One of the issues I come across when I’m working with a new client to improve their data security and, ultimately, get them certified to the ISO 27001 Standard for Data Security, is how they classify and mark their data.
For example, perhaps the company has a policy that states that staff must not, under any circumstances, send Company Confidential Information to anyone outside the company. If they are transferring such information internally via email, they must always encrypt the file with an approved encryption method. But how can staff make the decision if there is no way of knowing what information is considered to be Company Confidential and what is for open distribution?
The starting point is usually to decide upon the basic classification levels of data. At a minimum, I would suggest that Open Distribution, Company Confidential and Sensitive/Personal Information are the primary classifications. Obviously, the company can decide if there are any additional levels required but the old KISS adage applies here (Keep It Simple Stupid!).
Once they have decided upon the levels of classification then the focus turns to how the data is marked. This is where there can be some confusion, as this ‘marking’ system is highly dependent upon the format of the data. Is it purely electronic, is it printed, or is it normally resident in one location?
In the days when everything was printed, there were some quite simple solutions to this conundrum. Sensitive/Personal data could be printed on paper of a specific colour, for example. If anyone saw pieces of that colour paper lying around, they would know it contained Sensitive/Personal information and should be either safely stored or securely destroyed.
Electronic data is slightly more problematic. However, there are numerous solutions ranging from simple watermarks (that show up when the document is displayed) to metadata additions that can be checked automatically by email systems to prevent those documents from being transmitted.
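The automatic metadata check described above, written out as an added example (not code from the original post or from any particular email product). It assumes a hypothetical document property named `classification` carrying one of the three markings, a constructed company domain `example.com`, and applies the post's Company Confidential rule (never external; encrypted when sent internally) to the Sensitive/Personal level as well. An unmarked document is treated as Company Confidential so that a missing label cannot bypass the control.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

# The three classification levels suggested in the post.
class Level(Enum):
    OPEN = "Open Distribution"
    CONFIDENTIAL = "Company Confidential"
    SENSITIVE = "Sensitive/Personal Information"

MARKING_KEY = "classification"   # hypothetical document property holding the marking
INTERNAL_DOMAIN = "example.com"  # constructed company domain for the example

@dataclass
class Attachment:
    name: str
    metadata: dict = field(default_factory=dict)  # document properties, e.g. from the file
    encrypted: bool = False                        # True if an approved encryption was applied

def level_of(att: Attachment) -> Level:
    """Read the marking; unmarked or unrecognised markings fail closed to Company Confidential."""
    raw = str(att.metadata.get(MARKING_KEY, "")).strip().lower()
    for lvl in Level:
        if raw == lvl.value.lower():
            return lvl
    return Level.CONFIDENTIAL

def is_external(address: str) -> bool:
    """An address is external unless its domain is the company's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def check_outbound(att: Attachment, recipients: list[str]) -> tuple[str, str]:
    """Decide ("allow" | "block", reason) for one attachment and its recipient list."""
    lvl = level_of(att)
    if lvl is Level.OPEN:
        return "allow", f"{att.name}: open distribution"
    external = [r for r in recipients if is_external(r)]
    if external:  # rule 1: classified material never leaves the company
        return "block", f"{att.name}: {lvl.value} may not go to {', '.join(external)}"
    if not att.encrypted:  # rule 2: internal transfer only with approved encryption
        return "block", f"{att.name}: {lvl.value} must be encrypted for internal email"
    return "allow", f"{att.name}: {lvl.value}, encrypted, internal recipients only"

if __name__ == "__main__":
    # Constructed sample attachments to show each outcome.
    samples = [
        (Attachment("brochure.pdf", {"classification": "Open Distribution"}), ["a@other.org"]),
        (Attachment("budget.xlsx", {"classification": "Company Confidential"}), ["a@other.org"]),
        (Attachment("budget.xlsx", {"classification": "Company Confidential"}), ["b@example.com"]),
        (Attachment("budget.xlsx", {"classification": "Company Confidential"}, True), ["b@example.com"]),
        (Attachment("unlabelled.docx"), ["b@example.com"]),
    ]
    for att, rcpts in samples:
        print(*check_outbound(att, rcpts), sep=" -> ")
```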
There is no single solution, but what this exercise does is focus the company’s attention on:
- what data they are holding,
- how important, sensitive or confidential that data is,
- therefore who may access it, and
- ultimately, what they are allowed to do with it.
Work with Us
This is all part of what we, as an organisation, do to help our clients gain their all-important ISO 27001 certification. This certification proves to the rest of the world that they understand the importance of the data they hold and process. Also, that they take care to ensure its confidentiality, integrity and accessibility.