In order to ensure that all information is properly classified, each body of information must have a designated owner who conducts the inventory, assigns the information to the appropriate category and determines the minimum level of protection. In a small business environment, issues of ownership rarely arise and there is little chance that data can become "orphaned". In large, complex organizations, however, information is often shared or moved through multiple organizations and, with each movement, its categorization can change. For example, in a large organization, which group owns individual employee compensation data? Is it the business in which the employee works, the human resource shared service organization that manages the overall compensation procedures for the company, or the technology organization that maintains the systems where the employee data is stored? You could argue that the business is responsible, since business management sets the compensation for the employee. However, if the business is designated as the owner of the employee data, does it have enough authority over the data to ensure the information is adequately protected? If the technology unit reports to the HR shared service organization, the business may have little leverage in dictating how employee data is protected on the computer systems.
In a perfect world, the HR organization should be designated as the owner of the information, since it has the responsibility to set overall HR procedures, including manual procedures to protect data at the business level, and the responsibility to direct the technology group as to the level of security required. In the real world, the logical owner of information is often unwilling to assume that role. Information ownership carries with it not only the obligation to inventory and categorize data, but the responsibility to identify and fund the systems and procedures to protect the data. As BISO you may find instances where the obvious business owner is unwilling to assume the role, because it lacks the expertise and budget to support the obligation. This will require adept negotiations with senior management and between multiple potential information owners to ensure the information is not orphaned.
The converse is also possible: you may find situations where a business is eager to take on more information ownership responsibility than it should. For example, the technology unit may step forward and make sweeping decisions over the categorization of data stored and transmitted on its systems. The problem is that the technology unit is not in a good position to determine how the data is actually used in the business. The technology unit is unlikely, for instance, to be able to determine the sensitivity of a phone number in an employee record. The phone number may be stored in a field labeled "Business Phone #", leading to the assumption that the data is Internal/Public. However, the business may allow employees to work at home, in which case the number could be an unlisted home phone number that the employee assumes the business will not freely distribute across the entire organization. As can be seen in the next paragraph, information may also take on varying classifications over its life cycle, and only the business is in a position to determine which category is appropriate at each stage.
Information classification problems may also occur when data, such as financial information, is prepared at the business unit level in a large, complex organization and then moved up the financial control chain and consolidated at the division, sector and enterprise levels. While the data may start out as Internal or Confidential, at some point it becomes subject to regulatory disclosure restrictions and must be classified as Restricted. The problem is determining who owns the data at the moment its classification changes, since that owner is the one who must ensure the higher level of protection is applied from that point on.
And if that is not complicated enough, consider the impact of the "Business Phone #" example above. 99.9% of the phone numbers stored in that field may be business numbers that the company is willing to share freely with all employees. What then does the company do about protecting the 0.1% of the data that is sensitive? In a related example, 100% of the data in the field may be business numbers, but what if your business operates in one of the handful of countries where regulators are highly suspicious of any information, including innocuous business phone numbers, being shared outside the country's geographic boundaries? Normally, most businesses devote few resources to protecting business numbers. Other than keeping the data from headhunters and limiting access to the direct line phone numbers of senior executives, corporate phone directories are freely shared across the organization and across the globe. What if a small percentage of this data can now only be shared within a single business or country? Imagine you are the BISO who must tell senior management that they will need to spend large amounts of money to implement automated controls over data that was intended to be freely shared.
There are no easy answers to these issues. However, your role as an Information Security Officer is to ensure that some level of management does take ownership, formally classifies the data and takes responsibility for funding and maintaining adequate security over it. You will likely find that this is one of the most complex jobs for a BISO. It requires an extensive knowledge of the business's practices and procedures, the ability to work with multiple organizations to determine how the information is handled, an understanding of the automated and manual processes that protect the data, and the ability to influence senior management.
©2009 ISRMC, LLC