A February 2003 SANS whitepaper by Susan Fowler, titled “Information Classification: Who, Why, and How”, explores the questions surrounding information classification.
Why is Information Classification needed?
- not all information has the same value
- not everything needs to be protected (or restricted) in the same way
- to gain clarity on the importance of a particular byte of information
- to create clarity on access controls for each bit of information
How is Information Classification implemented?
1. Identify all information sources
2. Identify information classes
3. Identify information protection methods
4. Map information protection methods to information classes
5. Classify information
Who requires their information to be classified?
- Legal entities
- The Military
- Businesses and the Private Sector
Reference:
Fowler, S. (2003). Information Classification: Who, Why, and How. Retrieved from https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846