All organisations handle information that is sensitive and confidential and that provides them with a competitive advantage. The need to secure that information is more pressing than ever: the mandates that demand its protection are increasingly prescriptive, and increasingly sophisticated criminals regard it as a goldmine, writes Colin Tankard, Managing Director of Digital Pathways, a data management product company.
Governments have long demanded that the information held by their agencies be adequately protected, and many have laws in place that restrict access to only those individuals with the proper authorisation. In some countries, such as the US, data is classified into three levels – top secret, secret and confidential – along with a fourth category, for official use only.
In the UK, the classification system, known as the Protective Marking System, was long divided into six classifications. However, in an effort to reduce the complexity and confusion surrounding the use of each level, it was streamlined in 2014 to just three levels of classification – top secret, secret and official. Whilst the system does not specify particular security controls that must be in place, data owners are expected to assess the risks associated with each piece of information and to decide who should be allowed to access it.
Organisations also benefit from using these classifications to safeguard information such as intellectual property and confidential communications, as many security systems are inadequate at preventing accidental disclosure by careless users with legitimate access. Although a failure of Data Leakage Prevention (DLP) to catch a particular breach can be classed as an ‘error’, the user who accesses and distributes the information is the real problem. Asking users to classify each file helps to highlight the source of the problem, i.e. users who lack awareness of the proper security procedures set out by the company.
Common data-breach accidents include sending sensitive data in an email or attachment, accessing data from unsecured public sources, and inappropriately sharing information to personal email accounts and devices. Although a DLP system is vital to providing a ‘second look’ when these mistakes occur, a lack of classification may cause some breaches to slip by. Even if a DLP system does catch the breach, there is usually no informative response to help users remediate or learn from their error.
A classification tool, however, consistently reminds users of data-security policies each time they save a document or send an email. By requiring users to identify the sensitivity of the information, data security remains constantly top of mind.
And by checking the selected classification against the email content and attachments, classification tools can immediately identify possible breaches before the email ever leaves the user’s control.
Protective marking can help in governance and compliance efforts too. Any organisation looking to achieve certification against the ISO 27000 set of standards for information security management systems is required to classify its information assets according to their value and criticality to its business operations. The protective markings often used are confidential, restricted, internal and public.
Even where the use of protective marking systems is not mandatory, organisations that implement such systems will be better able to manage the risks associated with information access throughout the lifecycle of that information, from its creation to long-term storage and eventual destruction. They will then be able to see and control who accessed what data, what they did with it and what the end result was, providing better accountability for how all information is handled. Classification provides several other benefits beyond enhancing DLP that should not be overlooked, and these include:
- Interoperability with installed security platforms: persistent classification metadata offers the ability to trigger other protection systems on the basis of classification, such as the automatic application of Microsoft Active Directory Rights Management Services (RMS) or S/MIME protection for email.
- Data-retention management: classification simplifies data retention because it provides more information to a content-archiving system and lets users easily identify which documents are confidential or public when deciding on the appropriate retention period. Classifications can include date or status fields that, when filled in or edited, instantly update the retention or disposition status.
- Email content: email text often contains sensitive information. By checking the email’s classification level against the email content, it is possible to alert users when they are about to send information that conflicts with company policy.
- Email and document marking: classification can enable the application of custom headers and footers, watermarks, email subject-line marking, email message labelling or dynamic disclaimers, to mention a few. These markings remind users of information sensitivity, which promotes appropriate handling and controls.
- Classification markings on file icons: users can quickly identify the sensitivity of a document by its icon without having to open the file.
- E-discovery: classification helps organisations avoid accidentally including information in an e-discovery process. This speeds up any data discovery project and avoids missing sensitive data with a search that includes unnecessary files and folders.
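The check the article describes, comparing the label a user selected against the email body and the persistent labels on its attachments and holding the message back with a reason the user can act on, as an added Python example that is not the author's or Digital Pathways' code. The four markings are the ones the article cites for ISO 27000; the content rules, the attachment metadata and the sample message are constructed for the illustration.

```python
"""Compare an outgoing email's chosen classification with its content and
attachments, report why it is held back, and apply a subject-line marking."""
import re
from dataclasses import dataclass, field

# Markings ordered from least to most sensitive (as listed in the article).
LEVELS = ["public", "internal", "restricted", "confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed policy: content patterns that imply a minimum classification.
CONTENT_RULES = [
    (re.compile(r"\b(?:salary|payroll)\b", re.I), "internal"),
    (re.compile(r"\b(?:patent|trade secret)\b", re.I), "confidential"),
]

@dataclass
class Attachment:
    name: str
    classification: str  # persistent metadata carried with the file

@dataclass
class Email:
    classification: str  # label the user selected when composing
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def check_email(email):
    """Return (allowed, reasons). The message is held back when the selected
    label is lower than what an attachment or the body content implies; each
    reason names its source so the user can correct the label or the content."""
    if email.classification not in RANK:
        return False, ["no classification selected"]
    chosen = RANK[email.classification]
    reasons = []
    for att in email.attachments:
        if RANK.get(att.classification, 0) > chosen:
            reasons.append(f"attachment {att.name} is {att.classification}")
    for pattern, level in CONTENT_RULES:
        match = pattern.search(email.body)
        if match and RANK[level] > chosen:
            reasons.append(f"body mentions '{match.group(0)}' (requires {level})")
    return not reasons, reasons

def mark_subject(email):
    """Prefix the subject with the marking, e.g. '[CONFIDENTIAL] Q3 figures'."""
    tag = f"[{email.classification.upper()}]"
    return email.subject if email.subject.startswith(tag) else f"{tag} {email.subject}"
```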
Deployment of protective marking solutions does not need to be an onerous task. One strategy is to place a ‘line in the sand’ and say any document or email that is produced from this point on must be marked. Anything below the ‘sand line’ is left unmarked unless it is opened, when it will move above the ‘sand line’ and need to be marked.
The marking process is straightforward for users: they are prompted to mark the document or email and are not allowed to save or send until it is done. This is where training is required, to educate users as to what may be deemed secret versus public, but in most cases users fully understand the demarcation between what is sensitive for the business and what is not.
Information is at a premium for any organisation, and keeping sensitive information secure and adequately protected is a must. Wise organisations should implement a strategy of protective marking now to reduce the risk of becoming the next headline.