Thursday, August 7, 2008

Data Classification - Time to catch up

After 12 years of protecting U.S. Government’s most sensitive and classified resources, data, personnel, and facilities, I have learned a great number of things. The television show 60 Minutes can do a year's worth of episodes purely on the mismanagement of funding alone at one unnamed facility that I worked at. Argue what you may about the U.S. Government, its spending habits, its leaders, its policies, its “big brother” mentality, or whatever else irks you, but know this: The U.S. Government is the king of data classification. It is better than everyone, including every business you have ever worked for: Fortune 500 companies, financial institutions, manufacturing businesses, utility companies, healthcare facilities, and retail industries.

How does one begin to protect information? Classify it. In order to determine necessary controls and measures that are required to protect information, we must first understand the value of that information. Once the value is understood, we can then determine the impact it will have if it becomes lost or compromised. Will its loss bankrupt our business? Will its compromise put us on the front page of the newspaper? This impact, in turn, determines how it must be protected.

There are dozens of different classifications used in the government. They include Top Secret, Secret, Confidential, Sensitive But Unclassified, Export Controlled, Limited Distribution, and Restricted Data, just to name a few. To take it one step further, the U.S. Government applies handling instructions (like NOFORN or ORCON) and a “Need-To-Know” philosophy to all of its information, meaning that even if I have a Top Secret clearance, I only have access to information that is required for me to fulfill the duties and responsibilities of my position.

Each of these classifications is assigned based on the value of the information, and each classification has its own set of instructions for properly handling and safeguarding the information. The higher the value of the data, the more stringent the controls that protect it.
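To make the three ideas above concrete (a hierarchical level, need-to-know compartments on top of it, and handling instructions such as NOFORN or ORCON that further restrict dissemination), here is an added illustrative model of an access decision. It is not code from this post or from any government system; the level names, compartment names, originator names and the `orcon_releases` field are constructed assumptions. It also shows the aggregation rule for a product derived from several sources, which the post does not spell out: the combined label carries the highest level and the union of all compartments and caveats.

```python
"""Toy classification-label access model (constructed example).

A subject may read a labelled object only if ALL of these hold:
  1. clearance level dominates the object's level (Top Secret > Secret > ...)
  2. the subject has need-to-know for every compartment on the object
  3. each handling caveat is satisfied (NOFORN, ORCON modelled here)
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple, Iterable


class Level(IntEnum):
    """Hierarchical levels, ordered so that comparison means dominance."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()   # need-to-know compartments (constructed names)
    caveats: frozenset = frozenset()        # handling instructions, e.g. "NOFORN", "ORCON"
    originators: frozenset = frozenset()    # who produced the data; matters for ORCON


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    need_to_know: frozenset = frozenset()   # compartments the subject's duties require
    nationality: str = "US"
    # Assumed field: originators that have explicitly released ORCON material to this subject.
    orcon_releases: frozenset = frozenset()


def access_decision(subject: Subject, label: Label) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); every failed check is listed so the denial is auditable."""
    reasons: List[str] = []
    if subject.clearance < label.level:
        reasons.append(f"clearance {subject.clearance.name} is below {label.level.name}")
    missing = label.compartments - subject.need_to_know
    if missing:
        reasons.append("no need-to-know for " + ", ".join(sorted(missing)))
    if "NOFORN" in label.caveats and subject.nationality != "US":
        reasons.append("NOFORN: not releasable to foreign nationals")
    if "ORCON" in label.caveats:
        unreleased = label.originators - subject.orcon_releases
        if unreleased:
            reasons.append("ORCON: no release from " + ", ".join(sorted(unreleased)))
    return (not reasons, reasons)


def combine(labels: Iterable[Label]) -> Label:
    """Label for a product derived from several sources: highest level, union of the rest."""
    labels = list(labels)
    return Label(
        level=max(lbl.level for lbl in labels),
        compartments=frozenset().union(*(lbl.compartments for lbl in labels)),
        caveats=frozenset().union(*(lbl.caveats for lbl in labels)),
        originators=frozenset().union(*(lbl.originators for lbl in labels)),
    )


# Constructed sample data: two documents and two people.
DOC_A = Label(Level.SECRET, frozenset({"PROJECT_A"}), frozenset({"NOFORN"}), frozenset({"AGENCY_X"}))
DOC_B = Label(Level.SECRET, frozenset({"PROJECT_B"}), frozenset({"ORCON"}), frozenset({"AGENCY_Y"}))
ANALYST = Subject("analyst", Level.TOP_SECRET, frozenset({"PROJECT_A"}), "US", frozenset({"AGENCY_X"}))
LIAISON = Subject("liaison", Level.TOP_SECRET, frozenset({"PROJECT_A", "PROJECT_B"}), "UK",
                  frozenset({"AGENCY_X", "AGENCY_Y"}))

if __name__ == "__main__":
    for who in (ANALYST, LIAISON):
        for name, doc in (("DOC_A", DOC_A), ("DOC_B", DOC_B), ("A+B", combine([DOC_A, DOC_B]))):
            allowed, why = access_decision(who, doc)
            print(f"{who.name:8} {name:5} {'ALLOW' if allowed else 'DENY '} {'; '.join(why)}")
```

Note that a Top Secret clearance buys the analyst nothing on DOC_B: the missing compartment and the ORCON caveat each deny on their own, which is exactly the "Need-To-Know" point the post makes. The combined product is readable by neither person, because aggregation only ever tightens the label.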

If your organization doesn’t classify its data, you are most likely not protecting it at a level commensurate with its value, and you are therefore leaving it vulnerable to loss or compromise. In data classification, the government reigns. Everyone else, including you, can’t keep up.
