It is useful to classify your information assets - so that you can decide how to treat them, and tell your people.
Her Majesty's Government has a well-developed Protective Marking Scheme, but is about to move on to a new scheme.
More simply, you might like to consider marking items CONFIDENTIAL if there are legal reasons (such as a contract or the Data Protection Act), or operational reasons (such as trade secrets or lists of clients) why access to them should be controlled. You may want to mark assets which are even more sensitive SECRET.
Markings would probably be at the top and the bottom of each page (paper or electronic).
You will think at first of your information as your asset. But don't forget the computer system that it needs to work for you. And maybe the accommodation that it lives in; and maybe the people that it needs to work for you.
Then you will probably want to put at least one barrier between the items and the untrusted world. A barrier might be a building, or the door of a room; a safe or a locked desk; encryption; a password.
This forces you to think through who should and who should not have access to it.
The usual rule is that the person who creates the item is responsible for its classification; and anyone who subsequently handles it is bound by that decision.
You will want to apply some rules for handling it:
- Shred it in a cross-cut shredder at the end of its life (a good shredder shreds so small that you can see no more than two printed characters on the shreds). Physically destroy computer media (meaning disks, tapes and USB sticks).
- Don't discuss the detail on the 'phone - especially a mobile 'phone. 'Phones are not very secure any more.
- Don't fax it. (Isn't the fax obsolete now?)
- If it's on paper put it in a sealed envelope to move it. Don't show the marking on the outside of the envelope.
- Lock it away when it is unattended.
- When kept on a computer it must be protected by a password system, and encrypted. More on this aspect later.
- If sending it by computer, including by e-mail, then you should encrypt it.
- Don't keep two classifications of material (e.g. CONFIDENTIAL and SECRET) together.
Some organisations under-mark their assets - possibly to save money and trouble. They are taking unnecessary risks which might be difficult to defend in court.
Other organisations over-mark - maybe to emphasise their importance. This costs time and money and trouble.
Most, I suppose, just don't bother....