Monthly Archives: June 2013

Information classification for dummies

Most companies serious about security have an information classification policy. Too often, this policy has been drafted based on common practice and don’t bring an added value to the business nor did it fit to the business reality. In fact, too often, security people don’t even understand what is the real purpose of classifying information and so, their users neither understand why they should classify information. When people don’t understand the meaning of an action, except if they have been well conditionned, it is likely they won’t repeat the action. As a consequence in this case, information classification policies are often not used or at best, badly applied.

Whatever you do in information security, it must have a meaning and even more, it must have an added value. The main purpose of classification is to foster adequate behaviour with information. If you want to change behaviour and even more if you want them to be appropriate, you better give a good understanding of the reason why you do things.

So here are two little examples that will make your users understand the rationale behind information classification. You can easily put images together with it or use it to make a story for a presentation.

First example

Let start with a non informational asset as it might be easier to understand the rationale.

Imagine you are moving to a new house and you prepare your boxes (It has most likely already happen to you).

 In your belongings (that we call Assets), there is a beautiful vase you received from your mother (or step-mother) at your wedding. Although the monetary value of the vase is high (Financial risk), it is mostly to avoid conflict with your (step-)mother (Reputational risk) that you don’t want it to break in pieces during transport (threat).

Your risk of loosing the vase integrity = probability of breaking it during the move (Highly probable) x the number of time you will likely hear your (step-)mother remind you you broke her beautiful gift (likely a high cost for your nerves, your self-esteem and your relationship). High probability multiply by a high impact (we call that a High risk), you will probably decide to put the vase alone in a box with a lot of bubble plastic and process the box with extra care.

Unfortunately, box movers are not famous for their carefulness with boxes and you won’t have time to watch the box during the entire day to prevent an incident (we call that mitigate the risk). So, you decide to warn the movers or any friend coming to help that the box contains a precious good.

You put a nice label on the package (FRAGILE) to inform people that the content of the box requires careful handling (we call that Classification) and expect that movers will behave accordingly…

 That’s exactly what we do with information and our Asset Classification and we also expect you will behave like our cautious and devoted box movers.

Another example

Let’s take another example, involving information and talk about your salary.

Your monthly salary is information. It is mentioned in your employment contract, on your monthly pay sheet, in the financial system and probably in your head if you know it by heart. You might have thought about it or not but this particular information is facing a number of threats. We can divide these threats in 3 main categories that we will call Confidentiality, Integrity and Availability.

The first type of threat only exists if you don’t want to share your salary with the rest of the world. Maybe did you put it on your LinkedIn profile or even on your Facebook personal details? It’s more likely you don’t want to share this information with everybody (like your colleagues, your neighbour, your ex-wife, any door-to-door salesman or any thief that would become more interested in your house). Nevertheless, disclosing this information to someone you don’t want to share it with might have a different impact depending of the circumstances (in some country, being wealthy increase the risk of having your relatives kidnapped).

Depending of the impact of unwanted disclosure for you, you will process this information with care or not. Let’s assume it is of a medium importance for you, you will probably put your pay sheet in your case or your bag and not leave it opens on your desk. You may even put the words “personal and confidential” on the envelope to ensure nobody dares to open it without asking you. Well, you just classify your salary in the Confidentiality dimension.

The second threat, Integrity, might have a greater impact on you, good or bad. Imagine someone succeed to change it (multiplying it by ten or dividing it by ten). In one case you might be quite happy, in the latter, quite annoyed. The impact of loosing what we call the integrity of that information might be quite high. You presume your employer will ensure the value remain the one you agreed with him (throughout the payment systems, employment contract and so on). Doing so, you classify your salary as information with a high Integrity requirement.

The latest threat to this information is its unavailability. Most of the time, you don’t care about your salary (The information, you are probably more interested in one of its consequence: the amount on your bank account). Nevertheless, a few days before you received the payment of this salary, this information is mandatory. If, by any chance, the system was not able to provide the information on that day, you would maybe be stressed. Should the company take 6 months to restore the system and pay your salary, you would likely be more than upset. You will then likely agree that this information’s availability is important for you and you might likely be able to define the number of days you could wait before it cause you huge financial problems. That’s exactly the purpose of classifying the information’s availability.

You now understand why we classify information: to create adequate protection behaviours to the information handler by communicating the impact of some type of incidents. The final goal being lowering risks to an acceptable and sustainable level. For instance, when we classify information to the level of confidentiality Confidential, we want you to understand that if someone unauthorized has access to this information, it might cost us a lot of money or severely damage our reputation.