The Information Classification Process
Not all information is created equal and no business has infinite resources available to protect all its information. The reality is that, if information is the most important asset in a company, each business must classify or prioritize its information in order to properly allocate security resources to protect that information. In order to properly classify business information and implement adequate controls, the following steps are recommended:
- Define the information you are looking for. You need a foundation from which to start; otherwise, there is an increased likelihood you will miss important sources of information. For example, the obvious places to look for information are on computer systems and in file cabinets. However, if you are going to conduct a thorough inventory, you need to consider all data sources and use a definition broad enough to include all significant sources.
- Develop an information classification policy. Develop common standards for defining and categorizing information based on risk.
- Designate Information Owners. Company policies and procedures must create clear lines of responsibility for inventorying, categorizing and protecting information.
- Compile an inventory of all information assets. Once you have determined the types of information you need to identify and have established a methodology for prioritizing that information, you can begin the process of inventorying your data.
- Define the minimum levels of protection. Next, you need to identify and document the minimum controls the Information Owner must use to protect the information, based on its classification.
©2009 ISRMC, LLC