
When you implement information security mechanisms, for example an Azure Information Protection (AIP) deployment, you need to consider many technical and human aspects. Improper planning of the implementation causes both technical problems and improper use of the new mechanisms. In either case the implementation will not be successful and your information will remain unsecured.
Below are five tips that will help you plan the implementation process. They are a template of conduct that you must, of course, adapt to your organization, its business specifics, and its users.
Have the right set of initial labels
It’s very important to pick standardized and approachable labels. Business users should understand the meaning of each label and be able to apply them naturally.
For example:
- Personal: non-business data, for personal use only.
- Public: business data that has been specifically prepared and approved for public consumption, for example a brochure.
- General (default label): business data that is not intended for public consumption but can be shared with external partners as required. Examples include a company’s internal telephone directory, organizational charts, internal standards, and most internal communication.
- Confidential: sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data.
- Highly Confidential: very sensitive business data that would cause serious damage to the business if shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announcement financial reports.
Have sub-labels for key departments
For example, for the Confidential classification the sub-labels can be:
- Extended Staff
- Full-Time Employees: data classified as Confidential, meant for all full-time employees; business guests are excluded from this scope.
- Human Resources
- Legal: data classified as Confidential, meant for legal-related managerial roles.
- Finance: data classified as Confidential, meant for finance-related managerial roles.
And for the Highly Confidential classification the sub-labels can be:
- Extended Staff
- Full-Time Employees: data classified as Highly Confidential, meant for all full-time employees; business guests are excluded from this scope.
- Project X: leadership-approved special project. Do not share the existence of this project name with others. Contact Jane Doe for details.
- Human Resources
- Legal: data classified as Highly Confidential, meant for legal-related managerial roles.
- Finance: data classified as Highly Confidential, meant for finance-related managerial roles.
Create scoped policies for specialized teams
The list of global labels may, and should, be the same for all employees; only the lists of sub-labels should be customized per team. A scoped policy can then give a sub-label different permissions, and different policy settings, for the team it is meant for.
Encourage the right user behavior
There are four approaches to getting data classified:
- Automatic
Information is classified and labels are applied by rules. Automatic classification is useful, but it is based on simple rules (patterns in the content), so you shouldn’t expect it to solve all your problems.
- Recommended
The system suggests a classification to the user, who confirms it.
- Reclassification
Users are allowed to change the classification that was applied.
- User set
Users are expected to classify information manually. This assumes that users will remember to do it and that they understand what they are doing and for what purpose.
The best results are obtained by using recommended classification together with the possibility of changing it. It’s also a good idea to ask the user for the reason for the change; this forces users to think about the change and make a conscious decision.
Relying only on manual classification can lead to a situation where classification is simply not used.
Automatic classification is a good mechanism to initiate the data classification process. However, the entire information security mechanism should not be based on it.
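The combination recommended above (rule-based recommendation, user override, and a required justification when the user downgrades) can be expressed as a small policy engine. The following is an added illustration written for this article, not AIP code or any product’s API; the detection rules and the sample texts are constructed for the example, and the label names are the default set from the first tip.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Labels ordered from least to most sensitive; the index is the sensitivity rank.
LABELS = ["Personal", "Public", "General", "Confidential", "Highly Confidential"]

# Hypothetical content rules (constructed for this example): pattern -> minimum label.
# A real deployment would use the classification engine's own condition types.
RULES = [
    (re.compile(r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b"), "Highly Confidential"),  # card-like number
    (re.compile(r"(?i)\bpassword\s*[:=]"), "Highly Confidential"),                   # embedded credential
    (re.compile(r"(?i)\b(contract|forecast|security report)\b"), "Confidential"),
    (re.compile(r"(?i)\binternal (only|use)\b"), "General"),
]


def rank(label: str) -> int:
    """Position of a label in the sensitivity order (higher = more sensitive)."""
    return LABELS.index(label)


def recommend_label(text: str, default: str = "General") -> str:
    """Return the most sensitive label any rule fires for, or the default label."""
    best = default
    for pattern, label in RULES:
        if pattern.search(text) and rank(label) > rank(best):
            best = label
    return best


@dataclass
class LabelDecision:
    recommended: str               # what the rules suggested
    applied: str                   # what was actually applied
    justification: Optional[str]   # required only when the user downgraded


def apply_label(text: str, user_choice: Optional[str] = None,
                justification: Optional[str] = None,
                default: str = "General") -> LabelDecision:
    """Recommended classification with reclassification allowed.

    - No user choice: the recommendation is applied as-is.
    - Upgrade (user picks a more sensitive label): accepted without a reason.
    - Downgrade (user picks a less sensitive label): accepted only with a
      justification, which is kept with the decision for auditing.
    """
    recommended = recommend_label(text, default)
    if user_choice is None:
        return LabelDecision(recommended, recommended, None)
    if user_choice not in LABELS:
        raise ValueError(f"unknown label: {user_choice}")
    if rank(user_choice) < rank(recommended) and not justification:
        raise ValueError("downgrading below the recommended label requires a justification")
    return LabelDecision(recommended, user_choice, justification if rank(user_choice) < rank(recommended) else None)


if __name__ == "__main__":
    # Constructed sample texts.
    print(apply_label("Lunch is at noon in the main canteen."))
    print(apply_label("Please review the attached contract for Q3."))
    print(apply_label("Please review the attached contract for Q3.",
                      user_choice="General", justification="Template contract, no customer data"))
```

Note that the default label is applied when no rule fires, so silence from the rules is never "unclassified"; and because the justification is stored only on downgrades, the audit trail records exactly the cases the text asks users to think about.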
Safeguard email communication
Use information classification in email communication as well. With labels you can restrict who is able to open information sent by email, and you keep control over its further forwarding and copying after it has left your mailbox.