One particular challenge I keep coming back to is defining what “confidential” means with reference to data. What is the difference between “confidential”, “restricted” and “private”? I also have the term “High Loss Impact” (HLIP) in use, and if I go around the business I’ll probably find a whole lot more, in a dozen different languages.
Clearly, if I want people to handle data correctly then the definitions need to be right. From a global corporate governance perspective the problem is that there does not seem to be a single definition that can be used in, for instance, the USA and that also applies equally in France and China.
I like to use HLIP as the term of choice because that seems to cover everything that might cause trouble if it were to be compromised regardless of whether it’s personal data or business related.
Classification schemes are supposed to be based on the value of the data asset being protected, but that value is subjective and, in these days of heightened attention to any and all data breaches, often under-rated. On the other hand, you can’t simply bag everything up as confidential and lock it in a cupboard, because at some point somebody needs to work with, refer to, copy, print, and eventually dispose of the data.
So, I’ve taken the path of least resistance. I know the business and I know the data being handled, so instead of focusing on the labelling I’m focusing on the content and prescribing process by example. The documentation gives examples of the different categories (e.g. financial data, customer data, etc.) and the different forms (e.g. on paper, in an electronic spreadsheet, etc.) and defines a step-by-step process for what to do with each. Sort of like a cookbook.
That’s not to say that I’m ignoring the fact that data should be labelled with a classification. Far from it. However, with the right communication of the processes, we should be some way towards ensuring that all data is being handled appropriately. Make sense?