“We’ve had a classification policy for 30 years, but we’ve never been able to enforce it.”
Does this quote sound familiar to you? It’s very common for organizations, especially in the commercial space, to have a classification policy but no way to implement it. Instead, organizations often move directly to the data protection stage, investing in large infrastructure projects such as DLP and IRM. But without classification as the foundation of their information protection strategy, it’s impossible for organizations to know what to protect.
Fortunately, implementing a classification policy is actually quite simple. Based on our experience in helping hundreds of organizations, here are our five recommended steps for implementing a classification policy:
1. Create a simple information classification policy
Whether your organization already has a classification policy, or is just defining one now, it’s best to start simple. Many organizations use three categories:
- A category such as “Public” to indicate non-sensitive information
- An “Internal” category for information that should stay within the organization
- A category such as “Confidential” or “Restricted” for information that is particularly sensitive
2. Enable classification in current desktop tools
The easiest way to get users to classify their email and documents is to make classification part of the user’s workflow. So when a user sends an email, or saves a document, you can prompt them to classify. By integrating the classification process into the desktop application, the classification process is simple and intuitive to the user.
TITUS offers a range of classification solutions for desktop applications, including Microsoft Outlook, Microsoft Office, Windows Explorer, and Lotus Notes. TITUS classification solutions are client-based, so they require no server and are easily deployed. The software can be rolled out overnight or on a weekend, with users logging in the next morning to find a new classification interface in their already familiar desktop products.
3. Create and deploy a common configuration
Your next step is to define a common configuration across your user community. Here are some areas you will configure:
- The names of your classification labels/categories
- Whether you want to force users to classify or provide defaults
- Whether visual labels will be displayed in the emails / documents
At this stage in your deployment, it’s best to keep the configuration as simple as possible. You can add additional policies and options in the coming weeks and months, as users become used to the classification process. Doing it this way reduces the amount of testing and training required for a successful rollout.
4. Get the users involved – Start classifying and adding metadata
After you deploy the classification software and the associated configuration, users will have a new classification interface in their desktop applications. This interface will let them identify the sensitivity of their information, helping to share the responsibility of corporate security across the organization, rather than simply relying on the IT department to identify and protect the information.
Many organizations choose to prompt their users to classify every email and document. This causes users to stop and think about the sensitivity of the content, which fosters a culture of awareness and engages users in the organization’s information security strategy.
5. Evolve information controls over time
With your users now classifying their email and documents, you are ready to start enforcing policy based on those classifications. You have several options for leveraging the classifications for policy enforcement:
- Take advantage of policy enforcement within the classification software itself. As an example, TITUS Message Classification for Outlook can warn users when sending internal email to external email addresses. This type of policy enforcement is very effective because it prevents data leaks before the information leaves the desktop, and provides targeted security education to the user.
- Automatically apply information rights management and encryption. By using classification as a front-end to encryption and IRM solutions, organizations can automatically apply encryption, digital signatures, or rights protection based on the classification. Users do not need to understand the encryption or IRM technology; they simply select a classification and the appropriate protection is applied transparently.
- Leverage classification metadata with downstream solutions. Other technology solutions can make use of the classification metadata that is created when users classify a document or email. For example, a DLP solution can read the metadata on a document to determine if a user should be allowed to copy the data to a USB drive. A records management system can use the metadata to determine where to store a document and how long to retain it. And a perimeter security solution can read the metadata on an email to determine if it should be encrypted at the gateway.
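The three enforcement options above all come down to the same decision: read the label a user attached, look at where the information is going, and pick an action. The following added example (not TITUS code, and not the metadata format TITUS products write, which this page does not describe) shows that decision for email at a gateway. It assumes a hypothetical `X-Classification` header carrying one of the three labels from step 1, a constructed organization domain of `example.com`, and constructed sample messages; it delivers Public mail, warns on Internal mail leaving the organization, encrypts Confidential mail leaving the organization, and holds anything unlabelled so the sender can be prompted to classify.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed header name and label set (the page describes no wire format for the
# classification metadata); the organisation domain is constructed for the example.
CLASSIFICATION_HEADER = "X-Classification"
LABELS = ("Public", "Internal", "Confidential")
ORG_DOMAIN = "example.com"


def recipients(msg):
    """All addresses from To and Cc, lowercased (a production gateway would use
    the SMTP envelope recipients rather than the message headers)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]


def external_recipients(msg, org_domain):
    """Recipients whose mailbox is not in the organisation's own domain."""
    suffix = "@" + org_domain.lower()
    return [a for a in recipients(msg) if not a.endswith(suffix)]


def evaluate(raw_message, org_domain=ORG_DOMAIN):
    """Decide what the gateway does with one message, purely from its
    classification label and its recipients.  Returns (action, reason)."""
    msg = message_from_string(raw_message)
    label = (msg.get(CLASSIFICATION_HEADER) or "").strip()
    external = external_recipients(msg, org_domain)

    if label not in LABELS:
        # Unlabelled mail cannot be evaluated; hold it and ask the sender to classify
        return "hold", "missing or unknown classification label"
    if label == "Public" or not external:
        return "deliver", f"{label}: non-sensitive content or no external recipients"
    if label == "Internal":
        # Same check the desktop-side warning performs, applied at the gateway
        return "warn", "Internal content addressed to " + ", ".join(external)
    # Confidential content leaving the organisation: encrypt rather than block
    return "encrypt", "Confidential content addressed to " + ", ".join(external)


# Constructed sample messages (not real traffic)
SAMPLES = {
    "public_external": (
        "From: alice@example.com\r\nTo: press@partner.org\r\n"
        "X-Classification: Public\r\nSubject: Press release\r\n\r\nText\r\n"
    ),
    "internal_leak": (
        "From: alice@example.com\r\nTo: Bob <bob@example.com>, carol@gmail.com\r\n"
        "X-Classification: Internal\r\nSubject: Staff memo\r\n\r\nText\r\n"
    ),
    "confidential_external": (
        "From: alice@example.com\r\nTo: bob@example.com\r\nCc: auditor@audit-firm.com\r\n"
        "X-Classification: Confidential\r\nSubject: Q3 numbers\r\n\r\nText\r\n"
    ),
    "confidential_internal": (
        "From: alice@example.com\r\nTo: bob@example.com\r\n"
        "X-Classification: Confidential\r\nSubject: Q3 numbers\r\n\r\nText\r\n"
    ),
    "unlabelled": "From: alice@example.com\r\nTo: carol@gmail.com\r\nSubject: Hi\r\n\r\nText\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        action, reason = evaluate(raw)
        print(f"{name:24s} -> {action:8s} ({reason})")
```

The point of the example is that the policy is tiny once the label exists: the hard part, deciding sensitivity, was done by the user at the desktop, and every downstream control (DLP, records management, the encrypting gateway) can reuse that one decision instead of guessing from content.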
The Foundation of an Effective Information Protection Strategy
By following these five steps to implementing a classification policy, you will have established the foundation of an effective information protection strategy. Your users will become critical partners in identifying and protecting your organization’s valuable information assets, all for the investment of one simple click.
Over the coming weeks, we’ll publish a white paper and a series of blog articles that dig deeper into each of these steps. What is your experience with implementing a classification policy? Join the discussion and leave a comment or email me at firstname.lastname@example.org.