“Traditional Information classification is characterised by the ‘Top Secret’ rubber stamp in James Bond films,” says Nick Frost, the report’s author and senior research consultant at the ISF. “Today, information exists in many different forms, from paper documents and verbal communications to the masses of electronic data stored, transmitted and processed. While introducing an effective enterprise wide scheme is daunting, organisations can no longer afford to ignore its importance if further embarrassing data loses are to be avoided.”
Information classification requires a consistent process to determine the level of confidentiality of a piece of information; the development of techniques for communicating the level of classification; and the practical implementation of measures to protect information accordingly.
But the benefits of successful Information Classification are considerable according to the ISF report. By ensuring that information is adequately protected, good information classification helps to prevent over- or under-engineering of controls, so reducing potential operational overspend and unnecessary drains on resources. Information Classification can also help to enforce better access control policies and be used to demonstrate compliance for legislation such as Data Protection and Privacy along with regulations including HIPAA and Gramm-Leach Bliley.
The report highlights that to achieve these levels of success requires participation across an organisation from HR and Legal to IT and Audit, along with Board level support. “Having senior managers with a shared strategic vision and understanding of information classification and the value it can deliver is critical to overcome budgetary and organisational issues,” says the ISF’s Nick Frost: “It is also vital to run a successful pilot project to show a ‘quick win’ to demonstrate the benefits.”