Information Classification: Who, Why, and How


A February 2003 SANS whitepaper by Susan Fowler, titled “Information Classification: Who, Why, and How”, explores the questions surrounding information classification.

Why is Information Classification needed?

  • not all information has the same value
  • not everything needs to be protected (or restricted) in the same way
  • to gain clarity on the importance of a particular byte of information
  • to create clarity on access controls for each bit of information

How is Information Classification implemented?

1. Identify all information sources

2. Identify information classes

3. Identify information protection methods

4. Map information protection methods to information classes

5. Classify information
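
The five steps above worked through as a small gap check; this is an added illustration, not code or data from the whitepaper. It assumes a source takes the highest class of anything it holds and that data of an unknown category is treated as the most sensitive class. The class names, controls, data categories and inventory are all constructed assumptions.

```python
# Added example: class names, controls, categories and inventory are constructed.
CLASSES = ["public", "internal", "confidential"]  # step 2, least to most sensitive

# Steps 3-4: protection methods required for each information class.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption_at_rest", "audit_logging"},
}

# Class assigned to each kind of data a source may hold.
CATEGORY_CLASS = {
    "press_release": "public",
    "org_chart": "internal",
    "payroll": "confidential",
}

# Step 1: inventory of sources, the data they hold and the controls in place.
INVENTORY = [
    {"name": "website-cms", "holds": ["press_release"], "controls": set()},
    {"name": "hr-share", "holds": ["org_chart", "payroll"],
     "controls": {"access_control"}},
    {"name": "legacy-ftp", "holds": ["scan_0412"], "controls": set()},
]


def classify(holds):
    """Step 5: return the highest class of anything the source holds.

    Unknown categories, and sources with no known contents, are treated
    as the most sensitive class until someone reviews them.
    """
    top = CLASSES[-1]
    ranks = [CLASSES.index(CATEGORY_CLASS.get(c, top)) for c in holds]
    return CLASSES[max(ranks)] if ranks else top


def gap_report(inventory):
    """Return {source name: (class, sorted list of missing controls)}."""
    report = {}
    for src in inventory:
        cls = classify(src["holds"])
        missing = REQUIRED_CONTROLS[cls] - src["controls"]
        report[src["name"]] = (cls, sorted(missing))
    return report


if __name__ == "__main__":
    for name, (cls, missing) in gap_report(INVENTORY).items():
        print(f"{name:12} {cls:13} missing: {', '.join(missing) or 'none'}")
```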

Who requires their information to be classified?

  • Legal entities
  • The Military
  • Businesses and the Private Sector

Reference:

Fowler, S. (2003). Information Classification: Who, Why, and How. Retrieved from https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846