The purpose of information classification
Classification of information has two purposes:
- To increase awareness of the negative consequences that may affect your organisation if adequate protection of the information’s confidentiality, accuracy or availability is not maintained.
- To understand and determine the need for protection of the classified information.
The result of the classification provides an increased understanding of the value of the information and of the consequences if it were leaked to unauthorized persons, changed in an uncontrolled way or made inaccessible. However, it is important that protection needs and handling rules are communicated to those who are to handle the information.
Choosing the right security measures
Examples of questions that must be answered are:
- How should the information be stored?
- Can I send it unencrypted in an email?
- If it is to be encrypted, how do I do it?
The classification is also an input to the risk assessment that determines the need for protection of the information. This provides a basis for choosing the right security measures, so that the information is neither given insufficient protection nor over-protected, with unnecessarily high costs as a result.