Gartner clients have a lot of questions about the topic of data classification. It is a primary concept that has long been enshrined in the canon of computer security, yet in practice, it remains a concept that is impractical for the majority of non-military organizations to successfully apply.
In 1998, information security pioneer Donn Parker wrote in Fighting Computer Crime: “All too often, organizations end up adopting a three- or four-level classification scheme with vague definitions of information sensitivity, then fail to apply it consistently or update it as the information sensitivity changes.” (p. 20) Fifteen years later, this observation remains entirely current. While he does say that classification can work for highly motivated organizations, it is not one of the major themes of this fascinating and still highly relevant book.
The growing availability of ‘rights management’ technologies, such as trusted viewing, board portals, VDI, and other ‘share your data without losing it’ technologies, demonstrates the prescience of Donn’s observation that “we need a new concept of two-level information classification—public and classified….” and his suggestion that this should be supported by “mandatory and discretionary controls for the protection of information, rather than by subjective classification of its sensitivity into arbitrary levels.” (p. 370)
My advice to Gartner clients is that classification theoretically represents a useful way to ensure that security controls are proportional to data sensitivity, and that its primary use should be to facilitate decisions about what NOT to do, as much as what to do. I typically give a canned 2-minute speech on the history of military classification, explaining why that level of effort is not practical for commercial organizations.
For those who are motivated to learn more about the history of the use of classification, the Federation of American Scientists has a very interesting 2002 online essay by Arvin S. Quist, “Security Classification of Information: Volume 1. Introduction, History, and Adverse Impacts”. The most important lesson I took from this essay is that classification is a difficult proposition, even for people who are hugely motivated by national intelligence and even national survival considerations. Scheme complexity evolved over time, and not without a great deal of discussion and even resistance. If NATO struggles with a 5-level scheme, any commercial organization should seriously consider that it likely has little appetite for more than 2-3 levels.
Lately, it’s become fashionable to criticize Wikipedia. To my mind, the recent controversies only provide evidence that this crowdsourced system does have mechanisms to ensure integrity and validity, and I remain both a financial and cultural supporter. Wikipedia has a lengthy entry on the topic of Classified Information. This article does not delve into the historical context, but it does provide a great deal of information about current practice, and includes a table with 88 different national-language classification markings, capsule summaries of government classification regimes in multiple jurisdictions, and links to nation-specific entries on classification practices. There’s a great deal of information here for the morbidly curious.
Few corporate IT risk managers will take the time to explore the intricacies of military classification, let alone its history, so let me boil it down for you. The most important lessons to be gained from this historical experience are, first, that classification schemes play a vitally important role in aligning levels of effort with data significance, and second, that they are difficult and costly to utilize. Commercial organizations, non-profits, and civilian agencies lack the motivation for a military-style scheme, which is why a growing number of government and non-government entities are choosing a simple Low/Medium/High scheme.
A simple scheme that is reliably used is infinitely more useful than a granular one that cannot get off the ground.