Information Classification – The Link between Security and Privacy

Most of the attention focused on information security today surrounds the public data breach. Almost daily we hear a new report of hundreds or thousands of records of personal information being improperly disclosed. In fact, it is the loss of private data that drives most of the regulatory environment designed to enforce security: GLBA and HIPAA at the national level, as well as dozens of state laws, including CA SB 1386 and MA 201 CMR Part 17. Certainly, any organization that is concerned with information security must be concerned about data privacy.

So how does information security enforce privacy? Essentially, the idea is to make sure that private customer information is protected from improper disclosure. In healthcare, for example, protecting electronic protected health information (ePHI) is the focus of both HIPAA and its extension, HITECH. Within PCI DSS, cardholder data, above all the primary account number, is the focus of the protective controls.

So how does this translate into an information security program? In practical terms, enforcing customer privacy requires two things: first, that the organization identify and classify all of the private data it possesses, and second, that the security program apply its strongest protection to that sensitive data. This link is created within the Information Classification Policy.

Information Classification, or more accurately Information Sensitivity Classification, is the process of dividing data into categories based on the need for confidentiality.

Usually this is done using three or four categories. A common three-category scheme divides up the information like this:

PUBLIC – Information that is not sensitive to the organization and can be viewed by anyone.

INTERNAL USE ONLY (Private) – Information that should only be seen by people inside the organization.

CONFIDENTIAL – Access to this information must be tightly restricted on the basis of need to know. It should be accessed only by a limited group of individuals, and its release would cause harm to the organization.

The familiar government label "TOP SECRET" is the same idea applied to national security information: the top tier of a multi-level scheme.

The idea is simple in principle: apply more protection to the most sensitive data and less to the least sensitive. In practice it can be very difficult to implement. Information classification requires a well-crafted set of information security policies that enable the organization to identify and label its information, and then to maintain those sensitivity labels as the data moves around the organization: into reports, exports, backups and third-party systems. With so much data in so many different places, this can be quite a challenge.

In working with many organizations developing information security policies, perhaps the biggest mistake we see is the failure to track and properly classify sensitive customer data. An organization may have a highly sophisticated information security program, using the latest technical wizardry such as firewalls with intrusion prevention. But if the organization cannot identify which data needs to be protected, all of those technical controls may be meaningless.
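As an added illustration of the two points above (identifying the sensitive data, then keeping its label with it as it moves), the following Python models the PUBLIC / INTERNAL / CONFIDENTIAL scheme as an ordered lattice: it tags a few constructed records by content and by field name, gives anything assembled from several sources the highest label of any source, and checks need-to-know before a CONFIDENTIAL read. This is example code written for this page, not the article's own method or any product. The field-name lists, the Luhn-based card-number detector, the SSN pattern and the sample records are assumptions made for the example; a real program would be driven by the organization's own data inventory.

```python
"""Toy model of the PUBLIC / INTERNAL / CONFIDENTIAL scheme.

Added example, not the article's own code. The field-name rules, the
card-number detector and the sample records below are assumptions made
for illustration.
"""
import re
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered so that max() picks the most restrictive label."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives when spotting card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """13-19 digits (spaces/dashes allowed) that pass Luhn: treat as a card PAN."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")                         # assumed rule
CONFIDENTIAL_FIELDS = {"ssn", "card_number", "diagnosis", "dob"}    # assumed inventory
INTERNAL_FIELDS = {"employee_id", "internal_notes", "salary_band"}  # assumed inventory


def classify_field(name: str, value) -> Sensitivity:
    """Content rules first (sensitive data is often misfiled), then field-name rules."""
    text = str(value)
    if looks_like_pan(text) or SSN_RE.match(text):
        return Sensitivity.CONFIDENTIAL
    if name.lower() in CONFIDENTIAL_FIELDS:
        return Sensitivity.CONFIDENTIAL
    if name.lower() in INTERNAL_FIELDS:
        return Sensitivity.INTERNAL
    return Sensitivity.PUBLIC


def classify_record(record: dict) -> Sensitivity:
    """A record is as sensitive as its most sensitive field."""
    return max((classify_field(k, v) for k, v in record.items()),
               default=Sensitivity.PUBLIC)


def derived_label(*labels: Sensitivity) -> Sensitivity:
    """Anything assembled from several sources (a report, an export, a cache)
    inherits the highest source label; labels never drop on copy or merge."""
    return max(labels, default=Sensitivity.PUBLIC)


def can_read(principal: dict, label: Sensitivity, need_to_know=frozenset()) -> bool:
    """PUBLIC: anyone. INTERNAL: employees. CONFIDENTIAL: employees who are
    in one of the need-to-know groups listed for that data."""
    if label == Sensitivity.PUBLIC:
        return True
    if label == Sensitivity.INTERNAL:
        return bool(principal["employee"])
    return bool(principal["employee"]) and bool(set(principal["groups"]) & set(need_to_know))


# Constructed sample data: not real people or cards; 4111... is a test number.
PRESS_RELEASE = {"title": "Q3 results", "body": "Revenue grew 4%"}
DIRECTORY_ROW = {"name": "A. Example", "employee_id": "E-1042"}
PATIENT_ROW = {"name": "A. Example", "diagnosis": "seasonal allergies"}
PAYMENT_ROW = {"customer": "A. Example", "card": "4111 1111 1111 1111"}
ORDER_ROW = {"customer": "A. Example", "order_id": "1234567890123"}


if __name__ == "__main__":
    for name, rec in [("press", PRESS_RELEASE), ("directory", DIRECTORY_ROW),
                      ("patient", PATIENT_ROW), ("payment", PAYMENT_ROW),
                      ("order", ORDER_ROW)]:
        print(f"{name:10} -> {classify_record(rec).name}")
    report = derived_label(classify_record(PRESS_RELEASE), classify_record(PAYMENT_ROW))
    print("report built from press + payment ->", report.name)
    contractor = {"employee": False, "groups": []}
    billing = {"employee": True, "groups": ["billing"]}
    print("contractor reads report:", can_read(contractor, report, {"billing"}))
    print("billing reads report:", can_read(billing, report, {"billing"}))
```

Two details are the point of the example. The payment row is caught by content, not by its field name, which is what a classification scan has to do because sensitive data rarely lives only where the schema says it should; the 13-digit order id fails the Luhn check and is not mistaken for a card number. And `derived_label` encodes the "label travels with the data" rule: a report that merges a public press release with a payment record is CONFIDENTIAL, so the contractor who may read the press release cannot read the report.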

Security Policy Tip: The take-away is this: if you go to the trouble of developing and implementing information security policies, make sure you remember the important link between privacy and information security, the information classification.

For organizations that need to develop a comprehensive Information Classification Policy, Information Security Policies Made Easy contains examples of two-, three-, four- and five-category information classification schemes, as well as 1,500 other sample information security policies.