Security

Information Classification

Information classification within an organization means deciding what level of user is allowed access to any data sent internally and externally. Data that enters a system without information classification is automatically assumed to be Top Secret. The Top Secret classification minimizes the number of people who are able to see the information, so important policy changes or updates will not be viewable to all of the necessary users. Also, the cost to encrypt and authenticate Top Secret level information is substantially higher than the cost to classify information for internal use only.

On the other hand, if information enters the system with a low level classification, and this data contains confidential information such as employee reviews, all of the employees with email access will be able to read the reviews of their peers. Other information contained on reviews, such as salaries or disciplinary actions, will also be viewable by everyone. This can lead to an organizational nightmare. The types of information classification currently used depend on the organization. Government offices use many types of information classification due to the variety and nature of the data gathered.

A concern in information classification is where an authorized employee will be able to view the information. Will the employee be able to view the data on their cell phone? Will the employee be able to view the information on a home computer or laptop? The environment in which the information may be open in is a great concern. Allowing a document to be opened on a cell phone, for example, means people standing or sitting near the recipient may be able to see Top Secret company data or view a username and password. The same holds true for home computers and laptop computers. Taking these scenarios into consideration when determining what information classification to assign data as well as what type of encryption and authentication to use are important steps that need to be taken well before any data is released for viewing.

At present, IP v4 transmits all information as clear text. Email servers are either POP3 or SNMP and both receive email in clear text. Clear text is not scrambled or encoded in any way; therefore, senders and receivers must be authenticated through protocols. Protocols are instructions telling the server to open information only if certain rules are followed. Encrypting information means writing a protocol that requires the recipient to enter certain critical information to access the data received. Once the correct information is entered, the server will recognize the sender as well as the recipient, authenticating both parties, and the data will be displayed.

Information can be hijacked or hacked into if it is encrypted incorrectly or lacks proper information classification. Private data such as usernames and passwords may be easily seen by other network devices that may be able to intercept and view packet data. SNMP v3 is regarded as one of the most secure encryption and authentication servers on the market. Unfortunately, it will take time for all network devices to become compatible with it as a standard.

Storing information is another concern that involves information classification. Many companies are choosing to store data on external cloud drives to save memory space within their networks, but caution must be used when storing sensitive information. The cost for storing information varies on the storage device as well as level of information classification. The cost to store data with a classification of Top Secret or Highly Classified is higher than that of data with low or no classification. Deciding where, what, and how to store information should always be a priority.

Leave a Reply

Your email address will not be published. Required fields are marked *