Information classification assigns information to different categories based on its sensitivity. Both nations and many major corporations have sensitive information that gets classified, limiting its availability both within the organization and to the outside world.
A classification scheme is a method of organizing sensitive information into various access levels. Only a person with the approved level of access is allowed to view the information. This access is called clearance. Every organization has its own method of determining clearance levels. The methods usually include a background check, interviews, and a determination of the user’s need for the information. Most nations and many corporations have classification schemes set up to handle the organization and access of sensitive information.
“Need to know” is a major component in accessing sensitive information. The requester should not receive access just because of his or her clearance, position, or rank. The requester must also establish a justifiable need to see the information. Access should be granted only if the information is essential for the requester’s official duties. This further secures the information and reduces the risk of one rogue official with security clearance compromising sensitive information. This concept is also seen in computer access controls with the principle of least privilege.
Following the principle of least privilege, a computer user or program should have only the access needed to carry out its job. For example, a web server service may run as a nonadministrative user with access only to the web directories. If the program is compromised, the attacker has access to only a limited part of the system.
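The web server case above, as an added Python example (not code from the original text): it compares what a compromised service could reach when it runs as root versus as a dedicated nonadministrative account. The file inventory, the service account with uid/gid 33, and the `/var/www/` web root are constructed assumptions, and the check models only classic owner/group/other mode bits (no ACLs, capabilities, or parent-directory traversal).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int   # owning user id
    gid: int   # owning group id
    mode: int  # permission bits, as in os.stat().st_mode & 0o777


# Constructed sample inventory, not taken from a real host.
SAMPLE = [
    Entry("/var/www/html/index.html", 0, 33, 0o640),
    Entry("/var/www/html/uploads", 33, 33, 0o750),
    Entry("/etc/shadow", 0, 42, 0o640),
    Entry("/root/.ssh/id_ed25519", 0, 0, 0o600),
    Entry("/var/backups/db.sql", 0, 0, 0o666),  # misconfigured: world-writable
]


def access(entry, uid, gids):
    """Return the subset of 'rw' the account gets under POSIX mode bits."""
    if uid == 0:
        return "rw"  # root bypasses discretionary read/write checks
    if uid == entry.uid:
        bits = entry.mode >> 6   # owner triplet
    elif entry.gid in gids:
        bits = entry.mode >> 3   # group triplet
    else:
        bits = entry.mode        # other triplet
    return ("r" if bits & 4 else "") + ("w" if bits & 2 else "")


def exposure(entries, uid, gids, web_root="/var/www/"):
    """Map each path outside web_root that the account can read or write."""
    return {
        e.path: a
        for e in entries
        if not e.path.startswith(web_root) and (a := access(e, uid, gids))
    }


if __name__ == "__main__":
    print("as root:    ", exposure(SAMPLE, 0, {0}))
    print("as uid 33:  ", exposure(SAMPLE, 33, {33}))
```

Run against the sample, the root-owned service exposes every file, while the dedicated account reaches only the one world-writable backup, which is the kind of leftover permission a least-privilege review should catch.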
The United States government classifies sensitive information into four main categories based on the degree of damage that would occur to national security if the information were disclosed in an unauthorized manner. Individuals cleared for a particular classification level may access information at that level and below, provided that they have a specific need to know the particular information in question. The four classification levels used by the U.S. government are:
Unclassified information is included here for completeness of discussion. However, it is important to note that “unclassified” is not technically a classification level. It is a term used to describe information that does not meet the criteria to be classified. This may seem like a semantic nuance, but it’s an issue that often pops up on security certification exams.
Information may change classifications at any time, as circumstances warrant. Information that may have been deemed Confidential in 1992 may be considered Secret or even Top Secret today. Likewise, information that was of Top Secret importance in 1939 may no longer be sensitive enough to be classified at all.
The classification schemes used by private organizations vary widely but often share some elements with the government scheme. One commonly used approach to corporate classification has the following classification levels:
The Freedom of Information Act (FOIA) requires that the federal government disclose records to any private citizen or organization who requests them. Certain information, such as classified and CUI information, is exempt from these requests. This law applies only to federal documents, but many states have similar laws, sometimes referred to as “sunshine laws.”
Information is generally classified if disclosure could harm the controlling organization. Corporations classify information to try to keep a competitive advantage over other companies. A soup company, for example, may want to keep its recipes as trade secrets. A company that tests the strength of materials may want to keep its testing methodology proprietary. Governments want to classify any information that would damage their security, such as troop locations and movement, facility locations, and so on.
Declassification is the process used to move a classified document into the public domain. Every country and organization that classifies documents has a method of declassification. Let’s look at the U.S. model as a baseline.
There are four ways a U.S. government document can become declassified:
The U.S. Department of Commerce defines personally identifiable information (PII) as:
Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
This is usually sensitive information for a corporation and must be safeguarded. It is also information that is targeted for theft, as it is the key to identity theft. Protection of this information is mandated by numerous federal and state laws, and any security breaches must be disclosed in a timely manner. It is especially tightly controlled in the healthcare and financial industries.
This is any information that is covered by the Privacy Act of 1974. The act covers the collection, maintenance, and dissemination of PII inside the federal government. Information covered in this act includes Social Security numbers (SSN), payroll numbers, information on education, financial transactions, medical history, criminal history, and employment history. This information can be disclosed only with the written consent of the subject or if the use fits into one of the following exceptions:
It is important to remember that this act applies only to organizations inside the federal government. State government and private entities are not governed by the Privacy Act of 1974.
The National Institute of Standards and Technology (NIST) produces standards that are not only binding on U.S. government agencies but also useful to others designing and implementing cybersecurity programs. NIST Special Publication 800-53 (SP 800-53) is a lengthy document providing a set of security and privacy controls for protecting sensitive information.
Appendix J of that publication provides a robust look at privacy controls, organized into four major areas of concern:
For more information on these controls, refer to Appendix J of NIST SP 800-53.