Document security: Minding your documents

Do your workers know what "confidential" means? In today's global economy, effective strategies for safeguarding information can mean the difference between success and failure
 
When an organization stamps a document "confidential," what do recipients think that means? What kind of direction does that give them on how to handle the potentially sensitive information they work with every day?

With today's technologies, it's easier than ever to make a document, presentation, spreadsheet or video available to anyone anywhere – so much so that someone could send it absent-mindedly, without realizing the consequences until it was too late. This is why it's critical that employees are given unambiguous guidance on protecting documents with proper classification labeling and access control.

Management must have systems in place that protect the sensitive information shared between organizations, employees, and with customers and partners. The goal is for companies to protect themselves across multiple channels and at all levels from the lost revenues, damaged brands, customer churn, jeopardized product development, lawsuits, fines, and other impacts that can result from information accidentally or maliciously falling into the wrong hands.

When a security incident necessitates law enforcement involvement, organizations must have had their data adequately marked and protected, or they will face great difficulty in making their case and achieving a desired outcome.

Looking at today's challenges
Effective security is only established and maintained through people, processes, and technologies working in concert. Security needs to be proactive, rather than reactive. At the C-level, executives are viewing information as a significant asset that must be managed with systems in place to control workflows. Organizations can no longer afford "aspirational" systems for classifying data and controlling access. They need real ones–and soon.

Security threats can come from any point in a business' ecosystem of internal and external contacts. Hackers may get the most attention, but the majority of breaches originate from inside the organization and are accidental or malicious in intent. It's not just the employee with a grudge or a job offer from a competitor. Even well-meaning employees and partners can and do fail to protect sensitive data appropriately. They may post information in too many places–including internal blogs, social networking applications, and wikis–some protected, most not. They may send materials to another part of the company, unaware of restrictions on cross-border or cross-section data flows. They may also share information with suppliers and distributors, not knowing where to draw the line between information that should and should not be shared under non-disclosure.

At the same time, employees and IT groups can't reconcile or consistently adhere to the sometimes conflicting requirements of data owners, data users, applications, systems, and different regulatory frameworks. This is why establishing proactive controls and processes while educating staff throughout an organization are critical.

Meanwhile, security managers are always playing a game of catch-up because data proliferates so quickly that they can't destroy it. Simply trying to find and control important data often proves futile. Security teams start off at a disadvantage: often, they are trying to control what they don't own. The business unit typically owns the data, not IT. The business unit knows what is considered sensitive and what isn't–so to succeed, teams in Security, IT, and the line of business need to work together. And some of the information IT must protect doesn't even belong to the organization: it comes from a business partner and has its own confidentiality provisions.

Information ownership can be a thorny issue. In forging business partnerships, legal teams now spend a lot of time – in some cases, a year or more – spelling out agreements for marking data that passes between the different entities. For some multinationals, sharing information between regions can present an insurmountable barrier. Some are even considering leaving data in its country of origin to circumvent regulatory issues, or anonymizing the data in some way to move it to another location where senior management can access it.

The new "confidential": information classification
The first step in protecting sensitive information is to establish a basic system of marking information. Whether it's called information classification (IC), sensitivity classification, sensitivity labels, or even data classification, it's a short list of tags or labels that convey two pieces of information: the sensitivity of the material and its intended audience.

Most companies have data classifications in place. Too often, they're described in a policy document that only a few people have read. Organizations now understand the need to align IC strategy with business processes and implement it in technical infrastructure, but they often don't know how.

Best practices: Moving from aspiration to implementation
When designing an IC strategy, keep it simple. The more complex an IC strategy is, the lower employee compliance will be. An IC solution has to be clear, unambiguous, and easy for employees to adhere to. The following suggestions can help in designing an IC solution and are best practices gleaned from years of consulting on information security.

Share information responsibility
Any successful IC policy has to be designed and implemented as part of a cooperative effort that engages technical, business, and legal teams. Only this way can an organization be sure that the resulting system will be supported by its technical infrastructure, help ensure the right people have access to the information they need, and help protect the business in case of breach.

Restrict the number of categories
Some companies use a binary IC system: information is either public or not. This is too simple and doesn't address the complexity of the business ecosystem. On the other hand, a system so complex that it's reminiscent of military specifications may seem like it covers all bases, but in practice won't work because people won't be able to regularly manage it.

Labels need to be specific but not too granular, so that a document owner or auto classification system can readily determine which one should apply to a piece of information. Organizations may also want to establish a default label for documents, which might vary from one department to another. Fewer than 10 classifications, plus extra ones for special projects, should be enough for most companies. See the sidebar for some category suggestions.

In general, a primary goal is putting documents into coarse buckets that distinguish data with a high impact on the business from data with a low impact. Then the focus can be directed to protecting the information that would pose the greatest risk to the organization if a data breach occurs.

A color coding scheme tied to these labels can help users remember which are the least and most confidential of the classifications, with a spectrum from green (public), through blue, yellow, orange, and red (private, insider restricted, and similar highly restricted categories). Some organizations choose to color the label or even the entire cover sheet or background of a sensitive document.

Regardless of the number of labels or the color schemes, organizations must ensure it's easy for employees to apply labels with just a few clicks of a mouse. A basic system like this helps businesses classify information as part of an information risk management strategy. It also helps organizations take corrective action internally or legal action if a breach occurs, because it enables the company to prove that the defendant knew the information was restricted. 

Automate enforcement
To enforce access restrictions on labeled information, make sure file servers, portals, and content management systems are tied to the directory of users and their corresponding access privileges. Directories such as Active Directory or LDAP are a good place to store the group membership information, especially when they contain organization reporting structures and/or roles as part of the group member lists.

Employees don't always know which other employees have the same data access privileges they do, so they might accidentally send materials to the wrong people. But when they're working within a directory-based access restriction system, such as rights management, they only need to specify the IC policy label and click on a few other choices to ensure a document gets to everyone who needs to review it, and nobody else. This is not only more accurate–it's easier for employees, which means they're more likely to follow the process.

Leverage templates
Most organizations already have templates for different types of materials, such as presentations, spreadsheets, and documents. With a few modifications, those templates can support IC, so that they include background information on different target audiences and display the IC level on each page or slide. This helps remind people of the sensitivity of the information under discussion.

Use watermarks
Organizations can set up content management or rights management systems to automatically watermark documents. IT can hook watermarking into existing access control lists, so that the system applies watermarks as documents are checked in or out. Applications are available that allow organizations to set policies that overlay watermarks at viewing time, so that the viewer sees an overlay with the current document classification, date, and name of the viewer.

Some applications can restrict printing rights, but if an employee can and does print a document and it ends up in the wrong hands, it will be easy to track it back to the person who printed it out. Plus, when employees know that a printed copy of a restricted document has their name on it, they are likely to be more careful about protecting it than they otherwise might.

Prepare for turnover
Employees move on, and organizations have to ensure they don't take valuable information when they go. An excellent example of secure management of turnover is Fluor, one of the world's largest publicly owned engineering organizations. With 17,000 active stakeholders at any one time, and cyclical, contract-based operations, it set up an automated infrastructure specifically to provide and remove access to information as appropriate. When employees leave the company, the system denies them access to classified documents–even if these documents have already been downloaded to a home computer. Fluor has even set up scenarios to detect patterns and initiate lockouts when an employee might be downloading bulk information just prior to leaving the company. In addition, its system sets limits on how long certain documents are available to recipients.

Build security into the document
Security approaches that focus only on document storage and transport are limited. Ultimately, organizations should aim to have security reside within a document, to protect it as it moves through its lifecycle inside and outside the organization.

This is possible with today's technologies. For instance, financial and government organizations are gaining better control over information by using Adobe Portable Document Format (PDF) files that include built-in controls to limit who can open and print materials or how long recipients can access materials. The PDF files also contain tracking to show who received materials and if the files were opened.

Enterprise rights management, using products such as Adobe LiveCycle Rights Management ES, can persistently enforce a security classification throughout its lifecycle. Information Classification labels can map to enforcement policies that protect PDF, native Office documents, native CAD files, and video. After a protected asset leaves the secure storage or transport mechanism, the information remains persistently protected. For example, if a document is forwarded to someone internally or externally who shouldn't have access, the file won't open. Many rights management schemes not only control who can open each document and what they can do with them, but also provide expiration, version control, revocation, and auditing.

Educate employees
A recent survey of information security staff asked them how they spend their time and how they think they should be spending it. There's a significant difference: staff spend their time analyzing and fixing breaches–but they think they should be training employees instead.

Because figuring out the cause of the latest breach is often the top priority, training doesn't always get enough attention. But as the vital missing link between aspiration and implementation, training offers the best return on an organization's security investment. New employees and existing employees need orientation and tune-ups that clarify why IC is important and how to use it. At the end of the day, security is about changing the way an organization does business–and this requires training employees to think and act differently.

Drive process and governance
Beyond education, creating and enforcing an internal process empowers key stakeholders to make a concerted effort to establish controls over information. Once an information classification and risk management program is in place, the results need to be policed by internal champions. For instance, after "hot spots" of sensitive information are found and recorded, the Security and Compliance departments should follow up to determine where risks reside and hold leaders in the line of business accountable to reduce exposure. A continuous improvement program that tracks and monitors groups and the relative risk posed to the corporation through sensitive information assets is an effective way to police the system.
 
Simplicity is key to security
Business managers know that information can be one of their greatest assets, and that without control, information assets are at risk. This understanding is shifting the focus of security from layered protection and information structures to asset and information risk management. Effective security requires companies to control proliferation and embed security into information so that the asset largely manages itself, helping to lift the burden of compliance solely from employees and reduce risk to the business.

Companies can now define an intuitive set of information classification categories, embed them in templates, tie them to directory infrastructure, and implement various kinds of automated watermarking. This needs to be done right away–and then companies can move beyond this basic level and embed security directly in documents to restrict viewers' rights to print, modify, copy and paste, or view at another time.

An effective IC enforcement system must be enterprise-wide. This means that organizations need to ensure their IC solutions can apply to documents created anywhere in the company, independent of document content and regardless of state (whether the information is at rest, in motion, or in use). The solution should leverage standards-based technologies such as PDF so that partners and customers can comply without having to adopt additional software programs.
 
And that is just the beginning. An effective IC strategy must appear simple to use for employees and partners, but be backed by powerful, proven solutions. An easy-to-use system helps employees classify materials correctly and consistently. Then, behind the scenes, their classifications of documents activate data security embedded in the document, so that even if it somehow falls into the wrong hands, it won't be accessible. This user-friendly, technically sophisticated approach can balance a company's need for infallible security with the reality of how employees work.

Example classification levels
Here are a few recommended labels that can be a starting point for organizations to customize further. Many companies choose to prefix the labels with their company name (XYZ) so recipients know it's the organization's own system of classifying documents.

XYZ Public. Documents that are for public consumption. People assume a document without a label is public.

XYZ NDA Confidential. Documents that should be viewed only by recipients with a non-disclosure agreement.

XYZ Employee Confidential. Documents that should be viewed only by recipients who are employees (full or part-time). Some companies create separate tags for full-time and part-time staff. 

XYZ Insider Restricted. For publicly held companies, this category would apply to sensitive information that cannot be disclosed externally or to the general employee community.

XYZ Management Restricted. Documents that should only be viewed by the senior management of an organization, and not the general employee community.

XYZ Board Restricted. For publicly held companies that distribute electronic "board books," this classification designates the board-of-directors community.
 
XYZ Private. Documents that include health, financial, or any other private information that could identify an individual. 
 
XYZ "Project." For strategic alliances or mergers & acquisitions, additional classifications should be created specific to that project. Use a codename for this category so that the existence of the label does not expose the project itself.
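As an added illustration (not code from the article or from any product it names), the following Python models the directory-based enforcement described under "Automate enforcement" using the labels listed above: each label maps to the directory groups allowed to open a document, an unlabelled document defaults to public, an unknown label fails closed, and access is re-evaluated at open time so that offboarding a user revokes access even to already-downloaded copies. The group names, user names, and the "Bluebird" project codename are constructed assumptions.

```python
"""Label-to-audience enforcement for the example classification levels.

Added example, not code from the article or any vendor product. Group and
user names below are constructed; a real deployment would query AD/LDAP.
"""
from dataclasses import dataclass, field

# Each label maps to the directory groups whose members may open the document,
# ordered from least to most restricted (green to red in the colour scheme).
# None means no restriction (anyone, including outsiders). Group names are assumed.
LABEL_AUDIENCE = {
    "XYZ Public": None,
    "XYZ NDA Confidential": {"employees", "nda-partners"},
    "XYZ Employee Confidential": {"employees"},
    "XYZ Insider Restricted": {"insiders"},
    "XYZ Management Restricted": {"senior-management"},
    "XYZ Board Restricted": {"board"},
    "XYZ Private": {"hr-privacy"},
}
DEFAULT_LABEL = "XYZ Public"  # a document without a label is treated as public


@dataclass
class Directory:
    """Constructed stand-in for an AD/LDAP group store: user -> set of groups."""
    groups: dict = field(default_factory=dict)

    def groups_of(self, user):
        return self.groups.get(user, set())

    def offboard(self, user):
        # Turnover: dropping all memberships revokes access at the next open.
        self.groups.pop(user, None)


def register_project_label(codename, groups):
    """Add a codename-only label so the label itself reveals nothing."""
    LABEL_AUDIENCE[f"XYZ {codename}"] = set(groups)


def can_open(label, user, directory):
    """Decide at open time, never at send time, whether a user may open a file."""
    label = label or DEFAULT_LABEL
    if label not in LABEL_AUDIENCE:
        return False  # unknown label: fail closed rather than assume public
    audience = LABEL_AUDIENCE[label]
    if audience is None:
        return True
    return bool(directory.groups_of(user) & audience)


def allowed_recipients(label, directory):
    """Everyone who needs it and nobody else, derived from directory membership."""
    return sorted(u for u in directory.groups if can_open(label, u, directory))


# Constructed sample directory used for the checks below.
SAMPLE_DIRECTORY = Directory({
    "alice": {"employees", "insiders"},
    "bob": {"nda-partners"},
    "carol": {"employees"},
})
```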