Information classification and security: a practical guide

No matter your organisation size, knowing how to manage digital information will help you reduce risks and meet legal obligations.

In the digital world, managing and classifying information effectively is key to keeping your organisation’s information safe and accessible. Whether you work in a small not-for-profit (NFP) or a larger organisation, knowing how to manage digital information will help you reduce risks and meet legal obligations. 

This guide will explain the basics of information classification and security. We will explain the CIA Triad (Confidentiality, Integrity, and Availability) as a model for guiding cybersecurity practices for securing sensitive information and protecting critical systems. You will learn that a comprehensive information security strategy includes policies and controls that minimise threats to these three crucial components. We also review why backups and retention are important for business continuity.

The CIA triad: the three pillars of information security

You can follow the CIA Triad model to keep your digital information safe. This stands for Confidentiality, Integrity, and Availability. 

  1. Confidentiality: This means ensuring that only the right people can access sensitive information. You can use tools like passwords, encryption, and multi-factor authentication (MFA). For example, you might need MFA to access your organisation’s financial system to prevent unauthorised people from seeing or changing financial records.
  2. Integrity: Integrity ensures that your information is accurate and hasn’t been changed by mistake or by someone who doesn’t have the right to change it. Tools like encryption or digital signatures help protect information from tampering. For instance, if you run a website, you want to ensure that its information is reliable and hasn’t been altered by a hacker.
  3. Availability: Availability means that your information is accessible when people need it. You should ensure that your organisation has backup systems in place to recover information if there’s a hardware failure, cyber-attack, or natural disaster. Without availability, even the most protected information is useless if people can’t access it.

Non-repudiation is a related concept used when verifying integrity: it means that something cannot be repudiated, or denied, after the fact. In security terms, it ensures that a user cannot deny having performed a transaction.
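As an added example of the integrity pillar (this code is not part of the guide), the block below seals a record with a keyed hash (HMAC-SHA256 from the Python standard library) and shows that a later change to the record, or a tag made with a different key, fails verification. The key and the invoice record are constructed for the demonstration. Note the caveat the guide's mention of digital signatures points at: because an HMAC key is shared by everyone who can verify, it proves the record was not altered but not who sealed it, so it gives integrity without non-repudiation; a digital signature made with a private key is what adds the non-repudiation property.

```python
"""Added example (not from the guide): detecting tampering with a keyed hash.
The key and the invoice record are constructed for the demonstration."""
import hashlib
import hmac
import json


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so identical content gives identical bytes,
    regardless of key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> str:
    """Produce an integrity tag (HMAC-SHA256) over the canonical record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; any change to the
    record, or a tag made with a different key, fails."""
    return hmac.compare_digest(seal(record, key), tag)


# Constructed values: a real key would come from a secrets store, not source code.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
ORIGINAL_RECORD = {"invoice": "INV-0001", "amount": 250.0, "payee": "Example Supplier"}


def tamper_demo() -> tuple:
    """Seal the original record, then try to verify an altered copy against the
    original tag. Returns (original_ok, altered_ok)."""
    tag = seal(ORIGINAL_RECORD, DEMO_KEY)
    altered = dict(ORIGINAL_RECORD, amount=2500.0)  # the tampered copy
    return verify(ORIGINAL_RECORD, tag, DEMO_KEY), verify(altered, tag, DEMO_KEY)


if __name__ == "__main__":
    print(tamper_demo())  # (True, False)
```

Storing the tag alongside the record (or in a separate, access-restricted log) lets a later review detect silent edits to financial records or website content, which is the failure the integrity pillar is about.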

What is information security and why is it important?

Information security is all about storing, organising, and protecting information so that you can easily find and use it. If your organisation doesn’t manage information well, it could lose important information or fail to keep it safe. That could cause reputational damage, expose sensitive information in a way that puts marginalised people at risk, and lead to fines or legal problems.

Good information security doesn’t just rely on technology; it also involves building capabilities in your team so that everyone understands how to handle information safely and efficiently. For example, your team might need training on accessing the information they need without accidentally viewing or sharing anything confidential.

Information classification: what is it, and why does it matter?

Information classification is a way of organising information based on its sensitivity or importance. This helps you decide who should be allowed to access certain information and how it should be stored. 

Your organisation might use four common categories to classify information:

  • Confidential: information that needs the highest level of protection, like personal details, financial records, or health information.
  • Sensitive: information that could cause risks if mishandled, like employee details, internal project plans, or business strategies.
  • Internal use: information that your team needs to do their work but doesn’t require the same level of protection as confidential information.
  • Public: information that can be shared with anyone, like information on your website or social media posts.

Classifying your information makes it easier to apply the right level of protection. This way, you can ensure that important information is kept safe, while still allowing people to access the information they need to do their work.

Building your organisation’s capabilities

When thinking about how to manage information securely, it’s not just about the technology. Your organisation also needs to build the right skills and knowledge in your team. This means training your staff to handle information appropriately and making sure they know what to do if something goes wrong, like an information breach. 

By building your team’s capability, you’ll be able to protect your information while making sure it’s still easy to access when needed.

Getting started with information classification in your organisation

Implementing an information classification system may seem daunting at first, but following these simple steps can help your organisation classify information effectively and strengthen your overall information security.

1. Identify all data sources

Begin by identifying all the different places where your organisation collects and stores information. These sources could include databases, cloud storage, email systems, customer relationship management (CRM) tools, and even physical documents that may later be digitised. Understanding where your information comes from and how it is stored is the first step to making sure it is properly classified and secured.

2. Identify and categorise your information

Identify the types of information your organisation handles. This might include personal information, financial records, internal communications, or client information. Once you’ve mapped out your information, sort it into categories such as:

  • Confidential: Information that could cause harm if accessed by the wrong people (e.g., financial records, personal information, health information).
  • Sensitive: Information that is not classified as confidential but could still cause harm if mishandled. Sensitive information might include employee information (like performance reviews), internal project plans, or business strategies. While not as tightly controlled as confidential information, sensitive information should still be protected with strong security measures.
  • Internal use: Information that your team needs to do their work but doesn’t require the strictest level of protection. For example, internal emails, team calendars, or non-sensitive documents that are for staff use only.
  • Public: Information that can be shared openly, like marketing materials or press releases.

3. Define access levels

For each category, decide who needs access to the information. For example:

  • Confidential information should only be accessed by authorised personnel, such as senior management or HR.
  • Internal use information might be shared across your team, but you may want to restrict access to specific folders or systems based on each employee’s role.
  • Public information can be accessed by anyone inside or outside your organisation.

4. Implement security measures

Once you’ve classified your information, you may want to consider putting some security measures in place for each category, such as:

  • Using encryption and strong passwords to protect confidential information.
  • Setting up MFA to add an extra layer of security for accessing sensitive information.
  • Limiting the number of people who can access confidential and internal use information.

5. Develop an information classification policy

Write a clear and simple information classification policy that explains the categories you’ve created, who can access the information, and the security measures you’ve implemented. This policy should be easy for your team to understand and follow.

6. Train your team

Train your staff on the new information classification system so they know how to handle and protect information appropriately. Ensure everyone understands the importance of classifying information and what actions they need to take to keep information secure.

7. Monitor and review

Regularly review your information classification system to ensure it’s still working effectively. Over time, you may need to adjust your categories or policies as your organisation’s needs change or new information types are created.

Following these steps, you can start building an information classification system that helps your organisation protect its information and improve security. 
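The steps above can be turned into a small, checkable policy. The following Python block is an added example, not part of the guide: it encodes the four categories as an ordered scale (step 2), gives each role a clearance (step 3), lists the controls that must be in place before a record at each level is served (step 4), and audits a constructed inventory (steps 1 and 7). The role names, the clearance each role holds, the keyword rules and the control names are assumptions made for this example; a real policy document would list them explicitly.

```python
"""Added example (not part of the guide): a small policy checker that turns the
guide's steps 2 to 4 into code. Role names, the clearance each role holds and
the control list per level are constructed assumptions for this example."""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """The guide's four categories, ordered so a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    CONFIDENTIAL = 3


# Step 3: highest classification each role may read (hypothetical roles).
ROLE_CLEARANCE = {
    "external": Classification.PUBLIC,
    "volunteer": Classification.INTERNAL,
    "staff": Classification.SENSITIVE,
    "hr": Classification.CONFIDENTIAL,
    "senior_management": Classification.CONFIDENTIAL,
}

# Step 4: controls that must be in place before a record at this level is served.
REQUIRED_CONTROLS = {
    Classification.PUBLIC: set(),
    Classification.INTERNAL: {"strong_password", "role_restricted_folder"},
    Classification.SENSITIVE: {"strong_password", "role_restricted_folder", "mfa"},
    Classification.CONFIDENTIAL: {"strong_password", "role_restricted_folder",
                                  "mfa", "encryption_at_rest"},
}

# Step 2: keyword rules, most sensitive first so a record matching two rules
# gets the stricter label. Keywords are constructed for this example.
CLASSIFICATION_RULES = [
    (Classification.CONFIDENTIAL, ("financial", "health", "personal")),
    (Classification.SENSITIVE, ("performance review", "project plan", "strategy")),
    (Classification.INTERNAL, ("calendar", "internal email", "staff notice")),
    (Classification.PUBLIC, ("press release", "marketing", "website")),
]


@dataclass(frozen=True)
class Record:
    name: str
    classification: Classification


def classify(record_type: str) -> Classification:
    """Map a description of a data type to a category.

    Anything the rules do not recognise defaults to SENSITIVE: an unclassified
    record should fail towards more protection until someone reviews it."""
    text = record_type.lower()
    for level, keywords in CLASSIFICATION_RULES:
        if any(k in text for k in keywords):
            return level
    return Classification.SENSITIVE


def can_access(role: str, record: Record) -> bool:
    """Step 3: a role may read a record only if its clearance meets the level.
    Unknown roles are treated as outsiders, who may see public material only."""
    clearance = ROLE_CLEARANCE.get(role, Classification.PUBLIC)
    return clearance >= record.classification


def access_decision(role: str, record: Record, controls_in_place: set) -> tuple:
    """Steps 3 and 4 together: access is granted only if the role is cleared
    AND every control required at that level is in place.
    Returns (allowed, missing_controls) so a reviewer can see what to fix."""
    missing = set(REQUIRED_CONTROLS[record.classification]) - controls_in_place
    return (can_access(role, record) and not missing, missing)


def audit_inventory(inventory, role: str, controls_in_place: set) -> dict:
    """Step 7: review every record in the inventory for one role."""
    return {r.name: access_decision(role, r, controls_in_place) for r in inventory}


# Step 1: a constructed inventory of data sources for a small organisation.
SAMPLE_INVENTORY = [
    Record("donor payment ledger", classify("financial records")),
    Record("staff performance reviews", classify("performance review")),
    Record("team calendar", classify("team calendar")),
    Record("annual report PDF", classify("website download")),
    Record("legacy CSV export", classify("old export")),  # unrecognised -> SENSITIVE
]

if __name__ == "__main__":
    in_place = {"strong_password", "role_restricted_folder", "mfa"}
    for name, (ok, missing) in audit_inventory(SAMPLE_INVENTORY, "hr", in_place).items():
        print(f"{name:28} allowed={ok!s:5} missing={sorted(missing)}")
```

Two design choices are worth copying into a real policy even if the code is not: unrecognised data types default to a protective level rather than to "internal use", and an access decision reports which required control is missing, so the step 7 review produces a concrete to-do list (for instance, "encryption at rest not yet applied to the donor ledger") instead of a bare yes or no.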

Final thoughts

Digital information management and information classification might seem complicated, but with the right processes, you can keep your organisation’s information safe, accessible, and organised. By using the CIA Triad and understanding the difference between backup and retention, you’ll be able to build a solid foundation for your organisation’s information security. Don’t forget to consider any sector-specific requirements that apply to your work, and make sure you equip your team with the skills they need to manage information correctly.