
Best practices for writing an information classification policy

When developing your organization's information classification policy, there are three best practices that you should keep in mind.

In my last Security Policies Tip, I offered a standardized framework for helping users determine how to classify information assets. Part of that framework includes classification categories such as high, medium or low. These specific categories do not necessarily meet the needs of every organization, and you need to decide what works best for yours. When developing your organization's information classification policy, there are three best practices that you should keep in mind.

  • Keep the number of information classification categories as small as possible. The more categories employees have to select from, the greater the chance of confusion and incorrect assignment. Normally, three or four categories should be sufficient to meet your organization's needs.
  • Avoid the impulse to classify everything the same. In order to simplify the classification process, some organizations have flirted with classifying all information assets as Confidential. The problem with this approach is that confidential information requires special handling. If your organization finds that confidential information has been disclosed in an unauthorized manner, it must be able to show the steps the enterprise took to protect and keep secret that information. Furthermore, if all information records are classified as confidential, then everything in the organization requires special handling. This adds an enormous cost to the handling of information resources and violates the principle of placing controls only where they are actually needed. The organization wastes limited resources protecting assets that do not really require that level of control.
  • Finally, avoid taking the information classification categories developed by another organization and adopting them verbatim for yours. Instead, use the material created by other organizations to assist in the creation of your organization's own unique set of categories and definitions.

The information classification policy of an organization must meet the needs of the current business climate. By applying the KISS (Keep It Simple Sweetie) concept to policy development, employees have a better chance of understanding and implementing the concepts presented in the policy, and thus protecting valuable information assets.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.


This was last published in August 2004
