Before we delve into the subject of this article, it is worth reflecting on something important, illustrated in the image below:
I love this illustration because, despite its simplicity, it conveys a lot of information. Shall we expand on it?
Every business, in its value chain, generates and processes information all the time, which can be found in reports, indicators, projects, financial statements, budgets, contracts, source code – the examples are countless.
To ensure the security of this information, we need to strike a balance between the three pillars: People, Processes, and Technology. To illustrate this balance, consider a Project Manager consolidating the status report of vulnerabilities identified in a penetration test conducted by a contracted third-party company. Because of the sensitivity of the information in this report, it should only be accessible to those responsible for the systems involved in the tests, stored in authorized corporate locations, and sent to stakeholders only through encrypted means. But how do we know this? What can guide us, in our daily routines, on how this information should be handled and protected?
The answer lies in Information Classification. As ABNT/NBR 27002:2022 itself states (page 27, section 5.12, Information Classification), the purpose of classification is:
[...] Ensure the identification and understanding of information protection needs according to their importance to the organization [...]
Knowing this, let us revisit the fictional scenario we outlined. Assuming that the company where the Project Manager works has a section in its Information Classification Policy with the descriptors below, how would you classify the vulnerability status report?
Digital Format

| Usage | Confidential | Internal | Restricted |
| --- | --- | --- | --- |
| Access | Information can be accessed by a specific group of people | Information can be accessed by all employees of the organization | Information can be accessed by all team members |
| Transmission | It must be transmitted to the specific group of people only through encrypted means | It must be transmitted to all employees only through encrypted means | It should be transmitted to team members only through encrypted means |
| Storage | It can be stored only in the restricted corporate SharePoint accessible to the specific group of people | It can be stored, for example, in the company's document and intranet systems | It can be stored exclusively in the corporate SharePoint restricted to members of your team |
| Disposal | It must be securely removed using the "XYZ" software | It can be removed using the standard operating system procedure | It should be securely removed using the "XYZ" software |
| Impact | If the information is accessed by unauthorized individuals, whether accidentally or intentionally, it can result in financial, operational, reputational, legal, and security impacts for the company | If the information is accessed by unauthorized individuals, whether accidentally or intentionally, it can have legal and reputational impacts on the company | If the information is accessed by unauthorized individuals, whether accidentally or intentionally, it can cause operational, reputational, legal, and security impacts on the company |
| Examples | Health data, regulated data, financial statements, strategic planning, testing and analysis reports | Announcements, informative materials, and policy, process, norm, and procedure documents | Projects, indicators, meeting minutes |
.......
If you answered 'Confidential,' you got it right.
Since the report is intended for a specific group of people, the Project Manager, after presenting it to the system owners, should classify both the email used to send it and the report file itself as Confidential. Assuming that the fictional company in question uses Microsoft solutions, the label would look something like this in the email and on the file:
This way, no one other than the system owners will be able to access the file in the SharePoint location from which it was shared. Furthermore, by labeling the email as 'Confidential,' the behavior behind the scenes is that the email is encrypted.
How beautiful is that?
Obviously, the technology behind the example I gave, Microsoft Purview (chosen here for didactic purposes), makes things much easier. Still, it's clear that it can be done without robust technologies. It might be more laborious, but the message I want to convey is that, regardless of how it is implemented, your company needs an information classification policy and process to ensure that information is handled securely throughout its life cycle.
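Whether or not a labeling product is in place, the handling matrix above can be expressed as a small policy-as-code check that audits handling events (storage location, transmission channel, disposal method) against each classification. This is an added example, not code from the original article or from any Microsoft product; the location and tool identifiers and the sample events are constructed placeholders.

```python
from dataclasses import dataclass

# Handling rules transcribed from the classification matrix above. Location and
# tool identifiers are constructed placeholders, not real system names.
POLICY = {
    "Confidential": {"storage": {"sharepoint-restricted-group"}, "disposal": "secure-wipe-xyz"},
    "Internal": {"storage": {"sharepoint-company", "intranet", "dms"}, "disposal": "os-standard-delete"},
    "Restricted": {"storage": {"sharepoint-team"}, "disposal": "secure-wipe-xyz"},
}

@dataclass(frozen=True)
class HandlingEvent:
    label: str               # classification applied to the asset
    action: str              # "store", "transmit" or "dispose"
    detail: str              # storage location, transmission channel or disposal method
    encrypted: bool = False  # only meaningful for "transmit"

def check_event(ev: HandlingEvent):
    """Return a violation message, or None when the event complies with the matrix."""
    rules = POLICY.get(ev.label)
    if rules is None:
        return f"unknown classification label '{ev.label}'"
    if ev.action == "store" and ev.detail not in rules["storage"]:
        return f"{ev.label} data stored in unauthorized location '{ev.detail}'"
    # Every class in the matrix requires encrypted transmission.
    if ev.action == "transmit" and not ev.encrypted:
        return f"{ev.label} data transmitted unencrypted via '{ev.detail}'"
    if ev.action == "dispose" and ev.detail != rules["disposal"]:
        return f"{ev.label} data disposed with '{ev.detail}', policy requires '{rules['disposal']}'"
    return None

def audit(events):
    """Evaluate a batch of handling events and return only the violations."""
    return [v for v in map(check_event, events) if v is not None]

# Constructed sample events around the pentest status report from the article.
SAMPLE_EVENTS = [
    HandlingEvent("Confidential", "store", "sharepoint-restricted-group"),
    HandlingEvent("Confidential", "transmit", "email", encrypted=True),
    HandlingEvent("Confidential", "transmit", "email"),           # unencrypted: violation
    HandlingEvent("Confidential", "store", "personal-onedrive"),  # violation
    HandlingEvent("Internal", "dispose", "os-standard-delete"),
    HandlingEvent("Restricted", "dispose", "os-standard-delete"), # violation
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_EVENTS):
        print("VIOLATION:", violation)
```

Running the block reports the three non-compliant events; the same rules table can be fed from a DLP or audit log instead of the constructed list.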
For more details on the topic, I recommend consulting the references below:
ABNT/NBR 27002:2022
5.12 - Information classification
5.13 - Information labeling
5.14 - Information transfer
CIS Control 3 - Data Protection
NIST - CSF
ID.AM-5
PR.PT-2
= )