Classification of Information

Information is typically classified into three general categories (Restricted, Confidential and Public/Internal).

The categories are then used to determine the type and level of controls necessary to protect the information. For example, a technology company may be planning an announcement that it has developed a new type of computer chip that will likely revolutionize the industry and lead to a significant increase in revenues. The information on the date, time and place for the announcement is not that sensitive. If anything, the marketing department will want this information widely distributed to the media to build interest in the event. However, the company likely does not want a description of the product disclosed to the public until the announcement is made, especially if it will give an advantage to competitors. Most importantly, knowledge of the technical specifications and production techniques for the chip must be kept a secret known only to a few select employees.

If the company is small (assume 50 or fewer employees), there is little need for the business to adopt a formal program to classify the information, since all of the employees will be familiar with the product announcement and the sensitivity of the data and will understand their role in protecting it. As the number of employees in the company increases, the risk that an employee will disclose the information to an unauthorized person also increases. The more employees who know the product details, the better the chance that at least one of them will disclose the product details to friends or relatives in advance of the announcement. As the company grows in size, it is likely that employees will copy the technical specifications for the computer chip onto laptops, BlackBerries and USB flash memory devices so that they can work on the information at home or on the road. As the number of devices that store this information increases, so does the risk that these devices will be misplaced, lost or stolen.

The simple answer in these situations is for management to issue a notice to all employees listing the “Do’s and Don’ts” for the information.

Recently a new category (Personally Identifiable Information or PII) has emerged and created new challenges, especially for financial services organizations. Historically, PII fell into the Confidential classification and, as a result, a customer's Social Security Number (SSN) received the same level of protection as a business' marketing plans. That decision was logical - while businesses understood that both types of data were sensitive, there was little potential for a significant loss if they were compromised.

©2009 ISRMC, LLC