13. The classification of information
The reason for the existence of the Information Security Program is to secure Company Information, but to protect something you need to know that it exists and what it is.

The reasons for classifying information are different and well-founded, despite this, it is still a relatively uncommon practice for reasons that are also understandable, which are however easily surmountable and well repaid by the benefits that Information classification brings to the Company:

 - know the information that the company possesses, where it is located and how it is used,

 - quantify the resources needed to efficiently protect and store Company information,

 - significantly reduce the risks of loss, theft or unauthorized disclosure of critical information.


There Information classification is a consistent categorization process in which they are used visual labels, physical for physical documents, digital for electronic ones (also metadata), based on predefined specifications and criteria.

There Information classification may derive from regulatory requirements (eg. GDPR, certifications such as PCI-DSS, ISO-27001) or the need to protect intellectual property (such as industrial secrets, research projects) or, the most common case, the need to simplify and make the Company's security strategy efficient.

The amount of information that is produced increases by 40% every year: managing, storing and protecting them is expensive and increasingly complex.

Not all information is of equal importance for the company, both in terms of necessary protection and conservation over time.

The important information they must be protected and preserved better than the unimportant ones, while those no longer necessary that generate costs and risks for the Company must be eliminated safely and with the appropriate methods.

There Information classification responds to these needs.

To put the Information classification and defining the most suitable categories there are some key questions that need to be answered:

 - What types of information are there? (databases, tables, files, emails, images, documents?)

 - Where is the Information located? (on personal devices, on network shares, on the database, in the cloud, from suppliers)?

 - What is the critical information for the company?

 - Who has access to what information?

 - In which processes, internal and external to the company, are they used?

 - How long should they be kept?

The simplest classification scheme adopted by the majority of companies provides 3 categories:

: document for public use, no restrictions (e.g. product sheets, advertising material, job offers, etc.)

 - Impacts if disseminated improperly: nobody

 - Security measures: none

INTERNAL: document for internal use, must not be distributed externally except under specific conditions (eg strategic plans, budget forecasts, development projects, etc.)

 - Impacts if disseminated improperly: loss of competitive advantage, reputational damage

 - Security measures: training, encryption, DLP (data loss prevention), monitoring, reporting, audit

RESERVED: document with restricted access, accessed only with authorization, must not be distributed externally unless specifically authorized conditions (eg personal data, customers, payment data, sensitive database data, etc.).

 - Impacts if disseminated improperly: penalties, loss of customers, reputational damage

 - Security measures: training, encryption, DLP (data loss prevention), monitoring, reporting, audit

Companies that operate in highly critical situations should automate the Information classification integrating it with the security systems that notify and intervene when situations in contrast with company rules occur (Data Loss Prevention - DLP), such as attempts to send by e-mail or copy of protected documents, unauthorized access attempts.

The operational reality and the security needs of the Company determine the choice of the appropriate level of the?Data Security and Control? which integrates the Security Program of Information coordinated by Fractional CISO.



           to. Discovery / Inventory of Information

           b. Classification



           to. Extraction of information attributes (metadata)

           b. Dynamic use of metadata to protect information


           to. Control of access to information

           b. Monitoring of the use of information to detect any abuse

           c. Data disposal when the company no longer needs it

           d. "Obfuscation" of information with encryption to protect them in case of theft.