What is information classification and how critical it has become with LGPD
Do you know what information classification is? No? Curiously, this concept is one of the oldest and most structural in the field of information security, and it was applied even before computers became popular and documents began migrating to electronic media. And because it is an ignored or undervalued practice, cyber incidents are still a frequent occurrence in our country.
There are not many secrets here: information classification is, as its name suggests, the act of classifying the level of confidentiality of any piece of information that is created, stored, and/or handled by company employees. While this classification can be done any way you like, we provide excellent classification guidelines, in accordance with the ISO 27001 standard.
Basically, the first thing to do is to map your assets; in other words, discover and inventory all the information that exists in your environment. Then carry out the classification using whatever level structure suits you best. The best-known scheme divides information into four levels, which are, in decreasing order of sensitivity: Confidential, Restricted, Internal Use, and Public.
Following ISO 27001, once classification is done, the information must be labeled, i.e. given a "marker", be it a sticker on a physical report or a tag in the title of a Word document. Finally, rules must be defined for how each type of information is to be handled. This is the most complicated step, since it involves creating handling rules and establishing access privileges.
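The four steps above (inventory, classify, label, define handling and access rules) as an added Python example, not code from the original article. The four levels are the ones named on this page; the handling rules, the role clearances and the sample inventory are assumptions constructed for the example, not taken from ISO 27001 or the LGPD.

```python
from dataclasses import dataclass
from enum import IntEnum
# The four levels named on this page; higher value = more sensitive, so a
# clearance can be compared to a level with a plain >=.
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL_USE = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3

# Processing rules per level: a hypothetical policy for this example only.
HANDLING = {
    Level.PUBLIC:       {"encrypt_at_rest": False, "external_sharing": True},
    Level.INTERNAL_USE: {"encrypt_at_rest": False, "external_sharing": False},
    Level.RESTRICTED:   {"encrypt_at_rest": True,  "external_sharing": False},
    Level.CONFIDENTIAL: {"encrypt_at_rest": True,  "external_sharing": False},
}

@dataclass
class Asset:
    title: str
    personal_data: bool            # holds personal data in the LGPD sense
    level: "Level | None" = None   # None: inventoried but never classified

def unclassified(inventory):
    """Step 1 check: inventoried assets that nobody has classified yet."""
    return [a.title for a in inventory if a.level is None]

def classify(asset, level):
    """Step 2: record a level; personal data may never sit below Restricted."""
    if asset.personal_data and level < Level.RESTRICTED:
        raise ValueError(f"{asset.title}: personal data cannot be {level.name}")
    asset.level = level
    return asset

def label(asset):
    """Step 3: the 'marker', here a tag in the document title."""
    if asset.level is None:
        raise ValueError(f"{asset.title}: classify before labelling")
    return f"[{asset.level.name}] {asset.title}"

def can_access(clearance, asset):
    """Step 4: access rule; unclassified assets are refused (fail closed)."""
    return asset.level is not None and clearance >= asset.level

# Constructed sample inventory (not real data): one asset was "forgotten".
INVENTORY = [
    Asset("Customer CPF export", personal_data=True),
    Asset("Press release", personal_data=False, level=Level.PUBLIC),
]
```

Running `unclassified(INVENTORY)` first surfaces the forgotten customer export; only after `classify` has assigned a level will `label` and `can_access` accept it.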
Problem Solved
Have you realized how crucial information classification is? It is at the center of any Information Security Policy, as it addresses the main problems regarding the storing and processing of sensitive data in the corporate environment. Some of the advantages of having an information classification system are:
- Proper mapping of all the information assets, preventing, for example, that personal data collected from your customers is accidentally "forgotten";
- Creating a standardized identification system to label the level of confidentiality of a piece of information, supporting protection processes and post-incident actions;
- Establishing access rules and handling privileges, ensuring that only the appropriate individuals can handle highly sensitive information.
The lack of data mapping often leads to information loss or to non-compliance with data protection legislation, such as the General Data Protection Law (LGPD). It is impossible to properly protect what you do not see or do not even know exists.
Similarly, the lack of a strict access privilege policy is the reason why there are so many data leaks, especially from malicious insiders ("corrupt" employees who manage to access classified information without a legitimate need or the required level of trust). In other words, we are talking about two problems that need to be addressed to ensure compliance with the Brazilian privacy standard.
The role of awareness
Obviously, user awareness plays an important role in information classification. It is crucial that everyone in a company — from top to bottom — be aware of the classification system: its levels, its handling rules, and its importance for building a corporate privacy culture. Only then will what you have defined on paper be effectively followed in practice.