Information Classification – What does “Confidential” mean?

An important aspect of protecting critical electronic information is knowing what information needs to be protected, what doesn’t, and who are the authorized recipients. Countless organizations stamp “Confidential” at the bottom of their documents. What does that mean? Everyone inside the organization can access it, but nobody outside? Or is it only full time employees inside the organization? Or is it anyone internally plus anyone externally that has some sort of non-disclosure agreement(NDA) in place? If there isn’t a widely understood definition in place internally and externally – sensitive information is no doubt going places it shouldn’t be.

A basic system of marking documents can help. It’s often called information classification, sensitivity classification, sensitivity labels, or even data classification. A short list of tags or labels is used to define the sensitivity of the document and is tied to an intended audience. Large organizations will certainly have more than one label, but if you create too many – it becomes too confusing for a document owner or auto classification system to determine which one to use to apply and stamp on a document.

Here are a few recommended labels to get started. You might want to prefix the labels so recipients know it’s your system of classifying documents, e.g. XYZ Public, or customize them more for your organization.

1. XYZ Public. Documents that are for public consumption and have no risk to the company if they end up some place they shouldn’t. It is also usually assumed that a document that does not have a label on it – is public.

2. XYZ NDA Confidential. For documents that should be viewed only by recipients with a non-disclosure agreement.

3. XYZ Employee Confidential. For documents that should be viewed only by recipients who are employees (full or part-time). Depending on your organization, you may want to create two tags – one for full-time, one for part-time. Could be something like “XYZ Employee Confidential” and “XYZ Regular Employee Confidential”

4. XYZ Insider Restricted. For publicly held companies, there is a lot of sensitive information that cannot be disclosed externally or to the general employee community.

5. XYZ Management Restricted. For documents that should only be viewed by the senior management of an organization, and not the general employee community.

6. XYZ Board Restricted. For publicly held companies, with electronic “board books” this classification designates the board of director community.

7. XYZ Private. For documents with personally identifying information that typically includes health, financial or other personally identifiying information.

For strategic alliances or mergers & acquisitions, additional classifications should be created specific to that initiative. For example, “XYZ Project ABC”. By using a codename, the existence of the label does not expose the project itself.

A color coding scheme can also be used with these labels to help users remember what is the least confidential and most confidential of the classifications. For example, a spectrum from Green, through Blue, Yellow, Orange, to Red. Some organizations will color the label, or even the entire cover sheet of a sensitive document.

With a basic system like this in place, it’s much easier to classify information as part of a data loss prevention (DLP) strategy. Further, when you do find a document that has leaked to someplace it shouldn’t, you now have the ability to take corrective action internally or legal action internally. Otherwise, if you discover an insider or an outsider that has your sensitive information, but it isn’t marked – it will be significantly more difficult to take action if the recipient of that information can claim it wasn’t sensitive.

Some other things to think about are:

- What is the default label for all documents? Should it be Public? Or should it be Employee Confidential? Should it be set up that way for an entire organization? Or should different departments have different default classifications?

- How will you identify which internal and external users are in which classifications? Directories such as Active Directory or LDAP are a good place to store the group membership information, especially when they can contain organization reporting structures and/or roles as part of the group member lists. So instead of having to specify every employee or recipient individually, whole divisions and departments can be included and dynamically updated as the org chart changes.

- How will you enforce access to labeled information? File servers, portals, and content management systems are typically used for this tied to the directory of users and their corresponding access. You can go one step further by utilizing enterprise rights management, from a product such as Adobe LiveCycle Rights Management (formerly known as Policy Server), to persistently enforce a security classification – independent of storage and independent of transport. So after the sensitive document leaves the secure storage and/or secure transport mechanism, it maintains it’s access control at the data level. Should that document be accidentally or maliciously forwarded to someone that shouldn’t have access – the file won’t open.

- How will you mark sensitive documents? Document templates are a good way to start, including those in presentation and word processing programs. The process can become much more automated when tied to enterprise rights management. A policy from LiveCycle Rights Management can automatically apply a dynamic watermark to a document corresponding to the classification label. It can also show the name of the user that is opening the document and the data/time the document was viewed. If printing of the document is allowed (which can also be restricted) – the dynamic watermark persists onto the document as a detective control. If that physical document ends up some place it shouldn’t, you can track down how it got there.

- How will your users know who is in what classification? In addition to posting the classification labels and having an awareness campaign, the employee directory structure tied to enterprise rights management can enforce the classification labels even if the sender doesn’t know whether the recipients are allowed to view the document. For example, the insiders in an organization are typically reminded on a regular basis that they cannot trade the company stock anytime they want – and they are restricted to certain trading windows. Everyone that is identified as an insider is frequently reminded of their insider status. However a common vulnerability is that an insider may not know who all the other insiders are in a very large organization. That makes it difficult to determine when business critical information should be shared to adjust the business operations. By using an insider restricted label, tied to a directory, tied to enterprise rights management – an insider restricted document cannot be opened by someone that isn’t specifically tagged as an insider. If such a document is accidentally or maliciouslly distributed to someone – it remains secure.

- Need additional enforcements beyond just opening the document? Again, enterprise rights management provides persistent security to the document to not only restrict who can open a document, but also what they can do with it. For example, you can restrict printing, modifying, and copy & paste clipboard actions from a protected document.