Over the years I’ve noticed that some organizations confuse “important” documents with “confidential” documents. True, some important documents do contain sensitive information, such as company proprietary information or even client information, and those should be labeled “Confidential.” But not all important documents are confidential.
Case in point: at one company, the employee handbook was updated and one of the updates included a “Confidential” label on every page. When I saw that, I asked why the handbook had “Confidential” labels throughout. I pointed out that confidential documents need to be protected with the highest levels of security including encryption as well as physical security controls like keeping them in locked cabinets when not in use.
Plus, I said, if someone violated the rules for handling the “Confidential” employee handbook by, say, accidentally leaving a copy behind at a Starbucks, that would initiate a security incident exactly the same as if a client’s data were breached. That seemed a bit overboard for an employee handbook.
The answer I got, though, was a little surprising: I was told that the next lowest level of classification “For Internal Use Only” just didn’t sound “strong enough.”
In other words, “For Internal Use Only” didn’t seem to have enough gravitas to convey the importance of the employee handbook, at least from the perspective of the writers.
This isn’t an isolated case. At various organizations I’ve seen other documents mislabeled as “Confidential,” including marketing materials (which are meant to be shared as widely as possible) and security policies (do you really want a security incident if someone outside your organization reads your security policies?).
Obviously, this is a user awareness opportunity for the Information Security Officer. Part of the security officer’s role is to make sure users understand the different classifications and rules for labeling that go with them.
One angle of user training might be raising people’s awareness that document labeling for security purposes is not meant to convey the importance of a document. The only purpose of labeling is to let the reader know whether or not the document has sensitive information in it so the reader can handle it appropriately.
Another approach the security officer could use is to encourage users to have the security officer review documents prior to labeling them “Confidential,” especially if those documents will be widely distributed to many users. It’s in the best interest of the security officer not to have documents mislabeled with classifications that are too high. That’s one of the reasons why the government regularly reviews and declassifies documents.
What do you think? Do you ever see documents in your organization that are mislabeled? If so, what approach do you take to address that?
Photo credit: pdenker