Simon Andersson, a co-worker in the ISSUES project, has published a study on information classification. Interviews with representatives from private and public businesses form the basis of the study. Those interviewed had their own experience with information classification, either as a person in charge or as a specialist. The experiences gathered from the organisations were compared with established theories.
The analysis made it clear that there were five key challenges:
- It is difficult to find a suitable level of detail, for example, whether the classification should be at system or file level.
- The documentation of identified assets is not complete; for example, it is challenging to keep a registry of assets up to date as information is created, changed, or moved.
- Different conclusions are drawn from the same experiences, which can lead to lengthy discussions that take resources from the classification itself.
- Meanings and what texts convey are interpreted differently, e.g., differences between departments’ jargon and how guidance and standards are interpreted.
- It is difficult to adapt standards and guidelines to the organisation’s conditions. One example is how different definitions of impact are formulated: it is difficult to express the differences between a medium and high impact level in a clear-cut way.
Information classification is a key prerequisite for managing risk in organisations, and as such, it is important to understand the challenges one might encounter.
To learn more, read Simon’s article here: Problems in Information Classification: Insights from practice.