Report from the Information Security Forum: Data losses put focus back on classifying and protecting sensitive data
February 2008 by Information Security Forum
Recent high profile date losses have highlighted the need for better information classification and the implementation of data protection measures based on the level of sensitivity and confidentiality, according to the Information Security Forum (ISF). In its latest report, the ISF suggests that because many existing approaches to information classification are overly complex they rarely deliver business benefits and are often simply ignored.
“Traditional Information classification is characterised by the ‘Top Secret’ rubber stamp in James Bond films,” says Nick Frost, the report’s author and senior research consultant at the ISF. “Today, information exists in many different forms, from paper documents and verbal communications to the masses of electronic data stored, transmitted and processed. While introducing an effective enterprise wide scheme is daunting, organisations can no longer afford to ignore its importance if further embarrassing data loses are to be avoided.”
Information classification requires a consistent process to determine the level of confidentiality of a piece of information; the development of techniques for communicating the level of classification; and the practical implementation of measures to protect information accordingly.
But the benefits of successful Information Classification are considerable according to the ISF report. By ensuring that information is adequately protected, good information classification helps to prevent over- or under-engineering of controls, so reducing potential operational overspend and unnecessary drains on resources. Information Classification can also help to enforce better access control policies and be used to demonstrate compliance for legislation such as Data Protection and Privacy along with regulations including HIPAA and Gramm-Leach Bliley.
The report highlights that to achieve these levels of success requires participation across an organisation from HR and Legal to IT and Audit, along with Board level support. “Having senior managers with a shared strategic vision and understanding of information classification and the value it can deliver is critical to overcome budgetary and organisational issues,” says the ISF’s Nick Frost: “It is also vital to run a successful pilot project to show a ‘quick win’ to demonstrate the benefits.”
The ISF is a not-for-profit international association of over 300 leading international organisations, which fund and co-operate in the development of practical, business driven solutions to information security and risk management problems. The ISF undertakes a leading-edge research programme and has invested more than US$100 million to create a library of over 200 authoritative reports along with information risk methodologies and tools that are available free of charge to ISF Members. For more information visit www.securityforum.org
In addition, the latest ISF Standard of Good Practice for Information Security has recently been published and is also available free to non-members at www.isfstandard.com.