“One can only protect something if they know what it is they need to protect, where it is, who is accessing it and how, how it is being used, and to what level they should protect it.”
The above principle holds true, more than anything, for Information Security professionals, primarily because to secure any information they first need to answer each of the questions above. To state it in simpler terms, we can’t protect what we don’t know.
A major challenge for InfoSec professionals is to identify the information assets which need to be protected and classify them accordingly; this is known as the information asset identification and classification process. Identifying the hardware part of information assets is comparatively less daunting than identifying and classifying the information that resides on that hardware.
In any organization, gigabytes of information are generated every day. How would you distinguish the sensitive from the non-sensitive? One way of doing it is to have a well-defined, comprehensive, easy-to-understand Information Classification Policy in place, along with mechanisms to enforce it. These mechanisms may vary from simple techniques like watermarking files to sophisticated solutions that automatically classify information based on certain rules. Irrespective of which mechanism an organization employs, a critical part of the process is the information owners.
It is essential that information owners not only understand the organization’s Information Classification Policy but also play an active role in implementing it. An interesting question that arises is: how would you get them to implement it? For an organization implementing such a process for the first time, this could be a humongous task because it requires employees to cultivate the good habit of classifying information. And it’s hard to develop good habits.
One approach could be to Incentivise, Hammer and Automate. Influence their behavior by providing them with certain incentives to classify the information, hammer the message onto them until the classification becomes their second nature and provide them with automated means to do it.
Incentives could be monetary or psychological. An example of a monetary incentive would be to assign a certain percentage of employees’ KRAs (key result areas) to information classification: the better they do it, the better their reward. An example of a psychological incentive would be to implement a wall of fame or to elect an information champion every month.
With incentives in place, an organization needs to make sure that its employees are aware of their responsibility to classify information. This could be achieved through the message hammering technique. Message hammering means repeatedly reminding them of the process, its importance and their role in it. This is critical in the early phases of implementing the Information Classification Policy, or else they might forget about it in due course. Message hammering is most effective when done from the top down. Workshops, desktop backgrounds and danglers are some of the ways this could be achieved.
As with any other process, some automation can go a long way towards making this process a success. First and foremost, organizations should provide means through which information owners can refer to the various classification levels and their descriptions in a timely manner. Expecting them to download the policy from the intranet every time they get stuck doesn’t count. Integrate classification into applications. For example, an organization could create an information classification plugin for Microsoft Office which reminds the user to classify the information before closing any document. A more sophisticated approach would be to implement a software solution that automatically classifies information based on certain rules. The simpler the process, the better its acceptance will be.
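As an added illustration of the rule-based automation described above (example code written for this post, not a tool from the original), here is a small Python checker that compares the label an information owner declared with the level a few constructed regex rules suggest, and flags documents that are unclassified or under-classified. The four labels, the rules and the sample documents are all assumptions made here, not part of any real policy.

```python
import re
from typing import List, Tuple

# Assumed classification levels, least to most sensitive (not from the original post).
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

# Constructed rules: (level, reason, pattern). The highest matching level wins.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("Restricted", "payment card number", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ("Restricted", "private key material", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("Confidential", "compensation data", re.compile(r"\b(salary|compensation|payroll)\b", re.I)),
    ("Confidential", "personal contact data", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")),
    ("Internal", "internal-only marker", re.compile(r"\b(internal use only|do not distribute)\b", re.I)),
]

# The label an owner writes into the document, e.g. a "Classification: Confidential" line.
MARKER = re.compile(r"^Classification:\s*(\w+)", re.M)


def suggest_level(text: str) -> Tuple[str, List[str]]:
    """Return the most sensitive level any rule matched, plus the reasons for it."""
    hits = [(lvl, why) for lvl, why, pat in RULES if pat.search(text)]
    if not hits:
        return "Public", []
    best = max(hits, key=lambda h: LEVELS.index(h[0]))[0]
    return best, [why for lvl, why in hits if lvl == best]


def check_document(text: str) -> dict:
    """Compare the owner's declared label with the rule-based suggestion."""
    suggested, reasons = suggest_level(text)
    m = MARKER.search(text)
    declared = m.group(1) if m else None
    if declared is None:
        status = "unclassified"           # owner never labelled it: remind them
    elif declared not in LEVELS:
        status = "unknown-label"          # label is not one the policy defines
    elif LEVELS.index(declared) < LEVELS.index(suggested):
        status = "under-classified"       # content looks more sensitive than the label
    else:
        status = "ok"
    return {"declared": declared, "suggested": suggested, "reasons": reasons, "status": status}


# Constructed sample documents for a quick run.
DOC_OK = "Classification: Confidential\nPayroll summary for Q3: total paid to 42 staff."
DOC_UNDER = "Classification: Internal\nCustomer card on file: 4111 1111 1111 1111\n"
DOC_NONE = "Meeting notes: team lunch moved to Friday."

if __name__ == "__main__":
    for doc in (DOC_OK, DOC_UNDER, DOC_NONE):
        print(check_document(doc))
```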
As I wrote earlier, gigabytes of information are generated daily, so it would be impractical to expect information owners to classify each and every piece of information they create from day one. This would simply overwhelm them and make them abandon the classification task altogether. Start by focusing on the most critical information first, and be patient. Your efforts and patience will soon be rewarded with well-classified data.
Has your organization implemented, or is it in the process of implementing, an information classification process? Share your experience with us. What approach did your organization take? How was the program received by end users? Lessons learnt, etc.
Send it to us at csc[@]yaksas[.]in or leave it in comments below.
Uday Mittal (OSCP, Associate CISSP, DCPP) is the founder of Yaksas CSC. He has over 4 years of experience in dealing with various issues related to cyber security. He is actively working towards educating people on cyber security risks and steps to mitigate them. He’s also a member of (ISC)2, ISACA and DSCI.