I use public transport to commute between office and home. Recently, a gentleman sitting next to me was reading a document. I peeped at it, and all I could instantly read was the document name and that it was labeled “Confidential”.
Now, why would somebody read a confidential document during his commute to the office on public transport? Did the classification serve any purpose? I was getting curious about this and asked him, “Any urgent review going on?” He said, “No, why?” I said I could see the document was classified “Confidential”. His explanation was, “It is just an old document, maybe sometime in 2006”. Well why the document not re-classified if it was old…?
Urgency is one big enemy of security and so is labeling to a certain extent.
In another instance, there was an organization that had many branch offices, and physical mail was exchanged between these branch offices. The recommendation for exchanging documents that were classified as “Top Secret” was to put the document into an envelope, label that as “Top Secret”, and then put that envelope into another one labeled “Personal”. The classification levels in this organization were first “Top Secret” and then “Confidential”. Now, how would this serve the purpose?
The mail is exchanged through an outsourced mailman (or it could even have been an internal employee), and the mailman would be curious about the label “Personal” itself. Once he decides to open it, he will be even more curious, or happy, since it is labeled “Top Secret”.
Do we need to restrict labeling to physical documents that reside within the organization's premises only?
For example, in the first instance, what if the person had removed the label and printed the document? I would not even have bothered to look into the document he was reading and have a conversation with him about it.
In the second instance, as long as the document is moving from one office to another, remove the label and deliver it personally (I mean this only for “Top Secret” documents). Once it is in the destination office, can’t it be labeled again?
I feel that labeling of physical documents should be used primarily to identify how they are to be stored and protected, and not while they are in physical transit. Let me know your views.
#1 by Joshua on December 1st, 2011
Hi Vinod,
Thank you for writing these nice articles. Quite thought-provoking. In the first instance, you mentioned the document was from the year 2006, and later said it should have been reclassified. Could you please tell me what you meant by “Well why the document not re-classified if it was old…?”
What I thought was that, no matter whether a document is old or new, its confidentiality remains the same (there are exceptions though; a document that was confidential a decade ago may not be equally confidential now). Kindly excuse me if that was not a sensible question, as I’m just a beginner in this domain. Thanks a lot for your time.
#2 by Vinod Puthuseeri on December 7th, 2011
Hi Joshua,
As you rightly mentioned, some documents change their confidentiality classification as time passes. Consider the year-end financial information of an organization. What would its confidentiality be before and after the financial results are published? It would change from confidential to public in about a day's time.
Similarly, over a period of time the information need not be as critical as it is now. Hence, by changing the classification level, you can further decide what kind of security controls that document requires. Eventually, you do not want to put similar security controls on a confidential document and a non-confidential document.