Better Marking of Information
Chris Taylor, CISSP
Leading Cybersecurity Expert Driving IT Strategy at Mittenpunkt
Before I dive into a better way of marking information, we need to first understand what information marking is and why we do it. The end goal is simple: to clearly mark sensitive information in an effort to provide "reasonable confidentiality measures." I will be using the word "sensitive" to refer to any manner of non-public information such as classified, proprietary, confidential, etc.; the exact type isn't important - only that it shouldn't be known by everyone.
Why would we implement such a seemingly simple, non-technical control? There are a few reasons.
- Best Practice - it's just good data management housekeeping for reasons described below.
- To protect trade secrets and other proprietary information - Most laws state that "reasonable measures" must be taken to protect the confidentiality of sensitive information. Marking said information is the basis of any security program. The US DoD Manual 5200.01 Volume 2 - "DoD Information Security Program: Marking of Information" (https://www.esd.whs.mil/Directives/issuances/dodm/) talks about their program ad nauseam and is probably excessive for most companies. NOTE that marking information alone is likely NOT enough to demonstrate due care in protecting information; it is only a starting point!
- Data Loss Prevention (DLP) - Because advanced DLP programs can be costly, tedious to set up, and difficult to maintain, they are not often deployed at smaller organizations and are instead left for larger companies. That said, since the wide adoption of Microsoft Office 365, even smaller organizations have access to simple but effective DLP tools. These tools can be easily set to alert or block traffic containing particular phrases. Labeling information with a simple word such as "confidential" or "proprietary" may not be an effective approach, because these words can easily appear in the normal text of a document (a legal e-mail footer is a common culprit), thus triggering many false positives. The simplest way to reduce false DLP triggers is to have a more elaborate information labeling scheme. The DoD Manual does this well; for example, "UNCLASSIFIED//FOR OFFICIAL USE ONLY" is incredibly unlikely to appear as normal text in a document. Thus, if this phrase is detected by DLP, it is likely a real incident. A better phrase for a smaller company may be "SENSITIVE//<CLASSIFICATION>." I won't go into depth on this, but it's worth noting that DoD contractors probably should NOT use phrases such as "CLASSIFIED," as these documents may not make it through their systems.
- It may be prudent to load a list of internal project names into the DLP software along with a prefix phrase, for example "SENSITIVE//PROJECT//DELOREAN". Refer to my previous article on "Security Through Obscurity" for more on project code names.
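To make the false-positive argument concrete, here is a small added example (my own illustration, not code from the article or from any DLP product) that runs a bare-keyword rule and a structured-banner rule over a handful of constructed outbound messages and counts true and false hits. The project code names DELOREAN and FLUXCAP, the sample messages, and the rule names are all made up for this illustration; a real DLP policy would express the same patterns in the vendor's own rule syntax.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical internal project code names loaded into the DLP rule (constructed).
PROJECT_NAMES = ["DELOREAN", "FLUXCAP"]

# Naive rule: a bare keyword, the way many out-of-the-box policies are written.
NAIVE_RULE = re.compile(r"\b(confidential|proprietary)\b", re.IGNORECASE)

# Structured rule: a banner of the form SENSITIVE//<CLASSIFICATION>[//<SUBCATEGORY>...].
# Case-sensitive on purpose: the banner is uppercase by convention, ordinary prose is not.
STRUCTURED_RULE = re.compile(r"\bSENSITIVE//[A-Z]+(?://[A-Z0-9-]+)*")

# Project rule: SENSITIVE//PROJECT//<known code name>, built from the loaded name list.
PROJECT_RULE = re.compile(
    r"\bSENSITIVE//PROJECT//(" + "|".join(map(re.escape, PROJECT_NAMES)) + r")\b"
)


@dataclass
class Finding:
    rule: str   # which rule fired
    match: str  # the text that triggered it


def scan(text: str) -> List[Finding]:
    """Run every rule over one message body and return all hits."""
    findings: List[Finding] = []
    for m in NAIVE_RULE.finditer(text):
        findings.append(Finding("naive-keyword", m.group(0)))
    for m in STRUCTURED_RULE.finditer(text):
        findings.append(Finding("structured-marking", m.group(0)))
    for m in PROJECT_RULE.finditer(text):
        findings.append(Finding("project-marking", m.group(1)))
    return findings


# Constructed sample messages, each labelled with whether it really carries sensitive content.
SAMPLES: List[Tuple[str, bool]] = [
    ("This email and any attachments may contain confidential information. "
     "If you are not the intended recipient, please delete it.", False),   # standard legal footer
    ("Can you send me the proprietary blend ratio quoted in the public brochure?", False),
    ("SENSITIVE//PROPRIETARY\nQ3 pricing model attached.", True),
    ("SENSITIVE//PROJECT//DELOREAN\nPrototype test results from yesterday.", True),
    ("Lunch tomorrow? The sensitive part of the menu is the dessert.", False),
]


def evaluate(rule_name: str) -> Tuple[int, int]:
    """Return (true positives, false positives) for one rule over the samples."""
    tp = fp = 0
    for text, truly_sensitive in SAMPLES:
        hit = any(f.rule == rule_name for f in scan(text))
        if hit and truly_sensitive:
            tp += 1
        elif hit and not truly_sensitive:
            fp += 1
    return tp, fp


if __name__ == "__main__":
    for rule in ("naive-keyword", "structured-marking", "project-marking"):
        tp, fp = evaluate(rule)
        print(f"{rule:20s} true positives={tp} false positives={fp}")
```

The bare keyword fires on the legal footer and on a question about a public brochure, while the structured banner fires only on the two messages that actually carry a marking; the project rule narrows further to the one message tagged with a known code name, which is the kind of hit an analyst can act on without reading the whole message.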
In reality, achieving these goals is anything but simple. Some of the issues you are likely to run into are no definition of what counts as sensitive information, no clear policies, and no clear definition of who should be identifying and labeling the information. Too frequently, I see smaller companies expecting the IT department to identify and mark information.
How do we make things better?
IT and legal should work together to define clear policy and procedures dictating naming standards, data owners, and marking standards. Then the users must be trained sufficiently. Training and reinforcement are vital to the success of an information marking program.
You don't have to tackle this from scratch; there are some good starting points. ISO provides plenty of useful information on this (https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/). The DoD Manual 5200.01 referenced above is also very thorough on the subject (though probably excessive for most companies). I advise looking through various information marking programs, taking a bit from each, and making the program your own.