Monday, December 31, 2007

What has classification to do with it?

Why do you need to classify your data? Isn't classification for secret government organizations and military organizations? I believe information classification is now needed for business as well. Today, organizations are under pressure to prevent the loss of sensitive personal information, both from regulatory compliance requirements and from a public that is getting tired of companies losing their information.

So if you are to decide on a classification scheme, what should you do? You can go from simple to complex, but the best bet is to choose somewhere in between. A three-level classification could be: Secret, Sensitive, and Public.

The value of a classification system is, of course, that when your information is classified and you know where it is, you can apply the right set of controls to it. Think about being able to target your encryption efforts. This can mean the difference between being able to deploy encryption and not, as protecting everything is usually cost-prohibitive.

The beauty of combining your information loss prevention program with a classification system is that, as you discover sensitive information in your organization, you can apply the classification scheme to it and, with it, the right set of controls. You thereby protect what needs to be protected and worry less about information that would not cause a material loss to your organization if it were lost.
