In my previous blog post, 5 Easy Steps for Implementing a Classification Policy, I discussed the importance of starting with a simple set of classification labels. In this post, I will expand on the topic of classification schemes, especially as they apply to commercial organizations.
At TITUS, we recommend that organizations try to keep the number of classification options down to four or fewer. We find that the simpler your classification scheme, the easier it will be for users to decide which category to use. Later, as your users become used to classifying content, you can add additional categories.
Many organizations use three categories:
1) A category such as “Public” to indicate non-sensitive information
2) An “Internal” category for information that should stay within the organization
3) A category such as “Confidential” or “Restricted” for information that is particularly sensitive
Surprisingly, the “Public” category is often what causes the most debate in commercial organizations. It can be difficult to define exactly what Public means. Some information is obviously public, such as press releases or marketing collateral. But what about day-to-day correspondence with partners and customers? Or personal emails that employees send to friends or family?
Organizations frequently struggle with how to categorize this type of information, and typically debate the following options for addressing it:
1) Create a “blank” or “No Label” category. This allows users to opt out of classifying data that doesn’t fit the existing categories. The danger with this approach is fairly obvious: it undermines your original goal of using classification to prevent data loss. Users may start selecting this option almost by default, because it is easier than thinking through the appropriate classification choice for their information.
2) Use the “Public” category but turn off visual markings. With this option, no visual markings (such as “Classification: Public”) are added to the header, footer, watermark, or subject line of the email or document, even though the document is still classified as “Public”. This approach can be beneficial when working with partners and customers who may not want to see the word “Public” on their correspondence with your organization. However, visual markings are a key part of educating your employees on the importance of classification, especially in the early stages of your classification program.
3) Use a different label name to represent “Public”. Your organization may want to follow the example of military and government organizations, which typically use a category called “Unclassified” or “Not Protectively Marked” for their less sensitive information. The challenge with this approach is that recipients may not be familiar with these label names (although it’s possible to include an explanation below the visual marking in the email or document).
4) Create a “Personal” category for non-work-related correspondence. It’s a business reality that users send the occasional personal email from their work account. Because of this, some organizations may want to add a “Personal” label to their list of classification options. The disadvantage of this approach is that “Personal” can be interpreted as “Personally Identifiable Information (PII)”. Users may mislabel PII data as “Personal”, leading to a potential data breach.
5) Create an extra category for less sensitive information. Some organizations create a label specifically for information that can be released outside the company, but is still sensitive. This label might be called “Sensitive” or “Commercial-in-Confidence”. This approach relies on users to differentiate “Sensitive” from “Confidential”, which can cause confusion and inaccurate labeling.
At TITUS, our recommendation is to use a “Public” label, and apply visual markings to “Public” email and documents. This reinforces the corporate goal of raising security awareness and identifying information sensitivity. Once users gain experience in classifying their data, you can reassess the “Public” label and consider some of the options above.
The creation of the rest of the classification scheme should be fairly straightforward. At this stage in the classification program, there should be only two or three additional categories. Here are some typical examples:
- Confidential, Secret
- Internal, Confidential
- Internal, Confidential, Highly Confidential
- Internal, Confidential, Strictly Confidential
- Internal Use Only, Restricted, Restricted Confidential
Later, you may want to add a second classification level to address specific data protection needs. Here are some examples:
- Compliancy: PCI DSS, HIPAA/HITECH, GLBA, CMR 201, ISO 27001, PIPEDA, EU Directive 95/46/EC, etc.
- Information Privacy: Personally Identifiable Information (PII), Protected Health Information (PHI)
- Intellectual Property: Copyright, Trade Secret, Patent Application Document, Patent Supporting Document, Not IP
- Export Compliancy: ITAR, EAR
- Department: Legal, Human Resources, Finance, Engineering, Sales, etc.
- Project: Codenames for new products and other projects
- Legal/Discoverability: Privileged, Hold
- Retention: Retention Period and/or Retention Start Date
Organizations are often tempted to add these labels to the initial classification policy rollout. However, adding more labels at this point will increase internal debate, slow down the implementation, and possibly lead to a classification scheme that is overly complex or restrictive. Your goal is to get users to start classifying now, rather than developing a classification scheme that is perfect in theory, but never put into practice. That’s why it’s best to start with a simple classification scheme, which your organization can tailor over time as users gain more classification experience.
Have you implemented a classification policy in your organization? What are your recommendations for a practical and effective classification scheme? Please contact me at firstname.lastname@example.org, or leave a comment below.