Security Management Strategies for the CIOMost security environments have classification schemes that are used to define and determine the sensitivity of the resources contained within. These classification schemes usually define elaborate classification procedures, criteria and security mechanisms. However, one aspect that is overlooked far too often is that of declassification.
Declassification is the means by which out of date, obsolete or marginalized data is moved from a higher classification level to a lower one. Declassification is an important part of any classification scheme for several reasons. If all resources remain at their initially assigned classification level forever, then the value of each classification scheme is reduced. This devaluation occurs as resources age or the reality they represent changes so that those resources no longer warrant the higher level of protection offered by the higher classification schemes.
The security provided at the higher classification levels is also more costly than the security offered at lower classification levels. If resources are not declassified when they no longer need the higher grade of protection, then the organization is wasting money providing high levels of protection when it is not needed. By declassifying data as needed, each classification level retains its value and the security each level provides is the most cost effective possible.
A clearly defined declassification process should be outlined and included in
Requires Free Membership to View
the security documentation that outlines the classification structure. The declassification process should define when data is re-evaluated for a classification change, who has authority to recommend a classification change, the checks and balances procedures for validating that a resource should be re-classified, and the actual steps by which the label on a resource is changed and that resource is moved from one classification environment to another. About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in January 2003
Join the conversationComment
Share
Comments
Results
Contribute to the conversation