When you read books on security, at some point the importance of classified information systems is covered. These typically look at Mandatory Access Control in the context of military classifications, such as top secret, secret, for official use only, and sensitive but unclassified. While the existence of commercial classification systems in use outside of a government context may be mentioned, it’s not as common to see a commercial information classification system presented.
In this article, I shall present to you a commercial information classification system that you can use to help plan your web application’s security standards based upon information sensitivity considerations. It is the system that I have developed for use with my own clients and have presented on publicly as part of my series on how a Ruby developer can help prevent a data breach.
The role of security
The role of security is to protect the confidentiality, integrity, and availability of data and information resources. Confidential information is protected by reasonable technical security countermeasures, also known as technical security controls. To choose appropriate security countermeasures requires a detailed threat model and to do so means a comprehensive understanding of the nature of the information handled by the system. For this purpose, it’s vital to have a classification system as a fundamental planning tool.
Commercial Information Classifications
- Public: Public information
- Internal Use: Confidential business information
- Sensitive: Personal and Private Information (PII), information that THE LAW considers confidential
- Highly Sensitive: Encryption keys, server secrets, staff/admin passwords
All too often, business owners and startup founders think they can choose the level of security for their applications. But the truth is that only the first two categories, Public and Internal Use information fall within their discretion. Above the yellow line, you have some wiggle room. Between the yellow and the red line is the uncanny valley of personal information and below the red line, enhanced security countermeasures are highly advised.
Most business information is Internal Use, most customer data is Confidential, unless it is legally defined as PII and then it is Sensitive. Encryption keys and staff passwords are Highly Sensitive.
Another Information Classification System
The Georgia Institute of Technology has a slightly different, four tier classification system. It’s worth reading about and helped me as I developed my preferred classification system.
The term data classification used in this guide should not be confused with the practice of handling or working with “classified data” (e.g. Government Classified data). Georgia Tech classifies all data into one of four Data Categories.
- Category I — Public Use: This information is for general public use such as the Institute’s Web site contents, press releases, and annual reports.
- Category II — Internal Use: Information not generally available to parties outside the Georgia Tech community, such as directory listings, minutes from non-confidential meetings, and internal intranet Web sites. Public disclosure of the information would cause minimal trouble or embarrassment to the Institute.
- Category III — Sensitive: This information is considered private and should be guarded from disclosure; disclosure of the information may contribute to financial fraud. Disclosure may also violate state and/or federal law.
- Category IV — Highly Sensitive: Data which must be protected with the highest levels of security, as prescribed in contractual and/or legal specifications.
Further reading on Georgia Tech’s policies on this, refer to these source documents that are available publicly.
- Data Access Policy (gatech.edu)
- Data Security Classification Handbook (gatech.edu)
- Data Protection Safeguards (gatech.edu)
Securing a web application as part of a comprehensive information security policy is really hard. But without understanding what data your system handles and what security countermeasures are appropriate or needed, then chances are that the system will not be as secure as it needs to be against the threats that it faces.
While you don’t have to use my classification system, but you do need to use a system consistently.