A colleague in a large organisation recently asked me for advice on the design of their security classification system. On the surface this might seem a simple task, but I can assure you that there’s a lot more to this subject than meets the eye. And I can speak from experience, having designed enterprise classification schemes for two very large organisations. But it's generally a rather black art, i.e. a relatively obscure subject area, because few practitioners ever get the chance to research and develop the design for a classification scheme. And it’s not something you can learn from a book or from a university training course. Which is a shame, because classification schemes are a key, underpinning framework for all organisations. And there’s a lot more to them than most people realise.
I first encountered the use of security classifications in the Government field. I was highly impressed by their extensive and highly comprehensive system of security classifications, codewords, caveats and privacy markings, all underpinned by the most carefully-framed rules, procedures and legislation. These systems are quite an achievement, almost a minor work of art. Though the jury has to be out on whether the average civil servant can actually keep track of all this.
But national security is not the major driver for most organisations. Outside the defence and intelligence fields, the primary reason why companies first established classification schemes was to safeguard their trade secrets, and to enable them to uphold legal claims in a court of law. And the requirements for this are very different from national security. As one leading international IT vendor discovered a decade ago, in practice you only need a single classification to achieve this. And you don’t need to specify a standardised set of associated security controls. But in practice the demands of these two separate requirements (national security and trade secrets) have converged over the years. And conventional practice has tended to be based on 2-3 levels of classification, using similar-sounding labels, though with the Government standards generally operating one notch higher than the Industry ones.
The classification needs of organisations are richer, however, and they are changing all the time, as is the usefulness of classification schemes in helping to implement security requirements. In practice, such systems contribute a lot more than merely safeguarding selected secrets. Classification systems are a powerful mechanism for defining and communicating a set of options for implementing controls, whether to company staff, business partners or customers. They can also help to control the dissemination of information with varying degrees of sensitivity across enterprise, extended-enterprise or public domains.
Unfortunately classification schemes are not standardised. They often look similar. But close is not enough. In fact it can be positively dangerous. Words such as Confidential and Secret might mean different things to different organisations. And some classifications, such as Restricted, can present a particular problem because they might be lower than Confidential in some companies and higher than that in others.
Back in the nineties, we did set out to solve this problem when we developed the original Code of Practice, the one that formed the basis of BS7799. It seemed sensible at the time to move to a common standard. But we found that few organisations had any appetite for changing their classification systems. So we placed the idea on the back-burner and recommended a follow-up initiative. That led to a brief UK Government project to define a classification standard using a set of neutral labels such as SEC1, SEC2, etc. It produced an interesting report, but the initiative was too ambitious for its time and it had insufficient support and publicity to make a real impact.
And who would actually want such a dull-sounding set of classifications? In my view we’ve already dumbed them down enough. I much preferred the rather cosy wartime label of Most Secret to the more bureaucratic Top Secret. And I find that terms like Restricted simply don't convey the gravitas of the material. I vote we take a leaf out of the book of the Avengers and adopt much friendlier and more serious-sounding titles, such as Top Hush and Button Lip. Or perhaps even the Ultra, Ultra Sensitive label used by Toby Esterhaus in Tinker, Tailor, Soldier, Spy.