The Danger of Over-Classifying

Information security professionals can learn a lot from WikiLeaks.  It seems that there are always new lessons available to us every day.  One topic that came to light early in the release of the cables was that most of the information seemed rather trivial, which made it difficult to see why politicians were so upset over the incident. 

The Center for Public Integrity has an excellent piece on examples of over classifying data that is in fact trivial.  According to the Information Security Oversight Office report , the government spent $8.8 billion on safeguarding classified information.

“Over-classification is not in the interest of the government,” said Bosanko. “Finite resources are best deployed when they are focused on the information that truly requires protection.”

Over-classification a problem that creates inefficiencies, weakens accountability, and financially weakens an organization.  Some security professionals believe that security for the sake of security defines what security is.  This may be done to create perceived job security or because the individual believes it is the right thing to do.  If sometimes there is a temptation to label all data as the most important and critical for simplicity.  In the end this creates unnecessary expense in both equipment and personnel resources.  The proper thing for all security professionals to do is to deliver a customized solution that suits the customer or employer needs.

Security professionals should be aware of the organization’s operating objectives.  In an economic downturn this may mean under protecting some assets in favor of deploying finite resources to protect the organization’s critical areas.  Even in good times the security professional should accept that all businesses exist to provide benefits to the shareholders.  This includes government because the taxpayers are the equivalent of shareholders.

The security professional should be prepared to interact with various business unit heads to get their view of what is important.  Each department head or staff member will have their own opinions and these should be collected for senior management review.  Senior management with the assistance of the security professional will determine the appropriate level of protection needed for the organization’s data.  This may be driven by the sensitivity of the data or it may be a financially driven decision where a total budget number is given in the organization must find a way to secure the most critical information only.

Under the ISO 27,001 standard, "top management" should be involved in the security and risk decisions made by the organization.  The security professional should work with top management to find the best solution that suits the organization in terms of both costs and efficiency. Security professionals can increase their visibility and bring value to their organizations through partnering with upper management.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.