Welcome to the SecAware blog

I spy with my beady eye ...

21 Oct 2021

Topic-specific policy 9/11: information classification and handling

I'll admit up-front that I have very mixed feelings about the utility and value of classification as a form of control, at least in the civilian/commercial world outside of the government and defence realm anyway.

On the one hand, it is (or rather it should be, thanks to the policies, procedures, guidelines, training and awareness materials and activities) reasonably obvious how to handle correctly classified and labelled hardcopy documents. Computer data - not so much, unless you are using mil-spec classified systems and networks with all manner of mandatory hard-coded built-in bullet-proof controls. 

Do your corporate information security controls include automatic rifles and attitude? Are you at the very top of your game?

On the other hand, even in mil/govt circles, classification and labelling can be tricky and consistency is always an issue. Each level or category of classification covers a range, a spectrum of information risks. Individual items of information falling at any point within the range are likely to be classified, labelled and handled in much the same way - which may not be appropriate in every case. What to do with unlabelled and/or unclassified or misclassified information is another concern, along with classification reviews, as well as the tendency to over-classification which impacts the availability of information for legitimate purposes. Finally, anything marked "TOP SECRET" in big red capitals is surely a magnet for spies, spooks, opportunist thieves, hackers, crackers, journalists, nosy/disaffected workers, fraudsters, criminals ... and even auditors on the prowl. It might as well say "READ ME!". 

So, although we offer a classification policy template, I'm reluctant to recommend classification as a general approach unless it is mandated for your organisation ... in which case your class/category definitions, processes and handling rules are probably already specified by whoever mandated it (perhaps in law), so you would need to check/update the template accordingly.

In summary, the template is here, a basic classification policy starter for just $20. It's not one of the topic-specific policy examples I personally would have selected for the standard, though, and I have serious reservations about the corresponding controls in section 5. To me, it's an outdated, unhelpful and largely irrelevant approach - except perhaps for the military (and I'm not entirely sure about that!). 

Remember, the topic-specific policies in ISO/IEC 27002:22 are merely illustrative examples, suggested not required, an incomplete menu of possibilities rather than a recipe for success. The same point applies to all the other controls in the standard. They may not be appropriate and worthwhile for your organisation. You may have a better approach in mind or already in place. You probably have other priorities, given your business situation, including of course important things to do other than manage information risk and security per se. ISO/IEC 27001 and other ISO27k standards (such as '27003, '27004 and '27005) help by describing a structured governance framework within which information security policies make sense. It's down to you, though, to craft an approach that not only makes sense but works well in practice for your specific organisation.

No comments:

Post a Comment