Information Classification Labels

So what are information classification labels? Essentially they are a security tool. They are a method of classifying sensitive business documents (electronic versions and even more important, physical hard copies) in a way that governs their use and distribution. The document label should project a clear understanding of the level of sensitivity that document carries. There are no hard and fast guidelines for defining your label attributes so I will touch on four of the most commonly used labels along with a brief description and example of each.

The most efficient use of these labels is in the form of a document footer, watermark, or a simple rubber stamp. The label layout should give the classification level and a brief description of it.

Example:

INTERNAL USE ONLY

This document should only be shared with employees of (Your Business Name).

The Public classification is self-explanatory. This is a document that (hopefully) does not contain any sensitive business information and as such can be shared with the general public. An example of the label might be as follows:

PUBLIC

This document can be shared with non-employees of (Your Business Name).

The Internal Use Only classification might be applied to documents that cover general business practices that you may not want competitors to know. This classification should be a default for all email traffic and internal correspondence. Memos, announcements, meeting requests, emails, and presentation materials (in most cases) are all examples of Internal Use Only documents. That is by no means an exhaustive list but should give you an idea of what type of material fits into this classification level. Again, our original example:

INTERNAL USE ONLY

This document should only be shared with employees of (Your Business Name).

The Restricted classification is harder to define because it really depends on how your leadership views the material in question. In the small business environment this would be a good classification to use for performance reviews or disciplinary action. For example, any type of correspondence or reporting that should only be shared between a manager and employee. Essentially, content that should not be shared with an employee's peers (such as a review) but not as sensitive as confidential information (such as salary or HR issues).

Another example of Restricted material might be business forecasts that, due to their importance in advancing a company's business plan, are not ready to be shared with the general work force. Often times this type of material would eventually be downgraded to an Internal Use Only level once the business plan was executed. Here is an example of the Restricted classification label:

RESTRICTED

This document should not be shared with the general employee community.

For Management ONLY.

Finally, the Confidential classification should be used for extremely sensitive material. This classification usually breaks down into two sub-categories: business-specific and employee-specific. Business-specific confidential material could include financials (if the company is not publicly traded), product rollout dates, or customer information (credit card numbers, address information, and even social security numbers). Employee-specific confidential material could include employee salary, employee personal information (social security number, address, phone numbers, personal information of employee dependents), or HR related issues.

Example:

CONFIDENTIAL

This document should only be viewed by it's intended recipient.

It should not be shared with anyone but senior management or a member of HR.

Information classification labels are a great way to classify the sensitivity level of your business documentation. They also assist employees with determining how to handle the material by setting a baseline and establishing a level of accountability. This is an excellent tool that will help you create a more security-conscious environment for your small business.