And how it can help avoid another Snowden Breach!
This blog talks about information classification. So, what exactly do we mean by information classification? In its simplest form, information classification is the process by which we assess the information we hold and identify the appropriate level of protection it must be given. This protection may focus on confidentiality, integrity, availability, or any combination of these, but generally, most organisations opt to base their classification schemes around confidentiality.
A classification scheme can have any number of classifications, but in order to be practical, most organisations are likely to stick with three or four levels. A typical scheme may contain the following levels:
So, if you’re developing an information classification programme, where do you start? As a first step, all information needs to be recorded in an inventory and allocated to an ‘owner’ (best to allocate this to a role rather than a named individual). Each group of information assets then needs to go through a risk assessment process, based on the holy trinity of confidentiality (making sure only those who should be able to see it can see it), integrity (the information is up to date, accurate and free from corruption) and availability (it can be seen by those who have a right to see it, when they want to see it). Information is often scored on a 1-3 (high, medium, low) scale, based on the impact the organisation would suffer if the information were to be breached, although there are many examples where greater granularity and detail may be provided.
Under control objective A.8.2 of ISO 27001, you are required ‘To ensure that information receives an appropriate level of protection in accordance with its importance to the organization’. This includes (under A.8.2.1) ensuring that ‘Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification’. As mentioned previously, most organisations tend to classify their information based upon its confidentiality requirements, i.e., the impact that the organisation would experience if an unauthorised disclosure were to take place.
Once we’ve decided how important the information is, we can start looking at strategies to protect it. Each classification will have a basic set of information handling rules which should cover the whole lifecycle of the information, i.e., from creation through to disposal, covering who can see it, how it should be stored, how it should be communicated (both physically and electronically) and how it should be disposed of when no longer required.
Staff will need to be trained to handle information appropriately as determined by its classification. In order that they can do this, the information will need to be labelled in such a way that it is immediately apparent what classification it bears and thus what type of handling is required. The most important thing is that there is an easy-to-understand approach such as the three-tier classification scheme mentioned above, coupled with a clear set of guidelines supported by a policy which explicitly states how information should be classified and, once it has been, what can and can’t be done with it. Remember, this approach needs to be regularly revisited and reassessed for currency and effectiveness.
The key, as with most things, is to define an approach, keep it simple, and then communicate it!
If information is classified ‘top secret’ we should be very clear within the handling guidelines who is allowed to have access, how it should be communicated (both in hard copy and electronically), where and how it should be stored, and what happens to it when it is no longer required.
The most significant example in history of how classified material, and access to it, should have been more adequately managed involves the activities of Edward Snowden.
In May 2013, Snowden left his job as an analyst for the US National Security Agency (NSA) in Hawaii and flew to Hong Kong. Snowden had been employed as a contractor in various roles and had raised concerns about the ethics of the programmes he had been employed on; these concerns were ignored.
In early June, Snowden began to release unprecedented amounts of highly classified material to journalists. The content rocked governments on four continents. The intelligence agencies of the US, UK, Canada, New Zealand and Australia (the vaunted ‘Five Eyes’ intelligence community) faced acute embarrassment.
So how could that have happened?
Edward Snowden was employed by the NSA as an employee and sub-contractor. He held Top Secret security clearance, which provided access to much, but not all, classified information. He also held enhanced privileges as a system administrator, which provided additional access to any file that he wanted. The combination of these factors meant that his actions went undetected.
Had appropriate handling guidelines relating to this high-grade information been in place, Snowden’s actions would have drawn attention; they were not in place. Additional controls from ISO 27001 relating to the segregation of duties (A.6.1.2) would also have mitigated this activity and prevented a security breach on a scale that is unlikely ever to be fully revealed.
The combination of these controls would have allowed Snowden to carry out his daily tasks but limited his access to information not relevant to his role.
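As an added illustration (not part of the original post), the following Python models the process described above: an inventory of assets owned by roles, each scored 1-3 on confidentiality, integrity and availability, a classification derived from the worst-case score, and an access check in which clearance plus need-to-know governs reads while system administrator privilege grants only administrative actions, so that replaying an access log surfaces reads outside a role. It assumes a score of 1 means low impact and 3 high; the tier names, roles, asset names and log entries are constructed sample data.

```python
from dataclasses import dataclass
# Impact scores 1..3 (assumed: 1 = low, 3 = high); tier names are constructed
TIERS = {1: "internal", 2: "confidential", 3: "top secret"}

@dataclass
class Asset:
    owner_role: str          # the owner is a role, not a named individual
    confidentiality: int
    integrity: int
    availability: int
    need_to_know: frozenset  # roles whose work requires this asset
    def level(self) -> int:  # worst-case impact across C, I and A sets the tier
        return max(self.confidentiality, self.integrity, self.availability)
    def classification(self) -> str:
        return TIERS[self.level()]

@dataclass
class User:
    role: str
    clearance: int           # 1..3; must be >= asset level to read it
    sysadmin: bool = False

def access_decision(user, asset, action):
    """Clearance is necessary but not sufficient: the role must also need the asset.
    A sysadmin may administer the store but gains no right to read content outside
    their role (segregation of duties, A.6.1.2)."""
    if action == "administer":
        return (user.sysadmin, "admin task, no content exposure")
    if user.clearance < asset.level():
        return (False, "insufficient clearance")
    if user.role not in asset.need_to_know:
        return (False, f"no need-to-know for role {user.role}")
    return (True, "permitted")

def audit(users, assets, log):
    """Replay (user, asset, action) records and list accesses the rules do not permit."""
    findings = []
    for uname, aname, action in log:
        ok, why = access_decision(users[uname], assets[aname], action)
        if not ok:
            findings.append(f"{uname} {action} {aname}: {why}")
    return findings

# Constructed sample inventory, users and access log (not real data)
ASSETS = {"programme-report": Asset("programme-lead", 3, 2, 1, frozenset({"analyst"})),
          "duty-roster": Asset("operations", 1, 2, 2, frozenset({"analyst", "sysadmin"}))}
USERS = {"alice": User("analyst", 3), "bob": User("sysadmin", 3, sysadmin=True)}
LOG = [("alice", "programme-report", "read"), ("bob", "programme-report", "administer"),
       ("bob", "programme-report", "read"), ("bob", "duty-roster", "read")]
```

Running `audit(USERS, ASSETS, LOG)` flags only bob's read of the programme report: his clearance and admin rights are sufficient to administer the store, but neither gives his role a need-to-know for its content.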
When you are looking at the processes associated with managing the security of your organisation’s information assets, there are a number of occasions where you will need to consider the scope of...