Classified information schemes sort information into categories according to its confidentiality. Each category has a different level of information protection. Such categorization of information is one of the foundations of information security management. Each level (category) is defined by the rules for handling information and by the permissions to this data, i.e. only authorized persons can access and process this information. Information (or the documents or tools that contain it) that belongs to a certain category has to be clearly and appropriately marked so that there is no misunderstanding or discrepancy as to the level of classification.
What classified information schemes are there? What about practice?
Classified information schemes are defined at the level of states or international institutions; however, each company can follow its own classification. The ISO 27000 standard can serve as a useful guideline for setting up categories, including related processes. This standard says how to classify information according to its value, legal or other sensitivity, and the extent to which the information is critical for business operations. Neither the number of levels (categories) of classification nor the titles of these levels are specified (neither in the ISO 27000 standard nor anywhere else). The basic perspective of classified information schemes is the impact on the existence of the business or on its position in the market. Good practice shows that the most frequent and easiest form of classification sets out the following categories:
- Protected, Restricted
- Internal use
Such classification is sufficient for the majority of businesses; nevertheless, a more detailed classification into 4 categories is also very common:
- Internal use
Personal data protection is on the rise (see, for example, GDPR). Therefore, a new category for personal data is likely to be established, or personal data will enter the highest category of information protection.
At the national level, information is classified mainly according to the impact on national security. The following four levels of security are generally used:
- Top secret
The widest range (on which many other classifications are modeled) is the UK classification of data confidentiality:
- Top Secret (TS)
- Compartmented information