Information classification and tagging is one of those problems that every vendor has a solution for, but very few organisations seem to have ever implemented a workable solution to. Here is my 2c worth from someone who has been on the customer side and a bit on the vendor side. I present it so you can make your own judgements: take what works and ignore what doesn’t.

There is no one vendor on the market with an end-to-end solution. Any vendor that swears they have one is betting on you not understanding your own requirements.

First, let’s start with requirements. I have written a fair few and reviewed orders of magnitude more. My favourite, which I have both seen and written myself, is “Solution must conform to **’s document/information classification and handling standard”. This is one of those useless requirements that doesn’t really mean anything, but it keeps the stakeholders who want a silver bullet for all their problems off your back, and it gives you justification when working with the risk and security architecture teams to ensure the system isn’t built stupidly. I don’t have a problem with this requirement, but it doesn’t get us anywhere.

The requirement that I do have a problem with usually reads something like this:

  • “Solution must automatically detect, classify and protect data according to **’s document/information classification and handling standard”

If you have a business analyst or stakeholder who brings this as a requirement for sign-off, look for the nearest exit.

The standard/policy

If you don’t get this right the rest of the process is wasted. If you aren’t working from a solid foundation, or you over-complicate the foundation here, you may make the next steps impossible.

The best starting point for background on these systems is the Wikipedia page on classified information. I highly recommend you go and read it now; it is a fantastic starting point for understanding how governments (some of the most complex ‘organisations’ in the world) have built their systems and how they have adapted them over time.

Classification versus marking

Modifiers and codewords

This is one of the few things that you don’t see in corporate classification and tagging systems. I first really came across it when the articles around the WikiLeaks diplomatic cables disclosure appeared in 2010. That introduced me to the concept of caveats such as “NOFORN” (not releasable to foreign nationals) and “NODIS” (no distribution).

These are modifiers that most large organisations need in order to handle their information better, both internally (to prevent misclassification and over-classification) and across organisations.

Let me use the Australian banking market as an example, as it is something I am familiar with. Quick background: most of the market is dominated by four big banks with the creative name of “The Big 4”. Some of these banks own a number of smaller banks under their banking licence (so they are responsible for them), but those are usually run independently. All banks are governed by the regulator, APRA.

OK, let’s try a little case study here.

Bank A is launching a new banking product and wants to ensure that information related to it can be shared appropriately with the required participants. For this a highly paid executive has given the project the name “Project Yacht”, as that is what he plans to buy once he gets his bonus. The project is being run out of the “Banking” business unit and, for simplicity’s sake, let’s say they are using the Australian standard classifications below:

  • Top Secret / HP
  • Secret / P
  • Confidential / C
  • Protected / GU
  • Public (not in the government scheme; I added this)

The executive believes this product is so amazing that he is already picking out fonts for the monogrammed towels on his new yacht, and he wants to ensure that the project’s idea isn’t stolen by any other execs or other sub-brands of the company. As a result he insists that all documents be tagged Top Secret.

Originally, during the initial stages of the project, working at this high level of security is OK: there is a small team working on it and most of the project consists of diagrams scribbled in notebooks and post-it notes on a wall in the executive’s office. Eventually the project team needs to expand and more formal content needs to be created: requirements documents, legal reviews

«need more here»

How to get this right

Before we go any further, let’s break down the key steps:

  1. Classification
  2. Tagging/labeling
  3. Protection/Enforcement/Encryption
  4. Access Management
  5. Document Lifecycle
  6. Reporting

Classification

The first thing you need to do with a document is understand its nature. There are three main ways we can classify:

  1. On Creation
  2. On Access
  3. Bulk Discovery

On Creation

This is one of the most popular. Just about everyone has a plugin for Microsoft Office that allows a user to tag a document as they create it.

On creation versus on access

Tagging

The first thing to ask any vendor with a tagging solution is “can your system support multiple tags on the same document?” If the answer is no, I personally don’t think you should continue the conversation. Hint: none of the major ones do.
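To make concrete what “multiple tags on one document” buys you, here is an added worked example (my illustration for this post, not code from any vendor product or from the original draft) that ties together the modifiers section and the Project Yacht case study. A label carries a classification level, zero or more codewords (compartments) and zero or more handling caveats, and the access decision is deny-by-default: level dominance, then every codeword, then every caveat. The “LEVEL//CODEWORD//CAVEAT” marking syntax, the “NOSUB” caveat, the “SUB:” org prefix for sub-brands and the readers and documents are all assumptions made for the example; NOFORN and NODIS are the real markings mentioned above, with NODIS simplified to “no onward distribution outside the originating unit”.

```python
"""Compartmented label model: level + codewords + handling caveats.

Added illustration, not the post's or any product's code. Level names follow
the post's Australian-style list; the LEVEL//CODEWORD//CAVEAT syntax, the
NOSUB caveat, the "SUB:" org prefix and the Project Yacht readers/documents
are assumptions made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

# Ordered levels: a reader's level dominates a document's level if it is >=.
LEVELS = {"PUBLIC": 0, "PROTECTED": 1, "CONFIDENTIAL": 2, "SECRET": 3, "TOP SECRET": 4}


@dataclass(frozen=True)
class Label:
    level: str
    codewords: frozenset   # compartments such as {"YACHT"}; the reader must hold all of them
    caveats: frozenset     # handling modifiers such as {"NOFORN"}; every one must pass
    origin: str            # business unit that created the document


@dataclass(frozen=True)
class Reader:
    name: str
    level: str
    codewords: frozenset   # codeword briefings the reader holds
    org: str               # business unit, or "SUB:<name>" for a sub-brand (assumed convention)
    national: bool = True  # False for a foreign national, which NOFORN blocks


# Each caveat is a predicate over (reader, label). NOFORN/NODIS are the real
# markings the post mentions (NODIS simplified); NOSUB is hypothetical.
CAVEATS = {
    "NOFORN": lambda r, l: r.national,
    "NODIS": lambda r, l: r.org == l.origin,
    "NOSUB": lambda r, l: not r.org.startswith("SUB:"),
}


def parse_marking(marking: str, origin: str) -> Label:
    """Parse 'LEVEL//X//Y' (assumed syntax) into a Label.

    Known caveat names become caveats, everything else after the level is a
    codeword. An unknown level is rejected: a marking the enforcement point
    cannot interpret must never fall through to "allow".
    """
    parts = [p.strip().upper() for p in marking.split("//") if p.strip()]
    if not parts or parts[0] not in LEVELS:
        raise ValueError(f"unknown classification level in {marking!r}")
    codewords = frozenset(p for p in parts[1:] if p not in CAVEATS)
    caveats = frozenset(p for p in parts[1:] if p in CAVEATS)
    return Label(parts[0], codewords, caveats, origin)


def can_read(reader: Reader, label: Label) -> tuple[bool, str]:
    """Deny-by-default decision; the reason is returned so it can be logged."""
    if LEVELS[reader.level] < LEVELS[label.level]:
        return False, f"level {reader.level} does not dominate {label.level}"
    missing = label.codewords - reader.codewords
    if missing:
        return False, f"not briefed into {sorted(missing)}"
    for caveat in sorted(label.caveats):
        if not CAVEATS[caveat](reader, label):
            return False, f"blocked by caveat {caveat}"
    return True, "ok"


# Constructed readers for the case study.
EXEC_AT_SUB_BRAND = Reader("exec at a sub-brand", "TOP SECRET", frozenset(), "SUB:BankB")
LEGAL_REVIEWER = Reader("legal reviewer", "CONFIDENTIAL", frozenset({"YACHT"}), "Legal")

# What the executive asked for: one tag, Top Secret, nothing else.
OVER_CLASSIFIED = parse_marking("TOP SECRET", origin="Banking")
# What he actually wanted: a codeword plus a caveat on a lower level.
COMPARTMENTED = parse_marking("CONFIDENTIAL//YACHT//NOSUB", origin="Banking")


def case_study() -> dict[str, bool]:
    """Single tag vs. compartmented label for the two readers above."""
    return {
        "exec_single_tag": can_read(EXEC_AT_SUB_BRAND, OVER_CLASSIFIED)[0],   # True
        "exec_compartmented": can_read(EXEC_AT_SUB_BRAND, COMPARTMENTED)[0],  # False
        "legal_single_tag": can_read(LEGAL_REVIEWER, OVER_CLASSIFIED)[0],     # False
        "legal_compartmented": can_read(LEGAL_REVIEWER, COMPARTMENTED)[0],    # True
    }


if __name__ == "__main__":
    for name, allowed in case_study().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The single tag fails the executive in both directions: a Top Secret clearance held by an exec at a sub-brand is enough to read the document, while the legal reviewer who genuinely needs it is locked out. The codeword plus caveat on a lower level does what he wanted, which is the point of the multiple-tags question above.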

Do you tag once or multiple times?

Protection

The first thing to get right here is that you don’t need to encrypt a document to protect it!

Access

Lifecycle

Reporting
