Five Easy Steps for Implementing a Classification Policy
Stephane Charbonneau

“We’ve had a classification policy for 30 years, but we’ve never been able to enforce it.”

Does this quote sound familiar to you? It’s very common for organizations, especially in the commercial space, to have a classification policy but no way to implement it. Instead, organizations often move directly to the data protection stage, investing in large infrastructure projects such as Data Loss Prevention (DLP) and Information Rights Management (IRM). But without classification as the foundation of their information protection strategy, it’s impossible for organizations to know what to protect.

Fortunately, implementing a classification policy is really quite simple. Here are five recommended steps for implementing a classification policy:

1. Create A Simple Information Classification Policy

Whether your organization already has a classification policy, or is just defining one now, it’s best to start simple. Many organizations use three categories:

  • A category such as “Public” to indicate non-sensitive information
  • An “Internal” category for information that should stay within the organization
  • A category such as “Confidential” or “Restricted” for information that is particularly sensitive

2. Enable Classification Within Current Desktop Tools

The easiest way to get users to classify their email and documents is to make classification part of the user’s workflow. So, when a user sends an email, or saves a document, you can prompt them to classify. By integrating the classification process into the desktop application, the classification process is simple and intuitive to the user.

3. Create and Deploy A Common Configuration

Your next step is to define a common configuration across your user community. Here are some areas you will need to configure:

  • The names of your classification labels/categories
  • Whether you want to force users to classify or provide defaults
  • Whether visual labels will be displayed within the emails and documents

At this stage in your deployment, it is best to keep the configuration as simple as possible. You can add additional policies and options in the coming weeks and months, as users become used to the classification process. Doing it this way reduces the amount of testing and training required for a successful rollout.

4. Get the Users Involved: Start Classifying and Adding Metadata

After you deploy the classification software and the associated configuration, users will have a new classification interface in their desktop applications. This interface will let them identify the sensitivity of their information, helping to share the responsibility of corporate security across the organization, rather than simply relying on the IT department to identify and protect the information.

Many organizations choose to prompt their users to classify every email and document. This causes users to stop and think about the sensitivity of the content, which fosters a culture of awareness and engages users in the organization’s information security strategy.

5. Evolve Information Controls Over Time

With your users now classifying their email and documents, you are ready to start enforcing policies based on those classifications. You have several options for leveraging the classifications for policy enforcement:

  • Take advantage of policy enforcement within classification software itself. For example, warn users when sending internal email to external email addresses. This type of policy enforcement is very effective because it prevents data leaks before the information leaves the desktop and provides targeted security education to the user.
  • Automatically apply information rights management (IRM) and encryption. By using classification as a front-end to encryption and IRM solutions, organizations can automatically apply encryption, digital signatures, or rights protection based on the classification. Users do not need to understand the encryption or IRM technology; they simply select a classification, and the appropriate protection is transparently applied.
  • Leverage classification metadata with downstream solutions. Other technology solutions can make use of the classification metadata that is created when users classify a document or email. For example, a DLP solution can read the metadata on a document to determine if a user should be allowed to copy the data to a USB drive. A records management system can use the metadata to determine where to store a document and how long to retain it. And a perimeter security solution can read the metadata on an email to determine if it should be encrypted at the gateway.

By following these five steps to implementing a classification policy, you will have established the foundation of an effective information protection strategy. Your users will become critical partners in identifying and protecting your organization’s valuable information assets, all for the investment of one simple click.

Stephane Charbonneau is Chief Technology Officer at TITUS. His background as an IT Security Architect helps bridge the gap between customer requirements and the product suites offered by TITUS. Steph has gained significant experience over the past 15 years working with large international organizations in the public and private sector. He worked as senior architect at a major US financial institution and in several Canadian federal government departments. He has delivered specialized Entrust training courses to Fortune 500 enterprises around the world and had the opportunity to meet and work with many of the top public key infrastructure (PKI) and security specialists on the planet.