2nd in a series
The first component of the Pan-Canadian Assurance Model to review is the Security Classification of Information.
There are a number of ways that organizations can classify their information. The Pan-Canadian model uses the Canadian Public Sector Security Classification Guideline developed by the National CIO Subcommittee on Information Protection (NCSIP). The guideline is quite straightforward; its justification is summarized by the following quote:
…when electronic information is shared with external jurisdictions that are not aware of the value or sensitivity of an information asset, it becomes essential that the classification rating be established so that the information protection requirements can be quickly understood, communicated, and acted upon.
Here are the guideline’s information classifications and my interpretations of each:
1. Unclassified — Typically publicly available information. A breach, loss or unauthorized modification would not result in injury to individuals or organizations.
2. Low — Basic information about an individual, internal administrative systems or the status of a government process. Breaches of Low-level information could cause significant injury (in the legal sense) to individuals or organizations, including financial loss, service level impacts and/or embarrassment.
3. Medium — Medical/health information, an individual’s tax information, trade secrets, identity information that could be used to support fraud, etc. Breach or loss “could reasonably be expected to cause serious personal or enterprise injury”, including significant financial loss, legal action, etc.
4. High — Cabinet documents, oil & gas exploration data, criminal case information, information on a police informant, etc. If information rated High were breached, stolen or modified without authorization, “extremely serious” injury to individuals or organizations could be expected to occur.
The above provides general guidelines on how information should be classified. It is fairly consistent with classification models I’ve used in the past, and the examples in the guideline are quite easy to understand.
When using this type of guidance, it is important to develop your own examples so that the information your organization actually manages is used for illustrative purposes. For example, if you manage permits or licenses, be clear as to how that information is classified both during the permit application process and after it is completed.
Educate your business clients on the guideline. IT staff must NOT make the classification decision, nor should they influence the decision-makers one way or the other. Business owners and ‘information stewards’ need to classify the information. Use workshop settings to uncover information being managed, and use the examples to define information classifications.
It is important to perform information classification activities separately from the activity of selecting security controls. While it is very true that the classification will affect the controls you select, the knowledge that costly or difficult-to-implement controls might be needed must not influence the way information is classified.
Document the classifications — this could be done by each business area, or recorded centrally as an appendix to information classification standards or information management documentation.
The information classifications are mapped to the rightmost column in the model. This column, titled “Potential Impact of Identification/Authentication Error”, will drive the remainder of the identity assurance analysis.
Next: Trust Levels.