Performing a risk assessment is one of the fundamental tasks you’ll undertake when deciding which protection mechanisms should be used to defend your information. We looked at risk assessments in Chapter 4, so you should be fairly familiar with how to carry one out by now; however, one thing that wasn’t covered back then was how you go about attributing a value to the information you are protecting.
The value you place on information is extremely useful when deciding how much you are willing to invest in protecting it. It can be used to weight the results of your risk assessment so that more sensitive information receives more appropriate and stringent security controls. Those controls cost more, but they are applied only to your highly valuable assets (the information you are protecting) and your highly desirable targets (the information attackers will place value in). This ensures that your hard-fought budget is spent on protecting only what’s most important to the business, rather than protecting everything with the same level of rigor.
In fact, all information has a value, whether it’s in the public domain (such as product descriptions on your website) or the secret recipe for your world-famous black fizzy beverage. Therefore, you’ll need a way to attribute an appropriate value to each category of data. One of the most popular ways to value data is based on its sensitivity; that is, the amount of secrecy required when handling or accessing it. An information classification scheme is often used by organizations to identify the sensitivity of individual information assets, where information can be labeled as CONFIDENTIAL, UNCLASSIFIED, or TOP SECRET (to use just three examples). The reality is that any number of categories can be used as long as the definition of each category is clear and unambiguous. Your users need to be able to implement it and make classification decisions themselves without having to refer to the security team each and every time they create a new document.