vulnerability from various security aspects. The information that is most important and whose loss or damage would have the greatest consequences must have the strongest protection. Information assets that are less important and not particularly vulnerable may have simpler and less expensive protection or may even be unprotected.
Security aspects
The need for security measures for various information assets is considered based on a number of different security aspects.
Four basic security aspects:
Confidentiality: The content must not be disclosed or made available to unauthorized persons
Integrity: The information must not be changed other than for the intended purpose by authorized personnel. Information must not be changed by unauthorized persons or due to mistake or malfunction.
Availability: The information must be usable to the expected extent and within a reasonable time.
Traceability: Information and information changes must be traceable.
Consequence levels
Based on each of these security aspects, each information asset is evaluated according to the consequences that inadequate protection could have. What happens, for example, if a certain type of information were disclosed to unauthorized persons? How serious would that be on a scale? Or how serious would it be if an information resource could not be accessed within a certain time period? How big would the consequences be?
A scale with three consequence levels (or levels of protection) generally looks like this:
Moderate consequences: Reduction in the ability to solve tasks. Minor damage to assets. Minor financial losses. Limited negative impact on individual rights.
Significant consequences: Significant reduction in the ability to solve tasks. Significant damage to the business's assets. Significant financial losses. Significant negative impact on individual rights.
Serious consequences: Severe limitation in the ability to solve tasks. Extensive damage to the business's assets. Large financial losses. Serious negative impact on individual rights.
The classification described above determines the type of protection that should be given to each information asset.
Alternatively, a simpler classification can be made with two different levels of consequence, for example moderate and serious consequences. One can also have a class called zero (0), no or negligible consequences.
Classification model in matrix form
Based on the security aspects confidentiality, integrity, availability and traceability and the consequence levels moderate, significant and serious, a matrix can be made with the security aspects on the horizontal x-axis and the consequence levels on the vertical y-axis. This gives a grid of boxes, and each information asset to be classified is placed in the box that applies to that information.
If, for example, the organization suffers serious damage from important information becoming available to unauthorized persons, the information must be placed in a class (box in the matrix) with a high level of consequence in terms of confidentiality.
Risk analysis
When you divide information damage or loss into consequence levels, you essentially look at the consequences that can arise from damage. When you then have to decide what protection certain information should have, you must also introduce a risk analysis that takes into account the probability of the damage occurring.
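As an added example (not part of the original article), the Python below models both the classification matrix from the "Classification model in matrix form" section and the likelihood-weighted step from this "Risk analysis" section. The four aspects and the consequence levels follow the text; the three-step likelihood scale, the sample assets and the thresholds used for the protection level are constructed assumptions.

```python
"""Information classification matrix with a likelihood-weighted risk score.

Added example, not from the original article. Aspect and consequence names
follow the text; the likelihood scale, the sample assets and the thresholds
for the protection level are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum


class Aspect(str, Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"
    TRACEABILITY = "traceability"


class Consequence(IntEnum):
    NONE = 0          # the optional "zero" class mentioned in the text
    MODERATE = 1
    SIGNIFICANT = 2
    SERIOUS = 3


class Likelihood(IntEnum):  # assumed three-step probability scale
    RARE = 1
    POSSIBLE = 2
    LIKELY = 3


@dataclass(frozen=True)
class InformationAsset:
    name: str
    consequence: dict[Aspect, Consequence]  # consequence of damage, per aspect
    likelihood: dict[Aspect, Likelihood]    # probability of that damage, per aspect

    def __post_init__(self) -> None:
        # Every aspect must be assessed; a missing aspect is an unclassified asset.
        for table in (self.consequence, self.likelihood):
            missing = set(Aspect) - set(table)
            if missing:
                raise ValueError(f"{self.name}: not assessed for {sorted(a.value for a in missing)}")


def classify(asset: InformationAsset) -> Consequence:
    """Protection class of the asset: its highest consequence over all aspects."""
    return max(asset.consequence[a] for a in Aspect)


def build_matrix(assets: list[InformationAsset]) -> dict[tuple[Consequence, Aspect], list[str]]:
    """Place each asset in the box (consequence level, aspect) that applies to it."""
    matrix: dict[tuple[Consequence, Aspect], list[str]] = {
        (c, a): [] for c in Consequence for a in Aspect
    }
    for asset in assets:
        for a in Aspect:
            matrix[(asset.consequence[a], a)].append(asset.name)
    return matrix


def render_matrix(assets: list[InformationAsset]) -> str:
    """Text grid: aspects across the top (x-axis), consequence levels down the side (y-axis)."""
    matrix = build_matrix(assets)
    width = 40
    header = "".ljust(12) + "".join(a.value.title().ljust(width) for a in Aspect)
    rows = [header]
    for c in reversed(Consequence):  # serious consequences at the top
        cells = [", ".join(matrix[(c, a)]) or "-" for a in Aspect]
        rows.append(c.name.title().ljust(12) + "".join(cell.ljust(width) for cell in cells))
    return "\n".join(rows)


def risk_score(asset: InformationAsset, aspect: Aspect) -> int:
    """Consequence combined with probability, as the risk analysis step requires."""
    return int(asset.consequence[aspect]) * int(asset.likelihood[aspect])


def protection_level(asset: InformationAsset) -> str:
    """Assumed thresholds on the worst per-aspect risk score (0, 1-2, 3-5, 6-9)."""
    worst = max(risk_score(asset, a) for a in Aspect)
    if worst == 0:
        return "none"
    if worst <= 2:
        return "basic"
    if worst <= 5:
        return "enhanced"
    return "strong"


# Constructed sample assets (not from the article).
CUSTOMER_DB = InformationAsset(
    "Customer database",
    {Aspect.CONFIDENTIALITY: Consequence.SERIOUS, Aspect.INTEGRITY: Consequence.SIGNIFICANT,
     Aspect.AVAILABILITY: Consequence.MODERATE, Aspect.TRACEABILITY: Consequence.SIGNIFICANT},
    {Aspect.CONFIDENTIALITY: Likelihood.POSSIBLE, Aspect.INTEGRITY: Likelihood.RARE,
     Aspect.AVAILABILITY: Likelihood.LIKELY, Aspect.TRACEABILITY: Likelihood.RARE},
)
PRICE_LIST = InformationAsset(
    "Public price list",
    {Aspect.CONFIDENTIALITY: Consequence.NONE, Aspect.INTEGRITY: Consequence.MODERATE,
     Aspect.AVAILABILITY: Consequence.MODERATE, Aspect.TRACEABILITY: Consequence.NONE},
    {Aspect.CONFIDENTIALITY: Likelihood.POSSIBLE, Aspect.INTEGRITY: Likelihood.LIKELY,
     Aspect.AVAILABILITY: Likelihood.POSSIBLE, Aspect.TRACEABILITY: Likelihood.RARE},
)
AUDIT_LOG = InformationAsset(
    "Audit log",
    {Aspect.CONFIDENTIALITY: Consequence.MODERATE, Aspect.INTEGRITY: Consequence.SERIOUS,
     Aspect.AVAILABILITY: Consequence.MODERATE, Aspect.TRACEABILITY: Consequence.SERIOUS},
    {Aspect.CONFIDENTIALITY: Likelihood.RARE, Aspect.INTEGRITY: Likelihood.RARE,
     Aspect.AVAILABILITY: Likelihood.POSSIBLE, Aspect.TRACEABILITY: Likelihood.RARE},
)
SAMPLE_ASSETS = [CUSTOMER_DB, PRICE_LIST, AUDIT_LOG]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_ASSETS))
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name}: class={classify(asset).name}, protection={protection_level(asset)}")
```

The audit log shows why the text separates the two steps: by consequence alone it lands in the serious class (integrity and traceability), but with the assumed low likelihood its risk score only calls for the enhanced level, while the customer database keeps the strong level because a serious consequence meets a plausible probability.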
Update
Just as in all other security work, it is important to keep information classification constantly up to date. New information and new priorities must be placed and updated at the right level of consequence for the various security aspects.