
Information classification - information labelling and handling

Subject: Information classification - information labelling and handling
Date: Mon, 1 Nov 2004 12:05:46 +0200
I am working on an information classification pilot project at a
client.  The client wishes to develop a methodology for information
classification, and pilot this within a specific business unit. 
Previous phases of the project have addressed:
- Business activity analysis and information asset identification
- Legal and regulatory analysis (imposes a set of requirements on
information classification)
- Business impact analysis (to identify and prioritise the key
information assets for protection)
- Information classification (applying a consistent information
classification scheme to information assets)

In a month or so we'll be kicking off the information labelling and
handling phase of the project.

This will deliver a set of standards and procedures for implementation
in the pilot business unit, covering:
- Physical and electronic information
- Information storage
- Information transmission
- Access rights management, restriction and disclosure
- Retention and disposal

I am looking for:
- Good, practical reference material and sample documentation covering
the above aspects.
- Discussions of tradeoffs around information classification
- Products which can enforce / assist with information classification
(not determining the particular classification levels, but rather
enforcement of these levels, e.g. Microsoft's Rights Management
Service)

I know that even the military have not got information classification
and protection 100% correct, but as I mentioned this is a pilot, and a
decision will be taken at the end of the project on whether to proceed
with a rollout to other business units, or can the project.  So I am
looking for practice advice, experience and input, and not comments
regarding the success or failure of the project (I have had my
reservations from day 1).

Thanks in advance.
plokta
