3rd December 2013
A methodology for properly classifying information risk is the first rule of designing an effective supplier assurance programme. It may sound obvious but in practice not many organisations do it. Fewer still do it well. But unless your programme is based on a clear understanding of the value of the information you have stored, along with your regulatory obligations, it is very easy to end up with a one-size-fits-all approach that treats every supplier the same.
Here are some essential guidelines, which will help ensure information is classified correctly.
Proper classification forms the foundation from which you can start to identify which suppliers represent the greatest risk to your organisation’s information assets.
When drawing up a checklist the first task is to decide what information is most sensitive to your business and what is mandatory to protect from a regulatory standpoint. You then need to look at which information is shared with suppliers. Suppliers should be assessed against this short checklist to establish the type and volume of information they handle on your behalf. You need to know what they have of yours that has value and who they are in turn sharing it with.
This will enable you to audit all suppliers quickly and produce a rank-ordered list of suppliers by information risk. You know which ones have the most sensitive information and you are able to treat them differently according to their merits. All information, regardless of its classification, should be protected from unauthorised alteration.
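One way to turn that checklist into a rank-ordered list, as an added example that is not part of the original article: the classification names and weights, the volume bands, the onward-sharing multiplier and the supplier portfolio are all assumptions constructed for illustration, not values the article prescribes.

```python
from dataclasses import dataclass

# Assumed classification levels and weights. The article says there are
# three broad categories but does not name them, so these are placeholders.
CLASSIFICATION_WEIGHT = {"confidential": 10, "internal": 3, "public": 0}


@dataclass
class Holding:
    """One kind of information a supplier holds on our behalf."""
    classification: str
    records: int             # approximate volume held
    regulated: bool = False  # mandatory to protect under regulation


@dataclass
class Supplier:
    name: str
    holdings: list
    onward_parties: int = 0  # third parties the supplier shares it with


def volume_band(records: int) -> int:
    # Coarse multiplier so bulk holdings outrank a single file (assumed bands).
    return 1 if records < 1_000 else 2 if records < 100_000 else 3


def risk_score(supplier: Supplier) -> float:
    """Sensitivity x volume, doubled for regulated data, scaled by onward sharing."""
    score = 0.0
    for h in supplier.holdings:
        term = CLASSIFICATION_WEIGHT[h.classification] * volume_band(h.records)
        if h.regulated:
            term *= 2  # regulatory obligation counts as extra exposure
        score += term
    # Each onward party is exposure outside our direct control.
    return score * (1 + 0.25 * supplier.onward_parties)


def rank_suppliers(suppliers: list) -> list:
    """Rank-ordered (name, score) list, highest information risk first."""
    return sorted(((s.name, risk_score(s)) for s in suppliers),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample portfolio (not real suppliers).
SUPPLIERS = [
    Supplier("Payroll bureau", [Holding("confidential", 5_000, regulated=True)], onward_parties=1),
    Supplier("Marketing agency", [Holding("internal", 200), Holding("public", 1_000_000)], onward_parties=3),
    Supplier("Cloud archive", [Holding("confidential", 250_000)]),
    Supplier("Print shop", [Holding("public", 50)]),
]
```

Calling `rank_suppliers(SUPPLIERS)` returns the payroll bureau first, because it holds regulated confidential data and passes it on, even though the cloud archive holds far more confidential records.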
Classification of information broadly falls into three main categories (but can be as granular and specific as the organisation deems necessary):
The next set of classification guidelines relates to how information should be handled and protected. Each information category has separate handling and protection rules, which the risk manager and/or information/data security manager is responsible for enforcing. All confidential information stored on the company’s IT systems has to be protected by strict access controls to ensure it is not improperly disclosed, modified, deleted or otherwise rendered unavailable. These rules extend to prohibiting employees from recording or sharing the information in any way, via any medium. Even access to any office, computer room or work area where confidential information is stored must be strictly controlled. The handling and protection guidelines govern all stages of a digital asset’s lifecycle, from its creation and storage through to its eventual deletion.
The final set of procedures relates to how information is labelled to ensure it is handled in line with its assigned classification, and applies equally to physical and electronic assets. For every classification type there are prescribed processes covering copying, storage, transmission – whether by post, fax, internet or e-mail – and end-of-life.
All outputs relating to confidential information, whether printed reports, screen displays, recorded media (tapes, disks, CDs, DVDs, cassettes), or electronic messages and file transfers, must be appropriately labelled to reflect their classification according to the rules that have been agreed. Physical labels are perfectly adequate in the majority of cases. But some information assets, such as documents in electronic form, cannot be physically labelled and therefore some form of electronic labelling is needed. If possible, all printed confidential documents should carry a clear sensitivity label in the bottom right-hand corner of each page, or a watermark that indicates the sensitivity classification.
Information classification helps employees to understand the relative value the organisation places on different parts of the business. Once information is classified you can draw up a list of guidelines that dictate what can be done with each category of information – both internal and external to the organisation. Those with the highest rating will be the most restricted – only a privileged few will be allowed to see them – while those with lower ratings will be more universally accessible. This must be well communicated to employees and their understanding of it assessed within the organisation.
When applied to a risk assurance programme, classification allows you to distinguish between suppliers so you can focus your efforts on those that represent the greatest risk to your organisation – according to the classification rating you have put on the information you are sharing with them or that they have access to.