Security Classification for Information
A significant aspect of risk management and information security is recognizing the value of information and defining appropriate protection requirements and procedures for it. Not all information is equal, so not all information needs the same degree of protection. This requires that information be assigned a security classification.
The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified. Next, develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.
Some factors that influence which classification information should be assigned include how much value that information has to the organization, how old the information is, and whether or not the information has become obsolete. Laws and other regulatory requirements are also important considerations when classifying information.
Common information security classification labels used by the business sector are: private, public, confidential, sensitive. Common information security classification labels used by government are: Sensitive but Unclassified, Unclassified, Restricted, Confidential, Top Secret, and Secret, and their non-English equivalents.
All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification. The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.