Baseline for AIP policies

When I am delivering AIP workshops to my customers, I regularly get asked whether I have a baseline for sensitivity labels. I always give the same answer: it depends on your needs and requirements. But with this post, I want to show you how you can start your content classification.

First of all, you have to think about naming and descriptions. At first glance this could seem quite obvious, but when your end users start working with those labels and have to read the names and descriptions, this information will help them a lot. So choose wisely and think twice.

My recommendation here is to make sure the name conveys the real purpose of the label and reflects the terminology that the company uses. Once you have this, half of your work is done; what remains is to create a description explaining the contents that the classification covers.

So, which AIP levels am I creating? The following four:

  • Public
  • Internal
  • Confidential
  • Secret

Public classification

The public classification label applies to information that is available to the general public and intended for distribution outside an organization. This information may be freely distributed without risk of harm. Information produced for public consumption, such as news releases, job announcements, and sales brochures, is a good example.

Internal classification

The internal classification label applies to information that is used in business processes, and the unauthorized disclosure, modification or destruction of which is not expected to seriously affect the organization, customers, employees or business partners. Information used in routine business matters, such as internal policy manuals and company phone lists, is a good example.

Confidential classification

The confidential classification label applies to information that is used in sensitive business processes, and the unauthorized disclosure, modification or destruction of which will adversely affect an organization, its customers, employees or business partners. Examples of sensitive information include intellectual property, contract negotiations, most personnel matters, personally identifiable information, protected health data, bank account numbers and payment card information of customers and employees.

Secret classification

The secret classification label applies to information that is used in extremely sensitive business processes, and the unauthorized disclosure, modification or destruction of which would seriously harm the organization, its customers, employees or business partners. Examples for health organizations include medical records relating to mental health, sexually transmitted diseases… Examples for other organizations include documents used in mergers, strategic plans and litigation.
