Best practices for writing an information classification policy

In my last Security Policies Tip, I offered a standardized framework for helping users determine how to classify information assets. Part of that framework includes classification categories such as high, medium or low. These specific categories do not necessarily meet the needs of every organization, and you need to decide what works best for yours. When developing your organization's information classification policy, there are three best practices that you should keep in mind.

  • Keep the number of information classification categories to as few as possible. The more categories employees have to select from, the greater the chance of confusion and incorrect assignment. Normally, three or four categories are sufficient to meet an organization's needs.

  • Avoid the impulse to classify everything the same. In order to simplify the classification process, some organizations have flirted with classifying all information assets Confidential. The problem with this approach is that confidential information requires special handling. If confidential information is disclosed in an unauthorized manner, the organization must be able to show the steps it took to protect and keep secret that information. Furthermore, if all information records are classified Confidential, then everything in the organization requires special handling. This adds an enormous cost to the handling of information resources and violates the principle of placing controls only where they are actually needed. The organization wastes limited resources protecting assets that do not really require that level of control.

  • Finally, avoid taking the information classification categories developed by another organization and adopting them verbatim for yours. Instead, use the information created by other organizations to assist in the creation of your organization's unique set of categories and definitions.

The information classification policy of an organization must meet the needs of the current business climate. By applying the KISS (Keep It Simple Sweetie) concept to policy development, employees have a better chance of understanding and implementing the concepts presented in the policy, and thus protecting valuable information assets.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.


This was first published in August 2004
