Why classify?

ASK ALMOST ANY BUSINESS executive, "Who manages your information resources?" and you will hear "I don't know," "We've never thought about it," or "The systems manager."

Despite the real and increasing threat of information exposure or loss, many companies ignore the risk. In survey results published in August 1987, Computer World reported that less than 16 percent of banks, less than 8 percent of financial services businesses, and less than 5 percent of manufacturing businesses invested in encryption or port control systems for their networks.

Such data is not conclusive by itself, but it implies that many companies today do not adequately protect their business information. Considering the investment most companies make in information--IBM spends 7 percent of its sales revenue on information systems--it is strange that so many information executives today spend their time just trying to control data processing costs.

I recently heard about two employees whose job it was to destroy documents from "burn boxes"--repositories in which confidential documents are placed to prevent them from ending up in the public trash system.

The employees, who were janitorial-level workers, made a practice of carefully reading each document before throwing it into the shredder. They apparently had been given no sense of the purpose of their job, which was precisely to prevent such casual perusal by people with no need to know.

Information losses can be considered from four viewpoints:

* the circumstance of loss or exposure

* the identity of individuals stealing, destroying, or observing the information

* the medium (mental, written, or electronic) involved in the loss or exposure

* the value of the information

Consider some actual cases:

Case 1: the inside job. During labor contract negotiations, managers of a brewery in the United Kingdom were surprised to find that union negotiators knew details of the company's financial situation and business plans. The brewery traced the information leak to a data center employee who had been taking printed reports home. The employee had found a customer for the information--the union--and had been making additional income by delivering copies of certain business reports.

Circumstance: purposeful exposure by an insider.

Identity: trusted insider.

Medium: printed report.

Value: high subjective value.

Was there an active program in effect to identify valuable information and train employees about how to handle and protect it? Were supervisors aware that information processed was private to the company? Did anyone check employees leaving the building to see what they might be carrying out?

Case 2: electronic leaks. An engineering employee at a well-known computer manufacturer used his network connections to compile a detailed technical description of a new product. A portion of the material was then published in a technical journal, exposing the company's sensitive strategic thrust.

Circumstance: insider passes information to an outsider.

Identity: trusted insider.

Medium: information in electronic form.

Value: high subjective value.

Did the network have sufficient security for the information files that were accessed to assemble the description? Was the originator of the description aware of the data's sensitivity? Had management made clear that such distribution of strategic technical data was regarded as a serious breach of regulations?

Case 3: leaving no trail. A clerk taking telephone orders for "ABC Corporation," a wholesale distributor, discovered that, by passing customer credit information to an accomplice, orders could be placed for a false address without her being identified as the originator. The clerk's boyfriend rented a truck and picked up orders set out on the warehouse dock. In several months, the two stole thousands of dollars' worth of merchandise.

Circumstance: insider passing data to outsider.

Identity: trusted insider and untrusted outsider.

Medium: verbal information via telephone.

Value: moderate subjective value.

Were customer credit records properly controlled? Was clerk record access justified and the transaction recorded?

From these cases we see that information loss or exposure resulted from two common failings. First, management had not identified or had not provided suitable protection for valuable information. Second, employees were not properly screened, trained, or motivated.

Up to Par

We know that quality information is essential to businesses today--but what, in fact, is it?

Quality information is information that meets management requirements for integrity, reliability, and privacy. These characteristics are achieved through the proper management and control of the information resource.

Specifically, quality information results when the following goals are achieved:

* Information is properly identified, classified, and managed as an important resource.

* Information systems and manual information procedures are correctly designed, installed, maintained, and audited.

* Employees are suitably trained and supervised.

* Controls and separation of duties are established that are appropriate to the information's value.

* Information security is provided based on established policies covering classification and handling.

Ensuring that quality information is provided for business operations is not, therefore, a one-shot deal or cursory effort. Rather, it is a result of carefully planned management efforts that involve almost all aspects of business operations.

Information Directives

Managing information is a broad, high-level responsibility involving strategic planning. And management must create a structure of information directives to ensure its control.

The highest-level directive of this kind is an information policy. This document briefly spells out management requirements for identifying and controlling valuable information. The policy should cover all important aspects of the subject matter. Most of the ineffective policies I have seen failed because management did not recognize that all information--not just computer-processed information--must be protected. The same data often appears on both typewritten reports and computer printouts. What value is gained by protecting one and not the other?

Limit the policy to permanent requirements. For example, a policy statement that says, "All company classified information shall be marked and protected from exposure, loss, and unauthorized change" is a valid policy requirement. But a statement that reads, "Only opaque number 10 envelopes shall be used to transmit company classified memos" is not.

An effective policy includes these characteristics:

* It is published, promulgated, and given visible support by top management.

* It covers all the permanent requirements of management concerning the subject matter. It does not include operational details that may vary from time to time or from one operation location to another.

* It meets the tests of longevity (it should seldom if ever need to be changed) and observance (people know about it and follow its prescriptions).

Information being an intangible, many employees find it difficult to understand why managing it is important. Furthermore, the steps leading to management control of--and the legal rights to--information are often tedious in terms of daily business operations. For these reasons, writing a sound policy is essential.

Policy Contents

In most companies, the information executive and his or her staff prepare the information policy. Subjects covered include the importance of information to the company, company classification nomenclature and definitions, and the responsibilities of key employees, including the executive information manager.

The policy should also state requirements for the marking, handling, and availability of company classified information, defined for each company classification type. These requirements should cover paper handling, data processing, and telecommunications. Finally, the policy should include a glossary of terms.

Not everything can be protected effectively. A careful analysis of what is really important can provide better security and reduce the cost of protection.

In the 1960s, the US Strategic Air Command decided that having guards and fences around its air bases was not necessary. Every test attempt at penetration showed that fences kept out only one's friends.

The Strategic Air Command then decided to place guards only around what was important--the airplanes, hangars, and critical supplies--and not worry about people coming over the fences. This measure actually increased the level of security where it was really needed, and it saved money.

For the information resource, we need to take a similar approach--identify the truly critical pieces of information and follow a well-planned program for protecting them. Classification is an essential step in this process.

In a typical business today, probably only 10 percent of all information should be classified. Less than 1 percent of all information should be at the highest classification level. This tiny fraction represents information available to only a few people, and it should be locked in a safe or encrypted for electronic storage or communication.

The remaining 9 percent of highly valuable information should be classified at a medium level and be restricted to classes of employees needing it to do their jobs. Finally, all information regarding employee, medical, and applicant records should be classified to ensure privacy.

Which is Which?

The first task is to identify which information should fall into which of these classifications. While this decision is always a matter of judgment, a set of guidelines is necessary to maintain some consistency.

Keep in mind that classification decisions will be made by many people in widely varying circumstances. Although responsibility for classification rests with the information owner, practical business operation indicates that these decisions be made on the spot by the information originator, probably following instructions set up by the information owner within company policy.

At Xerox Corporation, the company guidelines for classifying information are the following:

* Xerox Registered (highest classification): information whose improper disclosure could cause serious damage to company operations. Examples: information concerning product strategies and product-related research.

* Xerox Private (middle classification): information whose improper disclosure could have a substantially detrimental effect on company operations. Example: customer lists that would be of value to a competitor.

* Xerox Personal (special classification): information whose improper disclosure an individual might find embarrassing or detrimental. Example: personnel and medical records.

These definitions do not mention information retention or legal requirements, which should also be addressed through classification. However, they do provide practical guidelines for people who must make classification decisions.

A Classification Philosophy

Information should be classified to represent the business requirements for information security and availability and meet legal requirements. These objectives fall into two categories.

"Objective" relates to requirements outside the information itself. Generally, these deal with information retention and conservation, which are most frequently required by law or for historical purposes. This classification is typically marked "retention schedule X"--the X being a number referring to a list showing requirements.

"Subjective" relates to the information itself. Generally, these are requirements relative to the company's need to keep the information private. The business privacy requirement usually results in three information groupings:

* Information restricted to a small group. This category is specified when the information is developed by the originator or top management. This is the highest classification.

* Information restricted to a group of employees, not usually specified by name, who require it to perform assigned tasks. This is the middle-level classification. Special subjective classifications, such as medical records, fall within this group.

* All other business information that may not be released to outsiders without the approval of a manager--typically the information owner or the functional executive with responsibility for the information.

Subjective classification decisions are made in two ways: first, by the owner, who specifies that certain types of information will always be classified at a certain level; and second, by various managers and executives, who must make classification decisions on the spot as information develops. Therefore, all employees must receive training on making classification decisions.

Objective classifications are usually made following published company instructions on records retention or requirements of law.

Another consideration is the concept called "end-of-life." Most information has a fairly short value period. Within a few months, or certainly within a few years, most information has lost all but its historical value. Therefore, it is a good idea to set expiration dates or periods. This can be done as a standard practice, in policy, or by a declassification date. Such practice allows more reasonable destruction practices for records retention purposes and reduces the cost of secure storage for long-term documents and computer records.

Against Classification

People often say, "Why mark something as valuable? It just shows the bad guys what to steal." Such a position sounds reasonable, but it is not based on solid experience or law.

Major companies with notable success in competitive environments know it is necessary to classify information. Without classification, nothing is protected. And they know that to prove ownership of information in court, they must show a real effort to identify valuable data. Classification is the answer.

The procedures used to protect information follow from its assigned classification. The following paragraphs demonstrate that process in an imaginary company, XYZ Corporation, which grows and sells specialized ocean plant life developed through genetic engineering.

Daniel James is a biologist at XYZ who has been working to develop more efficient ways of feeding crustaceans. James believes he has found an important and novel form of plants for this purpose. He has just finished writing a report to the XYZ chief scientist concerning this discovery, using his microcomputer word processing system.

James gets out his regulations booklet and looks up XYZ classification definitions. The instructions say that any new research results that could have product implications are to be classified as XYZ Registered, the highest company classification.

From the computer program's font file, James retrieves the XYZ Registered logo and places it electronically at the top of his report. At the same time, the system sets a flag on the computer record, which will indicate to all other XYZ systems that this is a registered document that must be handled in special ways.

James now sends the document to a printer. Because of the flag, the printer will not produce the printed paper until James arrives and enters his password. When James retrieves the document from the printer, the XYZ Registered logo is printed very noticeably at the top.

At XYZ, all research documents are maintained in a special library. James takes the original document to the library and has a copy made. From now on, no one will be able to get a copy of the document from any source other than the library. Neither James nor any other XYZ employee is permitted to make copies of XYZ Registered documents.

Knowing he will be attending a company meeting in Chicago in a week, James informs the librarian. The librarian will send a numbered copy to the XYZ office in Chicago, and James will pick it up there. XYZ Registered documents are not permitted to be carried off company premises.

Should James wish to send the report electronically over XYZ's networks, the communications server in the network at the laboratory will recognize the security flag and encrypt the data before sending it through telecommunications circuits outside company premises.

Finally, James locks the report in a cabinet with a bar and padlock.

This example reflects actual information policies used by highly successful companies in competitive businesses.
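
The flag-driven handling in the XYZ walkthrough above, combined with the end-of-life date discussed earlier, can be expressed as a small decision function. This is an added Python example, not part of the original article or any real company's system; the class, field and action names are hypothetical, and since the article gives no automated rules for the middle level beyond marking, only the logo rule is applied there.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class Level(Enum):
    UNCLASSIFIED = 0
    RESTRICTED = 1   # middle level
    REGISTERED = 2   # highest level

@dataclass(frozen=True)
class Record:
    title: str
    level: Level                          # the "flag" carried on the record
    declassify_on: Optional[date] = None  # end-of-life date, if one was set

@dataclass(frozen=True)
class Request:
    action: str                        # print | copy | transmit | carry_out
    password_at_printer: bool = False  # originator is standing at the printer
    actor_is_library: bool = False     # request comes from the research library
    leaves_premises: bool = False      # circuit runs outside company premises

ACTIONS = {"print", "copy", "transmit", "carry_out"}

def effective_level(rec: Record, today: date) -> Level:
    """Apply the declassification date; with no date the label never lapses."""
    if rec.declassify_on is not None and today >= rec.declassify_on:
        return Level.UNCLASSIFIED
    return rec.level

def decide(rec: Record, req: Request, today: date) -> tuple[bool, list[str]]:
    """Return (allowed, obligations) for one handling request."""
    if req.action not in ACTIONS:
        return False, ["unknown action: denied by default"]
    level = effective_level(rec, today)
    if level is Level.UNCLASSIFIED:
        return True, []
    obligations = []
    if req.action == "print":
        if level is Level.REGISTERED and not req.password_at_printer:
            return False, ["hold job until originator enters password"]
        obligations.append(f"print {level.name} logo at top of page")
    if level is Level.REGISTERED:
        if req.action == "copy":
            if not req.actor_is_library:
                return False, ["copies are issued by the library only"]
            obligations.append("number the copy")
        if req.action == "carry_out":
            return False, ["send a numbered copy to the destination office"]
        if req.action == "transmit" and req.leaves_premises:
            obligations.append("encrypt before leaving company premises")
    return True, obligations

if __name__ == "__main__":
    # Constructed sample record and requests, for illustration only.
    report = Record("Crustacean feed report", Level.REGISTERED, date(1992, 1, 1))
    for req in (Request("print"), Request("copy", actor_is_library=True),
                Request("transmit", leaves_premises=True), Request("carry_out")):
        print(req.action, decide(report, req, date(1989, 2, 1)))
```
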

If you have never used an information classification system, you may be saying to yourself, "What a lot of bother!" A word to the wise: Many companies have been financially ruined on discovering they had no redress in court by which they could recover stolen information. They, too, thought protection was too much bother.

Paul Thomas is the controller for XYZ. Most of the financial reports and analyses he deals with are company-classified at the middle level, or XYZ Restricted. Reports are locked in desks when not in use or when the user is away from his workstation for more than an hour.

When a systems consultant is hired to develop analytical tools for microcomputers, Thomas makes sure the consultant has signed a disclosure agreement to protect XYZ in the event the consultant gains access to confidential information.

Thomas regularly checks his subordinates' information handling practices and frequently walks through copy rooms after working hours to check for documents left behind. (The worst exposure comes from copies of documents inadvertently left in copiers by employees and picked up by maintenance workers or casual passersby.)

Thomas also insists that all sensitive accounting reports be clearly marked with the XYZ Restricted logo. His interest in securing information has made the accounting department an example to other departments of the company. Accounting employees know that information is not to be shared with other employees unless the person has a need to know.

Since the daily routine of work is almost always with the same set of people, this refraining from sharing information is not a big problem. Requests for information from outside the working group must be approved by Thomas.

XYZ represents a shining, if imaginary, example of good information management. The firm's employees made classification decisions with learned judgment based on knowledge of the purposes and methods of the company's classification scheme. XYZ's workers acted promptly and consistently and were alert to possible security breaches.

Moreover, every employee (perhaps with the exception of production workers) was required to understand the purpose and methods involved.

Correct classification of company information, resulting in the proper security, is needed if companies are to maintain quality information for business purposes.

James A. Schweitzer is corporate manager of information security for Digital Equipment Corporation in Maynard, MA. Formerly, he was systems security technology manager for Xerox Corporation in Stamford, CT. He is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Author:Schweitzer, James A.
Publication:Security Management
Date:Feb 1, 1989