Do not risk being sued, know your information classification!
Stefan is attending a course on information security at his college. A friend of his, Erik, works in IT and is interested in the topic, so he asks Stefan some questions about it. Stefan is enthusiastic and thinks he can do even better: he uploads the lecture notes to a document-sharing platform for his friend. Weeks later Stefan is notified that he is accused of a copyright violation.
To avoid unpleasant surprises like this, students should know the basics of information classification. But what is information classification? It is the deliberate grouping of information into confidentiality categories, each of which defines who is allowed to access the information in it.
Since every institution needs to classify its data, the requirement has been standardized: ISO/IEC 27001 (Annex A) requires organizations to classify information, and the BSI-Standard 200-2 cited below describes how to do so. The standards prescribe the requirement rather than a fixed set of labels; one common scheme for classifying information into categories is the following:
- Public information is not confidential and may be released publicly.
- Internal information is meant only for employees (or students, as in the example above), and care should be taken about whom it is disclosed to.
- Restricted information should be available only to some employees, on a need-to-know basis. All employees should have an easy way to find out who is supposed to have access.
- Confidential information is generally restricted to a small circle of persons, for example senior management.
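The scheme above is only useful if something enforces it. The following is an added example, written for this page and not code from the authors or from any standard: it models the four levels as an ordered type, adds a need-to-know group list for Restricted and Confidential documents, answers the question "who is supposed to have access?" from the Restricted bullet, and checks whether a document may be released to a destination of a given classification. The people, groups and documents (Stefan, Erik, a professor, a dean, course notes, an exam draft, board minutes) are constructed sample data; the clearance-per-person model is an assumption of this example, not something the article prescribes.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Level(IntEnum):
    """Classification levels in ascending order of sensitivity, as listed above."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    # Groups with a need to know; only consulted from RESTRICTED upwards.
    need_to_know: frozenset = frozenset()


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Level  # highest level this person may read at all (assumed model)
    groups: frozenset = frozenset()


def may_read(who: Principal, doc: Document) -> bool:
    """Read check: no reading above one's clearance, plus need-to-know from RESTRICTED on."""
    if doc.level > who.clearance:
        return False
    if doc.level >= Level.RESTRICTED and not (who.groups & doc.need_to_know):
        return False
    return True


def may_release(doc: Document, destination: Level) -> bool:
    """Release check: a document may only be placed somewhere classified at least as strictly as itself.

    Uploading INTERNAL notes to a public platform is a release to PUBLIC and is refused.
    """
    return destination >= doc.level


def authorized_readers(doc: Document, people: Iterable[Principal]) -> set[str]:
    """Answer 'who is supposed to have access?' for a given document."""
    return {p.name for p in people if may_read(p, doc)}


# --- constructed sample data (hypothetical; not taken from the article) ---
COURSE_NOTES = Document("course notes", Level.INTERNAL)
EXAM_DRAFT = Document("exam draft", Level.RESTRICTED, frozenset({"faculty"}))
BOARD_MINUTES = Document("board minutes", Level.CONFIDENTIAL, frozenset({"senior-management"}))

STEFAN = Principal("stefan", Level.INTERNAL, frozenset({"students"}))
ERIK = Principal("erik", Level.PUBLIC)  # outsider: may only read public material
PROFESSOR = Principal("professor", Level.RESTRICTED, frozenset({"faculty"}))
DEAN = Principal("dean", Level.CONFIDENTIAL, frozenset({"faculty", "senior-management"}))
EVERYONE = [STEFAN, ERIK, PROFESSOR, DEAN]


if __name__ == "__main__":
    # Stefan may read the notes himself, but handing them to a public platform is refused.
    print("stefan may read notes:", may_read(STEFAN, COURSE_NOTES))
    print("notes may go to a public platform:", may_release(COURSE_NOTES, Level.PUBLIC))
    for doc in (COURSE_NOTES, EXAM_DRAFT, BOARD_MINUTES):
        print(f"{doc.name} ({doc.level.name}): {sorted(authorized_readers(doc, EVERYONE))}")
```

Two design points are worth noting. The need-to-know check is deliberately separate from the level check: the dean clears Confidential but still cannot read a Restricted exam draft unless she is in a listed group, which is what "on a need-to-know basis" means in practice. And the release check compares the destination's classification to the document's, so the decision does not depend on who is uploading; Stefan being entitled to read the notes does not entitle him to publish them.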
Private life, too, benefits from a more conscious approach to handling information, since carelessly revealing personal details can have far-reaching consequences.
For example, potential employers usually research their applicants. Unflattering pictures, such as drunk party photos, or posts voicing controversial opinions can make the difference between being invited to a job interview and having your application rejected. And because such records persist, this can hurt your chances years later, even if your opinion has changed since. So take a moment to decide whether fun party pictures should be published at all, or whether some topics are better not discussed in a public forum.
A more specific problem with revealing seemingly innocuous information without a second thought is social engineering. Attacks often start with social engineering, and the more information an attacker can gather in advance, the higher their chance of success. The names of coworkers are generally not considered secret. Nonetheless, names combined with details such as ranks and job descriptions let an attacker pose convincingly as a colleague on the phone and talk people into revealing internal information.
As shown, information that looks innocuous at first glance can become a problem. People use many different services nowadays and may not be fully aware of the sensitive traces they leave behind. Handling data with care is everyone's own responsibility.
If you are interested in the process of classifying information, especially in the context of institutions, have a look at the suggested reading below.
About the authors
Jonas Bachmann knows the importance of treating information carefully.
Kevin Pizarro studied computer science and likes to classify information.
BSI-Standard 200-2, section 5.1 "Klassifikation von Informationen" (Classification of Information), www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/standard_200_2.pdf