Last week, the lead whitepaper in TechTarget’s Daily Top 5 was titled, How to Tackle Information Classification – published by the Jericho Forum. Naturally, I was interested to see what it had to say and eagerly downloaded it only to find that it was originally published in January 2009 – almost 5 years ago. Despite its age, the whitepaper is a solid introduction to information classification, the benefits and the challenges. In particular, it provides confirmation that classification is the lynchpin to successful security in a “de-perimeterised environment.” But there were a few areas where it was a bit, shall we say, “stale.” The Jericho Forum whitepaper identified some problems which, in the years since it was published, have been successfully addressed.
Let’s look at the three main problems areas that the Jericho Forum whitepaper identified:
- classification is complicated and requires special training,
- classification is not consistent if it is the responsibility of too many, and
- classification must be automated to ensure that all files are classified.
Today, classification does not require specialists. While compliance, security, business and policy specialists are needed to craft the classification schema and handling rules, any user can classify. Classification tools are built into the users’ desktop and popular applications, like Microsoft Office or Outlook. TITUS products, for example, integrate classification right into the Microsoft Office HOME toolbar, alongside the other most used features, enabling users to easily select the classification level for the document or email they are working on. From a desktop or Windows Explorer view, users can simply right-click on a file to find that classification options have been added to the standard right-click menu. In other words, there are no separate applications or alien interfaces that users have to learn. They are simply presented with new options within their familiar operating environment.
The next issue brought up by the Jericho Forum whitepaper is the difficulty in getting users to know how to classify consistently and in accordance with policy. The whitepaper points out that the value of a document may vary from department to department, user to user, and through time as it is modified. Also, employees are not always aware of the bigger picture and how the loss of information they create and use could have negative effects. As a result, it is often difficult for users to know the real value of the data to the overall organization, so the user does not apply the appropriate classification. On the other side of that coin, users that are given the ability to classify become nervous they may tend to over-classify. It is for both of these reasons that TITUS has designed a user interface that is easy to use and informative.
As the user is presented with classification option, TITUS tool tips provide information about each possible choice to guide them to the right one. If the user needs more information, every TITUS menu or pop-up window has a help button. Since each organization will have different classification thresholds for applying specific classifications, the help file is completely customizable to provide clear and precise instructions. With proper guidance in place, users will be empowered to assign the appropriate value to the information they are creating or updating.
Finally, the Jericho whitepaper advocates for automation since, in 2009, classification was more difficult and usually the task of a select group. However, automation has problems as well. In the years since 2009, automation has been tried extensively, although classification was simply lumped into DLP discovery tools. While I agree that automation is essential, I am particular about how and where it is applied. We have learned that bulk classification systems and DLP systems fail to reach the required levels of accuracy when examining the content of data, creating too many false positives and false negatives. In light of automation’s failure, the need for classification has really started to crystalize into a unique discipline of its own.
Users must be involved in the classification process. Of course, the Jericho Forum is correct when they state that users make mistakes and I must confess that they will, even with readily available help tools. It is for this reason that TITUS uses automation to guide and enhance user classification.
TITUS can be configured to work differently for different users and groups. In other words, some users may find that all of their files are automatically given a default classification. More dynamically, a different group may find that TITUS has reviewed the file and suggests to the user a classification based on the content. In either case, the user can always be given the choice to change the classification if the automated classification was not accurate.
It is interesting to see how far classification has come in a short time. And TITUS continues to innovate, simplifying and streamlining user obligations to classify with intelligent automation and policy enforcement.