Digital information - your most valuable asset
Information is today a basic building block in an organization, in the same way as employees, premises and equipment. Information expresses knowledge or a message in a concrete form. We can communicate information, we can store it, we can refine it and we can control processes with it - we simply need it for most of what we do.
Information is therefore in many ways the most important thing that a business or a company has - it is simply worthy of protection.
Information needs to be protected
For us to be able to trust the information, and to keep it from being leaked, manipulated or otherwise corrupted, we need to protect it. Information security and cybersecurity are above all about preventing information from being leaked, distorted and destroyed. They are also about having the right information available to the right people at the right time. Information must not fall into the wrong hands and be misused.
Information classification helps you choose the right protective measures
Information classification means that the organisation's information is evaluated on the basis of the consequences that insufficient protection of the information's confidentiality, accuracy and availability could have. Examples of questions to consider are:
- What could the consequences be if the information becomes available to unauthorized persons (Confidentiality)?
- What could the consequences be if the information is manipulated or destroyed (Accuracy)?
- What could the consequences be if someone (who is authorized) does not have access to the information (Availability)?
Information classification is not something that only happens once. On the contrary, it is important to regularly check that the classification still applies. This is because the value of the information for the organisation can change over time, and the classification should therefore be reviewed annually as part of the organisation's information security work. When developing, making major changes to, or planning the acquisition of IT systems or other resources that handle information, you also need to ask whether the classified information can be protected in, for example, a new IT system. Classification is also an important input when setting requirements for new purchases.
Classification of information has two purposes:
- To increase awareness of the negative consequences that may affect your organisation if adequate protection of the information's confidentiality, accuracy or availability is not maintained.
- To understand and determine the need for protection of the classified information.
The result of the classification provides an increased understanding of the value of the information and of the consequences if the information were to be leaked to unauthorized persons, changed in an uncontrolled way or become inaccessible. However, it is important that protection needs and handling rules are communicated to those who are to handle the information. Examples of questions that must be answered are:
- How should the information be stored?
- Can I send it unencrypted in an email?
- If it is to be encrypted, how do I do it?
The classification is also an input to the risk assessment that determines the need for protection of the information. This provides a basis for choosing the right security measures, so that the information is neither insufficiently protected nor over-protected, with high costs as a result.
Different solutions for different kinds of needs
The needs for information security can vary depending on the type of business. Read more about our solutions for different kinds of needs.