The Main Thing about Information Classification
The Main Thing you need to know about information classification is that the concept is well understood, but the application is not.
All too often, we see IT security staff categorizing information with "public, internal, restricted, and secret" labels that tell end users very little about what they are supposed to do with information so labeled. Worse yet, most of these classification practices deal only with the confidentiality of the information and partially or completely ignore guidance on its integrity and availability. And yet laws such as Sarbanes-Oxley and international privacy laws ask us to provide guidance on the integrity of the information that falls under their jurisdiction and categorization. US governmental guidance in documents such as NISPOM, ITAR, and EAR is strict not only about the confidentiality but also about the availability (or non-availability) of the information in their classifications. The Payment Card Industry mandates protective measures for the confidentiality, integrity, and availability of information classified under its jurisdiction.
The reason for information categorization is to provide guidance to those who will first identify and then protect the confidentiality, integrity, and availability of that information.
In order to properly roll out an information categorization program, you will need to accomplish three goals.
- Develop a general understanding of how the various authority documents define the various types of information and describe information categorization.
- Understand, and internalize, who should use information classification, how they should use it, and when they should use it.
- Roll out a basic information categorization program that links to your compliance control framework.
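To make the article's point concrete, here is an added example (not code from the article or from the UCF) that expresses a classification scheme as data and checks it for exactly the gap described above: labels that only say something about confidentiality. It also gives the lookup an end user needs ("what do I do with a document marked Restricted?") and links each label to control identifiers in a compliance framework. The label names, handling text, and control ids (`CTRL-…`) are constructed for illustration and do not come from any authority document.

```python
"""Classification scheme as policy-as-code.

Added example: validates that every label gives end-user guidance for
confidentiality, integrity AND availability, and looks up that guidance
by label. All labels, rule text and control ids below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three properties a handling rule must address. The common failure mode
# is a scheme that stops after the first one.
DIMENSIONS: Tuple[str, ...] = ("confidentiality", "integrity", "availability")


@dataclass
class Label:
    """One classification label and the guidance it gives end users."""
    name: str
    # dimension -> plain-language instruction ("what do I do with this?")
    handling: Dict[str, str]
    # hypothetical identifiers of controls in the compliance control framework
    linked_controls: Tuple[str, ...] = ()


def missing_dimensions(label: Label) -> List[str]:
    """Dimensions for which the label gives no (or only blank) guidance."""
    return [d for d in DIMENSIONS if not label.handling.get(d, "").strip()]


def validate_scheme(scheme: List[Label]) -> Dict[str, List[str]]:
    """Map each incomplete label to the dimensions it fails to address.

    An empty result means every label tells users how to protect
    confidentiality, integrity and availability.
    """
    gaps = {}
    for lab in scheme:
        missing = missing_dimensions(lab)
        if missing:
            gaps[lab.name] = missing
    return gaps


def handling_instructions(scheme: List[Label], label_name: str) -> Dict[str, str]:
    """Return the end-user guidance for a label; unknown labels are an error."""
    by_name = {lab.name.lower(): lab for lab in scheme}
    lab = by_name.get(label_name.lower())
    if lab is None:
        raise KeyError(f"unknown classification label: {label_name!r}")
    return dict(lab.handling)


# Constructed "before": the confidentiality-only scheme the article criticises.
WEAK_SCHEME = [
    Label("public", {"confidentiality": "May be shared with anyone."}),
    Label("internal", {"confidentiality": "Do not share outside the company."}),
    Label("restricted", {"confidentiality": "Share only with named recipients."}),
]

# Constructed "after": each label carries guidance on all three dimensions and
# links to hypothetical control ids in the organisation's control framework.
FULL_SCHEME = [
    Label(
        "public",
        {
            "confidentiality": "May be shared with anyone.",
            "integrity": "Publish only through the approved CMS so edits are traceable.",
            "availability": "No uptime commitment; keep a copy in the document archive.",
        },
        linked_controls=("CTRL-PUB-01",),
    ),
    Label(
        "internal",
        {
            "confidentiality": "Do not share outside the company.",
            "integrity": "Edit only on the shared drive; do not circulate local copies.",
            "availability": "Stored on backed-up shares; restore within 5 business days.",
        },
        linked_controls=("CTRL-INT-01", "CTRL-BKP-02"),
    ),
    Label(
        "restricted",
        {
            "confidentiality": "Share only with named recipients; encrypt in transit and at rest.",
            "integrity": "Changes require a second reviewer and are logged.",
            "availability": "Mirrored to a second site; restore within 24 hours.",
        },
        linked_controls=("CTRL-RES-01", "CTRL-LOG-03", "CTRL-BKP-01"),
    ),
]


if __name__ == "__main__":
    print("gaps in weak scheme:", validate_scheme(WEAK_SCHEME))
    print("gaps in full scheme:", validate_scheme(FULL_SCHEME))
    for dim, text in handling_instructions(FULL_SCHEME, "Restricted").items():
        print(f"restricted/{dim}: {text}")
```

Running the block reports every label of the weak scheme as missing integrity and availability guidance and an empty gap list for the full scheme; the same `validate_scheme` check can be run against a scheme exported from a policy tool before it is rolled out.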
As always, the material in the UCF is harmonized across all authority documents we are currently working with.
