Information Security Forum: It is time to take information classification seriously

Recent high profile date losses have highlighted the need for better information classification and the implementation of data protection measures based on the level of sensitivity and confidentiality, according to the Information Security Forum (ISF). In its latest report, the ISF suggests that because many existing approaches to information classification are overly complex they rarely deliver business benefits and are often simply ignored.

Information classification requires a consistent process to determine the level of confidentiality of a piece of information; the development of techniques for communicating the level of classification; and the practical implementation of measures to protect information accordingly.

But the benefits of successful Information Classification are considerable according to the ISF report. By ensuring that information is adequately protected, good information classification helps to prevent over- or under-engineering of controls, so reducing potential operational overspend and unnecessary drains on resources. Information Classification can also help to enforce better access control policies and be used to demonstrate compliance for legislation such as Data Protection and Privacy along with regulations including HIPAA and Gramm-Leach Bliley.

The report highlights that to achieve these levels of success requires participation across an organisation from HR and Legal to IT and Audit, along with Board level support.