Digital information – det allra viktigaste vi har

How do you protect your most valuable asses – your digital information? Learn more about why it is so important to protect your digital information and how you choose the right security measures.

Digital information – your most valuable asset

Information is today a basic building block in an organization, in the same way as employees, premises and equipment. Information expresses knowledge or message in a concrete form. We can communicate information, we can store it, we can refine it and we can control processes with it – we simply need it for most of what we do.

Information is therefore in many ways the most important thing that a business or a company has – it is simply worthy of protection.

Information needs to be protected

In order for us to be able to trust the information and to avoid it being leaked, manipulated or otherwise corrupt – we need to make sure to protect it. Information security and cybersecurity are above all about preventing information from being leaked, distorted and destroyed. It is also about having the right information available to the right people, and at the right time. Information must not fall into the wrong hands and be misused. There are different solutions for protecting your network and your information. For example, there are data diodes, security gateways, and firewalls. However, there is not one right solution that fits everyone – what solution you need depends on what kind of information you are protecting and how you need to use your information.

Information classification helps you choose the right protective measures

Information classification means that the organisation’s information is evaluated on the basis of what consequences insufficient protection for the information’s confidentiality, accuracy and availability could have. Examples of questions to consider are:

• What could the consequences be if the information becomes available to unauthorized persons (Confidentiality)?
• What could the consequences be if the information is manipulated or destroyed (Correctness)?
• What could the consequences be if someone (who is authorized) does not have access to the information (Accessibility)?

Information classification is not something that only happens once. On the contrary, it is important to regularly check that the classification still applies. This is because the value of the information for the organisation can change over time and the classification should therefore be reviewed annually as part of the organisation’s information security work. When developing, doing major changes or when you plan an acquisition of new IT systems or other resources that handle information, you also need to ask the question whether the classified information can be defended in, for example, a new IT system. Classification is also an important input in setting requirements for new purchases.

The purpose of information classification

Classification of information has two purposes:

1. To increase awareness of the negative consequences that may affect your organisation if adequate protection of the information’s confidentiality, accuracy or availability is not maintained.
2. To understand and determine the need for protection of the classified information.

The result of the classification provides an increased understanding of the value of the information and the consequences it would have if the information were to be leaked to unauthorized persons, changed uncontrollably or be inaccessible. However, it is important that protection needs and handling rules are communicated to those who are to handle the information.

Choosing the right security measures

Examples of questions that must be answered are:

• How should the information be stored?
• Can I send it unencrypted in an email?
• If it is to be encrypted, how do I do it?

The classification is also an input value to the risk assessment that determines the need for protection of the information. This provides a basis for choosing the right security measures so that the information does not receive insufficient protection or is overpriced with high costs as a result.