Chief information officers need to take a leading role
in setting up formal
information classification schemes, to stop
those schemes being over-engineered in the name of regulatory compliance,
according to a report from the Information Security Forum
(ISF).
The
ISF
said that information classification systems were overly
complex. "As a result they rarely deliver business benefits and are
often simply ignored," it said.
Good information classification prevents over-complicated
controls, it said, which in turn cuts the cost and resources needed to
protect information.
"Information classification can also help to enforce better
access control policies and demonstrate compliance with data
protection and privacy legislation as well as regulations such as
HIPAA and
Gramm-Leach-Bliley," it said.
The ISF said participation was essential from HR, Legal, IT and
Audit, along with board support. "Having senior managers with a
shared strategic vision and understanding of information
classification and the value it can deliver is critical to overcome
budgetary and organisational issues. It is also vital to run a
successful pilot project to show a 'quick win' to demonstrate the
benefits," said Nick Frost at the ISF who wrote the report.
Frost said information classification requires a consistent
process to determine the level of confidentiality of a piece of
information, the development of techniques to communicate that
classification, and practical measures to protect it.
Frost said, "Information exists in many different forms, from
paper documents and verbal communications to the masses of
electronic data stored, transmitted and processed. Although
introducing an effective enterprise-wide scheme is daunting,
organisations can no longer afford to ignore its importance if
embarrassing data losses (such as the
HM Revenue & Customs incident) are to be avoided."
The ISF recently published an upgraded Standard of Good Practice
for Information Security, which is available free to non-members at
the ISF Standard
website.