1 Introduction
The ISO/IEC 27001 Information Security standard requires information to be classified (Annex A control A.8.2 in the 2013 edition), and most organizations that have a documented Information Security policy will have a section on Data Classification.
Data Classification is an important step in building a secure organization. Classifying data is the process of categorizing information assets according to their sensitivity and to the laws, regulations and contractual obligations that apply to them.
A typical example is that of the Traffic Light Protocol (TLP) as used by the US-CERT and many other organizations.
Colour | Example marking | When should it be used? | How may it be shared? |
---|---|---|---|
RED | < Company > Top Secret | Personal, for named recipients only | RED information is limited to those present at the meeting. In most circumstances it will be passed verbally or in person. |
AMBER | < Company > Restricted | Limited distribution | Recipients may share AMBER information with others within their own organization, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing. |
GREEN | < Company > Internal Use Only | Community wide | GREEN information may be circulated widely within a particular community, but it may not be published or posted publicly on the Internet, nor released outside of the community. |
WHITE | Unmarked or < Company > Public | Public or unlimited | Subject to standard copyright rules, WHITE information may be distributed freely, without restriction. |
Sources: https://en.wikipedia.org/wiki/Traffic_Light_Protocol and https://www.us-cert.gov/tlp
Documents that are classified can then be handled appropriately. Recording the classification in the document's metadata (for example a file property or an e-mail header) extends it to the systems that handle the document, so that file stores, e-mail systems, cloud gateways and similar tools can read the label and enforce company policy on data handling, storage and transfer.
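The enforcement step described above, as an added example that is not part of the original page and not Boldon James code: a check that an outbound e-mail gateway could run on the classification header of each message, applying the sharing rules from the TLP table. The header name X-Classification, the company markings, the organization and community domain lists, and the sample messages are all constructed for this illustration.

```python
"""TLP-style release check on an e-mail classification header (illustrative, not vendor code)."""
import email
from email.utils import getaddresses
from enum import IntEnum


class Tlp(IntEnum):
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


# Assumed company markings (the table's "Example marking" column) mapped to TLP colours.
MARKINGS = {
    "top secret": Tlp.RED,
    "restricted": Tlp.AMBER,
    "internal use only": Tlp.GREEN,
    "public": Tlp.WHITE,
}


def classify(msg, header="X-Classification", default=Tlp.WHITE):
    """Return the TLP colour carried in the (assumed) classification header.

    Unmarked mail gets `default`. The table treats unmarked as WHITE; a gateway
    that prefers to fail closed would pass default=Tlp.AMBER so that nothing
    leaves the organization until someone has classified it.
    """
    value = msg.get(header)
    if value is None:
        return default
    text = value.strip().lower()
    for marking, colour in MARKINGS.items():
        if text.endswith(marking):  # tolerate a "<Company> " prefix before the marking
            return colour
    raise ValueError(f"unrecognised classification marking: {value!r}")


def recipient_domains(msg):
    """Set of domains appearing in To, Cc and Bcc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in pairs if "@" in addr}


def check_outbound(raw_message, own_domains, community_domains, default=Tlp.WHITE):
    """Decide whether the gateway may release the message. Returns (allowed, reason)."""
    msg = email.message_from_bytes(raw_message)
    colour = classify(msg, default=default)
    domains = recipient_domains(msg)
    own = {d.lower() for d in own_domains}
    community = own | {d.lower() for d in community_domains}
    if colour is Tlp.RED:
        return False, "RED: must be passed verbally or in person, not by e-mail"
    if colour is Tlp.AMBER and not domains <= own:
        return False, f"AMBER: external recipients {sorted(domains - own)}"
    if colour is Tlp.GREEN and not domains <= community:
        return False, f"GREEN: recipients outside the community {sorted(domains - community)}"
    return True, f"{colour.name}: release permitted"


# Constructed configuration and sample messages (not real organizations).
OWN = {"example.com"}
COMMUNITY = {"partner.example"}

SAMPLES = {
    "amber_external": b"From: alice@example.com\nTo: bob@example.com, carol@partner.example\n"
                      b"Subject: Q3 figures\nX-Classification: Example Corp Restricted\n\nbody\n",
    "green_partner": b"From: alice@example.com\nTo: carol@partner.example\n"
                     b"Subject: Meeting notes\nX-Classification: Example Corp Internal Use Only\n\nbody\n",
    "green_outsider": b"From: alice@example.com\nCc: dave@outsider.example\n"
                      b"Subject: Meeting notes\nX-Classification: Example Corp Internal Use Only\n\nbody\n",
    "red": b"From: alice@example.com\nTo: bob@example.com\n"
           b"Subject: Board paper\nX-Classification: Example Corp Top Secret\n\nbody\n",
    "unmarked": b"From: alice@example.com\nTo: dave@outsider.example\nSubject: Hello\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ok, why = check_outbound(raw, OWN, COMMUNITY)
        print(f"{name:15} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

The only policy decision worth arguing about is the `default`: the table equates "unmarked" with WHITE, which is convenient for users but means any document that escaped the labelling step is treated as public by every enforcement point, so gateways are usually configured to treat unmarked content as AMBER or to hold it for classification.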
Examples of data that should be classified and appropriately protected include:
- Payment card data subject to the Payment Card Industry Data Security Standard (PCI DSS)
- Data subject to the US Sarbanes–Oxley Act (SOX)
- Data subject to mandatory data breach reporting
- Personal Information (PI) and Sensitive Personal Information (SPI) as defined by data protection legislation and, from 25 May 2018, by the EU-wide General Data Protection Regulation (GDPR)
- Pre-patent information
- Proprietary corporate information
- Designs, drawings and similar material that are subject to Intellectual Property Rights (IPR)
- Information that is share price sensitive
- Data subject to the US International Traffic in Arms Regulations (ITAR)
When it comes to developing a Data Classification system, one size does not fit all: it is not something that can be bought “off-the-shelf” in a box, and none of the standard tools in regular office use within companies today classifies data automatically by default.
The Boldon James Data Classification suite is a set of tools, covering a wide range of popular operating systems and applications, that can be tailored to let an organization classify its information quickly and simply, in a way that is consistent with its data classification standard, corporate ethos and ways of working.