5. THEORETICAL FRAMEWORK
5.3 THE EVOLUTION FROM THE PERSPECTIVE OF THE MEN
A group of organizations, working on behalf of the United Kingdom’s then Department of Trade and Industry, produced a set of rules on information classification. These are called the unified classification markings, and the principle behind them is similar to that outlined above. The impact, however, is different and would reflect a different organizational culture as compared with that appropriate for the version set out above. The organization must choose a classification system that is suitable for itself, or develop one on the basis of the options set out in this book. Certainly, as these markings are widely known, they can be added to an internal classification when a document is passed outside the organization in order to help the recipient apply appropriate protection.
SEC1 is defined as information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient. This is routine information that an organization simply wishes to keep private. This classification may not need to be marked on information; it refers to the greater part of the organization’s information. This information is usually commercially valuable, and while SEC1 may be an appropriate classification in a low-risk business environment, there will be other business environments in which this may be too low a classification.
SEC2 is defined as information whose unauthorized disclosure (even within the organization) would cause significant harm to the interests of the organization. This would normally inflict harm by virtue of financial loss, loss of profitability or opportunity, embarrassment, or loss of reputation. Such information might include:
• negotiating positions;
• marketing information;
• competitor assessments;
• personnel information;
• customer information;
SEC3 information is defined as information whose unauthorized disclosure (even within the organization) would cause serious damage to the interests of the organization. It would normally inflict harm by causing serious financial loss, severe loss of profitability or of opportunity, grave embarrassment or loss of reputation. This information might include:
• details of major acquisitions, mergers or divestments;
• high-level business or competition strategy;
• very sensitive partner, competitor or vendor assessments;
• high-level business plans and scenarios;
• secret patent information;
• material with a UK government ‘confidential’ marking.
Information that is required, under the policy adopted by the organization, to be classified must be appropriately marked. This marking must appear wherever the information appears, be it on paper, cassette, disk, flipchart, film, microfiche, etc. Where information carries no classification, it is regarded as having no value.
When organizations are going to exchange information, they should ensure that each understands the other’s classification system. The ISO27001 organization will want to ensure that it has in place a methodology for applying to information received from a third party a classification that is in accordance with both the originator’s and its own system. No organization should under-protect another organization’s information; in circumstances where the receiving organization would classify particular information at a lower equivalent level than that applied by the originator, the recipient should apply a higher classification than it would to an internal document. Those companies that apply an SEC1 level of classification should make it clear to third-party organizations that this type of information is freely available within the organization; those organizations that do not even apply an SEC1 classification should make it clear to third parties that this sort of information is not handled securely.
Information does not always have to remain classified at the same level at all times. Statutory accounts, for instance, are confidential until they have been signed and filed at Companies House. The classification applied to them should be appropriately reviewed and the organization’s procedure should require originators to review the classification of key documents on a regular basis. Some information is sensitive only for a specified period. Where this is the case, the information should show the date beyond which it will no longer be sensitive. This is common practice with, for instance, press releases, which are usually sent out with a legend along the lines of ‘embargoed until 0000 hours on x day’.
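The two handling rules above (never under-protect a partner's information when mapping its markings onto your own SEC1–SEC3 scheme, and let time-limited markings lapse at their stated date) can be encoded so that the policy is applied consistently rather than case by case. The following is an added illustration, not code from the book or from any standard; the partner scheme in PARTNER_MAP is constructed for the example and would in practice be agreed between the two organizations before any exchange.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Optional


# Internal scheme from the text, ordered so a higher value means more sensitive.
class Level(IntEnum):
    UNCLASSIFIED = 0   # no marking: the text treats this as having no value
    SEC1 = 1
    SEC2 = 2
    SEC3 = 3


# Hypothetical partner markings -> internal equivalent (constructed for this example).
PARTNER_MAP = {
    "INTERNAL": Level.SEC1,
    "RESTRICTED": Level.SEC2,
    "CONFIDENTIAL": Level.SEC3,
}


@dataclass(frozen=True)
class Marking:
    level: Level
    embargo_until: Optional[datetime] = None   # the 'embargoed until ...' legend
    review_after: Optional[datetime] = None    # date by which the originator must re-review


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so dates in examples and tests are unambiguous (UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def classify_received(partner_label: str, own_assessment: Level) -> Level:
    """Level to apply to a document received from a partner organization.

    Never under-protect: apply the higher of the originator's equivalent level
    and the level the recipient would have assigned to an internal document.
    A marking outside the agreed mapping is an error, not a default downwards.
    """
    key = partner_label.strip().upper()
    if key not in PARTNER_MAP:
        raise ValueError(f"no agreed mapping for partner marking {partner_label!r}")
    return max(PARTNER_MAP[key], own_assessment)


def effective_level(marking: Marking, now: datetime) -> Level:
    """Time-limited sensitivity: once the embargo date has passed the marking lapses."""
    if marking.embargo_until is not None and now >= marking.embargo_until:
        return Level.UNCLASSIFIED
    return marking.level


def needs_review(marking: Marking, now: datetime) -> bool:
    """True when the originator's periodic review of this classification is due."""
    return marking.review_after is not None and now >= marking.review_after
```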
Organizations that handle a considerable amount of information that falls into the SEC2 or SEC3 categories should go to the BERR website and draw down a copy of the guidance entitled ‘Protecting business information – keeping it confidential’. This booklet is free and is in Adobe Acrobat format; it describes the unified classification markings and sets out, in more detail, actions that organizations should consider in respect of infrastructure, distribution of confidential information, siting of workstations and other issues. It is likely to be particularly useful to government organizations and to organizations dealing with government. For most other organizations, the summary set out in the section on information labelling and handling, below, will prove to be adequate.