What is information classification according to ISO 27001?
Information classification is essential in the face of cyber threats if you want to know how to protect specific data and prevent security incidents in your organization.
ISO 27001 Information classification is the process of dividing information into relevant categories. In a company, for example, financial files should not be mixed with files from the marketing department. Instead, they should be kept separately and accessible only to the relevant people who are authorized and empowered to do so. In this way, the stored information is secure and can also be retrieved more quickly when needed.
Information classification is a procedure by which organizations evaluate the data (internal and external) they hold and the level of protection it should receive. So it's not a good idea for the marketing team to quickly put some sensitive financials in an article for the NY Times because they want to brag about what their company has accomplished. The tax accountant will be particularly pleased and throw in some Xanax first. Actually, the marketing team doesn't really care about how the company's finances are doing; the main thing is that the budget is right. Enjoying life to the fullest in the coolest department. By the way, these are just rumors!
How data is categorized depends on the industry and the type of data the organization collects, stores, uses, processes, and transmits. For healthcare and healthcare-related organizations, this would be patient names, dates of birth, social security numbers, medical records and histories, or prescription information. For financial service providers, it could be PINs, payment histories, credit scores, or credit information.
Regardless of the type of data, consider the following when classifying data:
What data does my company collect from customers and vendors?
What data is my company creating?
How sensitive is this data?
Who needs access to what data?
Depending on how sensitively certain data is to be handled, different levels of secrecy are required. These determine who has access to the data and for how long it must be retained.
Let's stay with the healthcare industry for a second. Doctors need access to patients' personal data, including their medical history, which is already very sensitive.
However, doctors (especially in a hospital) should not have access to other sensitive data, such as financial data.
In these cases, a separate classification should be created to distinguish between sensitive medical data and sensitive administrative data. Of course, this does not apply to a traditional dental practice, for example. Nevertheless, there are also guidelines there for protecting patient data, medical data, and the data needed to invoice private patients! Therefore, our tip: brush your teeth at least twice a day! Peppermint is a good choice. Save money!
Back to the topic:
There are usually four classifications for data: public, internal use only, confidential and restricted.
Confidential (only senior employees have access)
Restricted (most employees have access)
Internal (all employees have access)
Public (everyone has access)
Confidential data
Access to confidential data requires special authorization or release. Confidential data is typically what standards such as ISO 27001 are used to protect.
Restricted data
If this data is compromised or accessed without authorization, it can lead to criminal charges and heavy fines. Not to mention the irreparable harm to the company. Examples include proprietary information or research results, as well as data protected by government regulations.
Internal data
This data is accessible only to internal company personnel, i.e. internal employees with access authorization. Examples are internal memos or reports, business plans, etc.
Public data
This data is freely available to the public. It can be freely used, reused, and redistributed without consequence. An example would be press releases.
Does your marketing team know? At least you should assume so, since all employees have completed security awareness training.
What exactly does ISO 27001 do here?
Nothing new: Organizations that are serious about data protection should stick to the ISO 27001 standard.
Control Objective A.8.2 is titled "Information Classification" and directs organizations to "ensure that information receives an appropriate level of protection." ISO 27001 does not explain how to do this, but the process is not that difficult.
Record your assets in an inventory
First, compile all the information assets in an inventory (or stock list). Note for each asset who is responsible for it and who its owner is (these do not necessarily have to be the same person). Furthermore, document the format in which it is available (electronic documents, databases, paper documents, storage media, etc.).
Classification
You will next need to classify the information. Typically, asset owners are responsible for this, but it can't hurt for management to establish policies based on the results of the organization's ISO 27001 risk assessment. Information that poses greater risks, and could therefore cause greater damage to the company, should generally be given a higher confidentiality level. Be aware, however, that this is not always the case. It is common that sensitive information must be made available to a wider range of employees in order for them to do their jobs. This must be considered and assessed accordingly.
Labelling
After the information is classified, the owner must establish a system for labeling the information.
Different procedures are required for digitally and physically stored information. It is important that these procedures are consistent and clearly defined.
For instance, you could decide that digital files as well as paper documents should be marked and filed according to a certain pattern!
Handling
Finally (for now), you need to establish rules for protecting individual information assets based on their classification and format.
Let's go back to the paper-document example for a moment. You can specify that internal paper documents should be kept in an unlocked cabinet. Cool, no one has to look for the cabinet key anymore, which was misplaced anyway (which, by the way, reveals another security issue, but back to the topic). So all employees have access at any time. Everyone is welcome!
Restricted information (let's continue thinking in the analog paper world) should be kept in a locked cabinet, and confidential information in a secure place. Specify who keeps the key and to whom it may be passed on, and keep adding such details to the guidelines.
Sometimes Rosi, the office manager, has to send documents by mail or even act as a courier herself. Therefore, additional rules should be set up for data that may be on a transport route.
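To show how the four steps above (inventory, classification, labelling, handling) fit together, here is a small added example in Python; it is not code from the original post or from ISO 27001 itself. It uses the four levels and the paper-cabinet rules from this page; the role names, the digital storage rules and the transport rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

# Ordering follows the page: Public < Internal < Restricted < Confidential.
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3

# Who may see each level. Role names are assumed; the page's "most employees"
# is modelled as employees who hold an explicit access authorization.
AUDIENCE = {
    Level.PUBLIC: {"external", "employee", "authorized_employee", "senior"},
    Level.INTERNAL: {"employee", "authorized_employee", "senior"},
    Level.RESTRICTED: {"authorized_employee", "senior"},
    Level.CONFIDENTIAL: {"senior"},
}

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # accountable owner, as recorded in the inventory
    responsible: str    # person responsible; may differ from the owner
    fmt: str            # "paper" or "digital"
    level: Level

def label(asset: Asset) -> str:
    """One consistent marking pattern for paper and digital assets (assumed pattern)."""
    return f"[{asset.level.name}] {asset.name} (owner: {asset.owner})"

def can_access(asset: Asset, role: str) -> bool:
    """Access decision derived purely from the classification level."""
    return role in AUDIENCE[asset.level]

# Paper rules come from the page's cabinet example; digital rules are assumptions.
PAPER_RULES = {Level.PUBLIC: "no storage restriction", Level.INTERNAL: "unlocked cabinet",
               Level.RESTRICTED: "locked cabinet", Level.CONFIDENTIAL: "secure place (safe)"}
DIGITAL_RULES = {Level.PUBLIC: "public share", Level.INTERNAL: "intranet, employee login",
                 Level.RESTRICTED: "access-controlled share", Level.CONFIDENTIAL: "encrypted, named access list"}

def handling(asset: Asset, in_transit: bool = False) -> str:
    """Handling rule selected by classification and format, plus an extra transport rule."""
    rule = (PAPER_RULES if asset.fmt == "paper" else DIGITAL_RULES)[asset.level]
    if in_transit and asset.level >= Level.RESTRICTED:
        # Assumed wording for the additional rules for data on a transport route.
        rule += "; sealed, tracked courier" if asset.fmt == "paper" else "; encrypted in transit"
    return rule

def inventory_report(assets):
    """Inventory listing, most sensitive first, with label and required handling."""
    return [(label(a), handling(a)) for a in sorted(assets, key=lambda a: a.level, reverse=True)]
```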
Bottom line: the process is not sooo simple, especially when you take a closer look at information access and data security regulations. Nevertheless, it is important for IT administrators and executives to know and understand the compliance rules and regulations, as well as the best approach to security and access rights assignment within the organization.