By Stephane Charbonneau
“We’ve had a classification policy for 30 years, but we’ve never been able to enforce it.”
1. Create a simple information classification policy
Whether your organization already has a classification policy, or is just defining one now, it’s best to start simple. Many organizations use three categories:
- A category such as “Public” to indicate non-sensitive information
- An “Internal” category for information that should stay within the organization
- A category such as “Confidential” or “Restricted” for information that is particularly sensitive
The easiest way to get users to classify their email and documents is to make classification part of the user’s workflow: when a user sends an email or saves a document, prompt them to classify it. By integrating the classification step into the desktop application, classification becomes simple and intuitive for the user.
3. Create and deploy a common configuration
Your next step is to define a common configuration across your user community. Here are some areas you will need to configure:
- The names of your classification labels/categories
- Whether you want to force users to classify or provide defaults
- Whether visual labels will be displayed within the emails and documents
4. Get the users involved: start classifying and adding metadata
After you deploy the classification software and the associated configuration, users will have a new classification interface in their desktop applications. This interface will let them identify the sensitivity of their information, helping to share the responsibility of corporate security across the organization, rather than simply relying on the IT department to identify and protect the information.
Many organizations choose to prompt their users to classify every email and document. This causes users to stop and think about the sensitivity of the content, which fosters a culture of awareness and engages users in the organization’s information security strategy.
5. Evolve information controls over time
With your users now classifying their email and documents, you are ready to start enforcing policies based on those classifications. You have several options for leveraging the classifications for policy enforcement:
- Take advantage of policy enforcement within classification software itself. For example, warn users when sending internal email to external email addresses. This type of policy enforcement is very effective because it prevents data leaks before the information leaves the desktop, and provides targeted security education to the user.
- Automatically apply information rights management (IRM) and encryption. By using classification as a front-end to encryption and IRM solutions, organizations can automatically apply encryption, digital signatures, or rights protection based on the classification. Users do not need to understand the encryption or IRM technology; they simply select a classification and the appropriate protection is transparently applied.
- Leverage classification metadata with downstream solutions. Other technology solutions can make use of the classification metadata that is created when users classify a document or email. For example, a DLP solution can read the metadata on a document to determine if a user should be allowed to copy the data to a USB drive. A records management system can use the metadata to determine where to store a document and how long to retain it. And a perimeter security solution can read the metadata on an email to determine if it should be encrypted at the gateway.
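As an added illustration (not code from the original article or from any classification product), here is a small Python policy check in the spirit of the first two options above: it reads the label from an assumed `X-Classification` header that the desktop add-in would stamp on outbound mail, treats `example.com` as the organization's own domain (an assumption), and returns the action to take before the message leaves the desktop.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# The article's three tiers, ranked by sensitivity (names are deployment-configured).
LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2}
# Assumption: the organization's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: header name the desktop classification add-in stamps on outbound mail.
LABEL_HEADER = "X-Classification"


def external_recipients(msg: Message) -> list[str]:
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [addr for _, addr in getaddresses(fields)]
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate(raw_message: str) -> dict:
    """Decide what the client should do before the message leaves the desktop."""
    msg = message_from_string(raw_message)
    label = msg.get(LABEL_HEADER)
    external = external_recipients(msg)
    if label not in LABEL_RANK:
        # Unlabelled mail: force classification rather than guessing a default.
        return {"action": "prompt", "reason": "no classification label present"}
    if LABEL_RANK[label] >= LABEL_RANK["Confidential"]:
        # Classification as a front end to encryption/IRM: apply it transparently.
        return {"action": "encrypt", "reason": f"{label} content is always protected"}
    if LABEL_RANK[label] >= LABEL_RANK["Internal"] and external:
        # Stop the leak at the desktop and tell the user why.
        return {"action": "warn", "reason": f"{label} mail addressed to {', '.join(external)}"}
    return {"action": "allow", "reason": f"{label} content, no policy conflict"}


# Constructed sample messages for demonstration only.
SAMPLES = {
    "internal_to_partner": "To: Bob <bob@partner.example>\nCc: carol@example.com\nX-Classification: Internal\n\nDraft roadmap attached.\n",
    "confidential": "To: dave@example.com\nX-Classification: Confidential\n\nQ3 numbers.\n",
    "unlabelled": "To: erin@example.com\n\nLunch?\n",
    "public_external": "To: press@news.example\nX-Classification: Public\n\nPress release.\n",
}


def decisions(samples: dict[str, str] = SAMPLES) -> dict[str, str]:
    """Map each sample name to the action the policy would take."""
    return {name: evaluate(raw)["action"] for name, raw in samples.items()}
```

A DLP gateway or records system consuming the same header would apply the same ranking logic at its own enforcement point.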