Protection of Information Bill and its Practicality relating to Information Classification

A bill was passed in the South African parliament today [search Twitter for #POIB or #blacktuesday] which will effectively make it a criminal offence to possess and publish classified information (I wonder if that includes those who are responsible for managing it?). While it hasn’t become law just yet (the bill must still be approved next year), journalists are spelling the end of freedom of speech in the country, which is indeed a very concerning thought.

There are many legal, moral and ethical wars relating to this proposed law going on, but I wonder what the practical ramifications will be, and whether Government will get what they want, or the exact opposite?

Many organisations struggle with the process of identifying, classifying and securing information, so we can expect a government to have a far greater challenge at hand due to its complexity and sheer volume of information. Government processes and systems are often behind those of cutting-edge blue-chip firms, so there is likely to be a wealth of physical, disparate and unstructured information to deal with. The easy choice (either from a KYA or practical perspective) is to deem all information as classified, and indeed I have heard this suggested in organisations too.

This is impractical, as the basis for classifying information is to ensure that more sensitive and confidential information is better managed and controlled, and thus less likely to fall into the hands of those that shouldn’t have it. Making everything classified allows more people access to the information asset, and is likely to lead to unsustainable or expensive controls.

The net result in this scenario is that it could be harder to implement the Law, as it is easier to get (and leak) the information, resulting in the opposite of what Government is trying to achieve. Throw social media and the relative anonymity of the Internet into the equation, and I struggle to see how this Law can be successful in muzzling those that wish to seek and share information that (insert your political or moral objective here). This should be an interesting item to watch.

As an aside, I am not for the Bill – the pragmatic view is that there will always be confidential information that should remain confidential outside a select few, but in the spirit of democracy and in the interests of a country you need to have avenues to expose information that citizens need in order to make accurate decisions about future leadership. As with any information classification process, one must ask ‘what is the value of the asset, and what risk are we trying to manage?’ (and perhaps in this case, who stands to benefit?)


LINK: Great blog post on security risk management

A post after my own heart. We need to take a step back and look at the bigger picture when it comes to risk management. What is important, what can go wrong, how can it go wrong, who can make it go wrong? Is it really important? What is the method, motivation and opportunity? Very good read!

Information Class-ed-ification

A poll of information security practitioners might suggest that Information Classification is a task that we all talk about, but that is operationally not feasible in highly complex environments. Based on the apparent practical difficulties in implementing such a policy, it is not uncommon for organisations to try to work around this, leaving the draft document to gather dust.

Some of the challenges include:

• Getting people in the business (that understand the information and understand the risks to the information) together to classify information.

• Forcing the myriad of business information into categories such as Classified, Public, Internal, or other.

• Identifying and tagging information based on classification.

• Monitoring a control environment that spans systems, physical locations and nearly every nook and cranny of a business.

I tend to disagree with this approach. The classification of information (i.e. one of the organisation’s key assets) is a fundamental step in determining the risks related to information, and determines the types and levels of control that need to be implemented to adequately protect the information. Everything else hinges on understanding this principle, from implementing layered security, pulling this together into a logical architecture, to preparing for future threats in our changing landscape. If an organisation has a clear understanding of what information they have, who uses it, where it is stored and processed, and what its value is, then the control environment fits properly over and around the people, processes and systems that manage the information. New threats are then exactly that – threats that present different attack vectors that can be more easily identified and lend themselves to a (more) quantifiable assessment of risk.

Without a proper information classification process, the following risks become apparent:

• Unsustainable controls: There could be a mismatch between the strength of the controls and the value of the information. Stronger controls require more resources and cost more, so this could mean security budgets are misdirected, or highly sensitive information is not adequately protected.

o In the above scenario, what could also happen is that too much information is pushed into the ‘highly sensitive’ category, which requires these stronger controls. Over time these will become unsustainable and could deteriorate. For example, if all databases were in this classification, then all system, application and database administrators may require the top level of access (we know they don’t, but they are sometimes very good at justifying they do!). This results in no segregation between types of information, which is pointless. You may as well have few controls that allow the same level of access (which still present a high level of risk of course).

• Silos of controls: Regulation is hitting businesses from all angles. Due to time pressures (or pressures from different parts of the business – legal, clients, COOs) a bottom-up approach to plugging the gaps might be forced. This could result in a siloed approach to implementing controls. The net result could be layering controls over the same type of information, no single view of what is happening (making monitoring difficult), and in general simply resource wastage.

I would take this problem a step further. In many cases it is difficult to define and implement a security policy without a clear indication of what the business is trying to achieve in the relevant area. Social media is a good example – how you best manage the associated risks will largely depend on the business drivers and strategic objectives relating to social media and networking. So to provide context to an Information Classification policy, there should be an overarching information management strategy. The organisation needs to first define the what, why, who, how, when and where of information, as well as other principles (avoiding duplication, making information accessible to the right people at the right time, etc.), before they can determine how best to secure this information. How many organisations have such a policy or strategy document?

As a starting point – instead of trying to classify information based on sensitivity (as per a typical information classification policy), first identify the information based on categories such as those below:

• Transactional

• Employee

• Client Information

• Business strategy

• Marketing

• Financial (reports)

• Risk issues and controls (e.g. audit reports, incidents)

Then devise a set of controls that can be mapped to these types of information. If the correct controls are designed and implemented, then the most sensitive information will naturally have stronger controls in place. This top-down approach can help with regulatory requirements, i.e. one can define requirements for PCI, POPI, NDA, etc. and then apply these requirements to the ‘client information’ set (or whatever the case may be).

My last point on this is that I believe the top-down approach lends itself to the collaborative risk management and assurance approach, as there is always a ‘big picture’ to start with, and the goals and objectives of each team (InfoSec, Operational Risk, Audit, Privacy, etc.) become clearer. Reporting on this overall process will be easier and more tangible, increasing your chances of board-room understanding and buy-in.