I'm just struggling with #InformationClassification
In my opinion there is a central and unsolvable contradiction at the core.
On one side information shouldn't get into the wrong hands. Information should only be shared following the "need-to-know".
On the other side many/most problems are caused by not having the right information. And what's the "right" information can often only be determined by the recipient.
So how can information only be shared with the right parties if only the receiving party can decide if they are the right recipient AFTER they received the information?
#InformationSecurity #CyberSecurity
=> More informations about this toot | More toots from realn2s@infosec.exchange
The #InformationClassification only gets harder because of the dynamic and context specific nature of the classification.
A profit warning may be top secret before publication, but afterwards it is public.
Quite often an information handling policy distinguishes between internal and external, employees and everybody else.
But this isn't realistic or practicable.
Specifications, requirements and concepts might be highly sensitive, but an external developer working in the development team needs access to them.
A circuit diagram might be confidential but must be available to an external contract manufacturer.
A proposal or contract might be highly sensitive but must be shared with the external other side.
External accountants, consultants, government agencies or lawyers might need access to a lot of highly critical information.
I encountered policies where certain categories require information to not be shared, only to be shown.
But realistically a lot of the "showing" will happen online today. So how can not-sharing be guaranteed?
This brings us to the technology part.
If encryption is required, what "kind" of encryption? Realistically a lot of information is sent through email, and hopefully most email is (transport) encrypted. But as an end user I have no way of checking or ensuring this. And even an admin can only check this on a case-by-case basis if unencrypted email isn't completely turned off.
Transport encryption means the email provider and admins can theoretically access the data on both sides.
But if you go for end-to-end encrypted email you get into the whole mess of key management. And you will need to take care of data retention.
And yes, there are secure file sharing solutions available. But these quite often are a convenience or usability issue and open up the new challenge of managing external accounts.
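As an added example (my own illustration, not part of the thread above), a small Python check for the point that an admin can only verify transport encryption case by case: it reads the Received: headers of one message and reports, per hop, whether the recorded protocol keyword (ESMTPS, ESMTPSA, ...) denotes a TLS-protected session. The headers are constructed sample data, not from a real message.

```python
import email
import re

# Constructed sample headers (not from a real message). The top Received: line was
# added by our own MTA (mail.example.org, ESMTPS/TLS 1.3); the lower one, written
# by the sender's relay, reports plain ESMTP.
SAMPLE_HEADERS = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org with ESMTPS id 7Fd3A
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.example.net (laptop.example.net [192.0.2.10])
\tby mx2.example.net with ESMTP id 9Kq1Z;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: test

body
"""

# "with" keywords that denote an SMTP session inside TLS: ESMTPS/ESMTPSA
# (RFC 3848) and the UTF8SMTPS/UTF8SMTPSA variants (RFC 6531).
TLS_WITH = re.compile(r"^(?:UTF8)?E?SMTPSA?$")
TLS_VERSION = re.compile(r"TLS\s*v?1[._]\d", re.IGNORECASE)


def hop_tls_status(raw_message):
    """One record per Received: hop, oldest first: receiving server,
    recorded 'with' protocol, whether it denotes TLS, and TLS version."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        hop = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", hop)
        with_ = re.search(r"\bwith\s+([A-Za-z0-9]+)", hop)
        token = with_.group(1).upper() if with_ else ""
        version = TLS_VERSION.search(hop)
        hops.append({
            "by": by.group(1) if by else "?",
            "with": token,
            "tls": bool(TLS_WITH.match(token)),
            "tls_version": version.group(0) if version else None,
        })
    return hops


def all_hops_encrypted(raw_message):
    """True only if every recorded hop reports TLS. Only the Received: line
    written by your own MTA is trustworthy; earlier ones are other parties' claims."""
    hops = hop_tls_status(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)
```

Only the hop recorded by your own server is a fact you can rely on; anything earlier in the chain was written by someone else's MTA, which is exactly why this remains a per-message spot check rather than a guarantee.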
In the end I often see this leading to #InformationClassification according to the use not according to the criticality of the information.
E.g. "we need to share this document with externals via email, therefore it can only be 'internal'".
Or, "who cares if this is 'confidential', we share it nevertheless (because we need to)".
It's just so annoying.