Managing data - getting the definitions right

One particular challenge I keep coming back to is defining what “confidential” means with reference to data. What is the difference between “confidential”, “restricted” and “private”? I also have the term “High Loss Impact” (HLIP) in use, and if I go around the business I’ll probably find a whole lot more as well, in a dozen different languages.

Clearly, if I want people to handle data correctly then the definitions need to be right. From a global corporate governance perspective the problem is that there does not seem to be a single definition that can be used in, for instance, the USA and that applies equally in France and China.

I like to use HLIP as the term of choice because that seems to cover everything that might cause trouble if it were to be compromised regardless of whether it’s personal data or business related.

Classification schemes are supposed to be based on the value of the data asset being protected, but that value is subjective and, in these days of heightened attention to any and all data breaches, often under-rated. On the other hand, you can’t simply bag everything up as confidential and lock it in a cupboard, because at some point somebody needs to work with, refer to, copy, print, and eventually dispose of the data.

So, I’ve taken a path of least resistance. I know the business and I know the data being handled, so instead of focusing on the labelling I’m focusing on the content and prescribing process by example. The documentation details examples of the different categories (e.g. financial data, customer data, etc.) and the different forms (e.g. on paper, in an electronic spreadsheet, etc.) and defines a step-by-step process for what to do with it. Sort of like a cook-book.

That’s not to say that I’m ignoring the fact that data should be labelled with a classification. Far from it. However, with the right communication of the processes we should be some way towards ensuring that all data is being appropriately handled. Make sense?

I'm starting to wonder whether the Information Security industry is getting hung up on the labelling, rather than the handling process. Stating "Not to be distributed outside XXX department before 29 May 2008" seems to me to be much clearer and simpler than debating whether it is "sensitive" or "confidential" or "high loss". Defining the handling process cuts through the need to estimate potential loss, or define detailed access control requirements, as implied by traditional labelling. And also bypasses distinctions of "data at rest" and "data in motion" or "electronic" or "hard-copy information". And your process of defining by example is just what's needed to implement this.
Thanks Andrew - I totally agree. Too many generic compliance guides and not enough examples of what to actually do.