3 December 2013 | Nick Rafferty
A methodology for properly classifying information risk is the first rule of designing an effective supplier assurance programme. It may sound obvious but in practice not many organisations do it. Fewer still do it well. But unless your programme is based on a clear understanding of the value of the information you have stored, along with your regulatory obligations, it is very easy to end up with a one-size-fits-all approach that treats every supplier the same.
Here are some essential guidelines, which will help ensure information is classified correctly.
Proper classification forms the foundation from which you can start to identify which suppliers represent the greatest risk to your organisation's information assets.
When drawing up a checklist the first task is to decide what information is most sensitive to your business and what is mandatory to protect from a regulatory standpoint. You then need to look at which information is shared with suppliers. Suppliers should be assessed against this short checklist to establish the type and volume of information they handle on your behalf. You need to know what they have of yours that has value and who they are in turn sharing it with.
This will enable you to audit all suppliers quickly and produce a rank ordered list of suppliers by information risk. You know which ones have the most sensitive information and you are able to treat them differently according to their merits. All information, regardless of its classification, should be protected from unauthorised alteration.
Classification of information broadly falls into three main categories (but can be as granular and specific as the organisation deems necessary):
● Confidential: This category refers to sensitive information that qualifies for the highest degree of protection. Its availability should be confined to those with the highest-level access rights and only disclosed with the express consent of the most senior responsible individual – usually the data or information security manager. Where third parties are concerned, a signed confidentiality agreement is required before this class of information can be shared. This is necessary when unauthorised disclosure of this information could seriously compromise the organisation – for instance from a financial, legal, or public image perspective. Examples of the type of information that would fall into this category are dividends and share related information, personally identifiable information, patents and other intellectual property.
● Internal: This class of information concerns aspects of the business operation not meant for public disclosure. Access to this information is freely available to all employees. If leaked the information would be unlikely to cause serious difficulty but would be subject to a confidentiality agreement before sharing with third parties. Company policies and standards and operational procedures are good examples here.
● Public: The third and final main class of information requires no special protection or rules of use. This information is suitable for public distribution. Examples may include press releases, marketing literature, company annual reports and so on.
The next set of classification guidelines relate to how information should be handled and protected. Each information category has separate handling and protection rules, which are the responsibility of the risk manager and/or information/data security manager to enforce. All confidential information stored on the company’s IT systems has to be protected by strict access controls to ensure it is not improperly disclosed, modified, deleted or otherwise rendered unavailable. These rules extend to prohibiting employees from recording or sharing the information in any way, via any medium. Even access to any office, computer room or work area where confidential information is stored must be strictly controlled. The handling and protection guidelines govern all stages of a digital asset’s lifecycle from its creation and storage, through to its eventual deletion.
The final set of procedures relate to how information is labelled to ensure it is handled in line with its assigned classification and apply equally to physical and electronic assets. For every classification type there are prescribed processes covering copying, storage – whether by post, fax, internet or e-mail – and end-of-life.
All outputs, whether printed reports, screen displays, recorded media (tapes, disks, CDs, DVDs, cassettes), or electronic messages and file transfers, relating to confidential information must be appropriately labelled to reflect its classification according to the rules that have been agreed. Physical labels are perfectly adequate in the majority of cases. But some information assets, such as documents in electronic form, cannot be physically labelled and therefore some form of electronic labelling is needed. If possible all printed confidential documents should be given a clear sensitivity label on the bottom right-hand corner of each page or a watermark that indicates the sensitivity classification.
Information classification helps employees to understand the relative value the organisation places on different parts of the business. Once information is classified you can draw up a list of guidelines that dictate what can be done with each category of information – both internal and external to the organisation. Those with the highest rating will be most restricted – only a privileged few will be allowed to see it – while those with lower ratings will be more universally accessible. This must be well communicated to employees and assessed for understanding within the organisation.
When applied to a risk assurance programme it allows you to distinguish between suppliers so you can focus your efforts on those suppliers that represent the greatest risk to your organisation – according to the classification rating you have put on the information you are sharing with them or that they have access to.
☛ Nick Rafferty is COO at SureCloud