Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Information Classification Policies: An Exploratory Investigation
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem (IS), Information Systems)ORCID iD: 0000-0002-1436-2980
University of Skövde, School of Informatics.
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem (IS), Information Systems)ORCID iD: 0000-0002-8607-948X
2018 (English)In: Proceedings of the Annual Information Institute Conference / [ed] G. Dhillon, S. Samonas, Washington, DC: Information Institute , 2018Conference paper, Published paper (Refereed)
Abstract [en]

InfoSec policies are considered a key mechanism in information security, and most organizations have one. However, the large majority of security policy research has focused on what policies should include rather than how they are accomplished in practice. To contribute to overcoming the lack of knowledge regarding this crucial aspect, this paper investigates information security policies based on what underlying approaches information classification practices are built on and the perceived ease of turning the policy into practice. To do so, a survey was sent to 284 Swedish government agencies, and 80 of their internal policies were collected as data. The data were analyzed both qualitatively, and qualitatively. The results show that information classification adoption rates are low despite being mandatory and that agencies are struggling in closing the gap between standards and practice. Furthermore, the results also show that information classification policies need to be more specific and give more actionable advice regarding, e.g., how information life-cycle management is included in practice, and where the responsibility for classification is put in the organization.

Place, publisher, year, edition, pages
Washington, DC: Information Institute , 2018.
Keywords [en]
Information security management, information classification, InfoSec policies., Public Administration Studies, Studier av offentlig förvaltning
National Category
Information Systems
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-18924ISBN: 978-1-935160-19-9 OAI: oai:DiVA.org:his-18924DiVA, id: diva2:1458392
Conference
17th Annual Security Conference, March 26-28, 2018 Las Vegas, NV, USA
Available from: 2020-08-17 Created: 2020-08-17 Last updated: 2020-08-24Bibliographically approved
In thesis
1. Supporting Information Security Management: Developing a Method for Information Classification
Open this publication in new window or tab >>Supporting Information Security Management: Developing a Method for Information Classification
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.

Abstract [sv]

I den starkt digitaliserade värld vi lever i idag har information och informationssystem blivit kritiska tillgångar för organisationer och därför måste dessa följaktligen skyddas. För att implementera och arbeta med informationssäkerhet på ett strukturerat sätt kan ett ledningssystem för informationssäkerhet (LIS) implementeras. Hantering av tillgångar är en central aktivitet i LIS som syftar till att identifiera tillgångar, fastställa lämpligt ansvar och bestämma lämplig skyddsnivå för informationstillgångar. En aktivitet inom hanteringen av tillgångar är informationsklassificering som har som mål att se till att information får en lämplig skyddsnivå i enlighet med dess betydelse för organisationen. Informationsklassificering är en allmänt känd och välanvänd praxis för alla slags organisationer, både inom den privata och offentliga sektorn. Dessutom finns informationsklassificering beskrivit som en del av flera standarder exempelvis i ISO/IEC 27002, COBIT och NIST-SP800.

Informationsklassificering har emellertid fått lite uppmärksamhet inom akademin och dessutom kämpar många organisationer med införandet. De underliggande orsakerna till varför det är problematiskt att implementera och använda informationsklassificering är i mångt och mycket oklara. Vidare tillhandahåller exempelvis befintliga standarder och nationella rekommendationer inget sammanhängande och systematiskt beskrivit tillvägagångssätt för att skildra informationsklassificering. De korta beskrivningarna i standarder och vetenskaplig litteratur utelämnar väsentliga aspekter som krävs för att kunna implementera informationsklassificering i en organisation. Det finns till exempel brist på detaljerade beskrivningar avseende (1) förfaranden och begrepp, (2) hur man kan anpassa tillvägagångssättet för olika situationer, (3) ett ramverk som strukturerar och styr klassificeringen, (4) vilka roller som ska vara involverade i klassificeringen och (5) hur information med olika granularitet hanteras.

Denna avhandling syftar till att utveckla en metod för informationsklassificering som bygger på standarder och praxis och som kan användas som en del av LIS-arbetet. För att möta detta syfte genomfördes en DSR-studie (Design Science Research) i tre cykler. Ett brett spektrum av data har samlats in som en del av detta arbete, inklusive en serie intervjuer med experter och nybörjare om informationsklassificering, en enkätundersökning, ett antal observationer samt en insamling av de flesta svenska myndigheters klassificeringspolicyer. Det finns tre huvudsakliga bidrag med denna avhandling (1) identifiering av problem och möjliggörare för informationsklassificering, (2) designprinciper som ligger till grund för utvecklingen av en metod för informationsklassificering och (3) metoden för informationsklassificering. Det har också gjorts bidrag till kontexten kring informationsklassificering. Exempelvis beskrivs och ges 20 praktiska förslag för hur man bemöter väldokumenterade utmaningar inom riskanalys och vid val av skyddsåtgärder.

Place, publisher, year, edition, pages
Skövde: University of Skövde, 2020. p. 310
Series
Dissertation Series ; 33
Keywords
information classification, Information security management, Information security management systems, Information classification method
National Category
Information Systems
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:his:diva-18920 (URN)978-91-984918-5-2 (ISBN)
Public defence
2020-09-04, G109, Högskolevägen 1, 09:00 (English)
Opponent
Supervisors
Available from: 2020-08-14 Created: 2020-08-14 Last updated: 2023-07-06Bibliographically approved

Open Access in DiVA

fulltext(229 kB)160 downloads
File information
File name FULLTEXT01.pdfFile size 229 kBChecksum SHA-512
5bf8b3c7fe17d102bd184c6df74d3ad5ab7dd3b39467f7bb558047e7446cc9188e6e56138dc1e19f779a3e808e7655d318a035af9f113e1a77f968688cf15750
Type fulltextMimetype application/pdf

Other links

Fulltext

Authority records

Bergström, ErikAnteryd, FredrikÅhlfeldt, Rose-Mharie

Search in DiVA

By author/editor
Bergström, ErikAnteryd, FredrikÅhlfeldt, Rose-Mharie
By organisation
School of InformaticsInformatics Research Environment
Information Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 160 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 783 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf