Information Classification - Who, Why and How

Many companies consider initiatives like risk analysis and information classification, which tie protection measures to business need, to be too expensive and unwarranted. They instead look to information technology support organizations to identify the information that should be protected, the level of protection that should be provided, as well as the technology solution. Because it is the business community that knows best the importance of the information, this practice often results in inefficient and ineffective technology focused information protection plans that do not specifically address a company's business need. This paper will clarify who should be determining appropriate company protection needs. It will also demonstrate why information classification is a necessary, efficient and effective means to convey business driven information protection requirements. Last, it will offer a method for classifying information to persuade readers from accepting that their company should implement a data classification system to recognizing that it can.