Simplified classification schemes at Swedish state agencies

Information is a vital part for most organizations, not least for state agencies as they handle personal data for every citizen, such as medical records, social security numbers and other sensitive information. It is therefore critical to protect the information assets at a sufficient level according to its value. Information security aims to do this by preserving the properties of confidentiality, integrity and availability of the information. This means that accurate and complete information shall be accessible and usable by an authorized entity upon demand. Swedish state agencies are obliged to manage their information security by the implementation of an information security management system (ISMS). The ISMS has to be set up and operated in compliance with the international standards ISO/IEC 27001 and ISO/IEC 27002, but these standards are somewhat vague in describing how to perform certain procedures. One part of the ISMS consists of the process of classifying the information, a process that according to the result from a survey by the Swedish Civil Contingencies Agency (MSB) is troublesome (MSB, 2014), especially for smaller-sized agencies. In this classification process, a classification scheme is used to determine the consequences to the organisation if the confidentiality, integrity or availability of the information is jeopardized. The result of this process determines the level of protection that each piece of information asset will receive at a later stage. It is vital to classify the assets at a suitable level to avoid over or under classification, as the former can lead to unnecessary costs and difficulties in using the assets, and the latter can put the asset at risk of unauthorized access. The interest from the academic world have however been low regarding research focused on the 27000 series of standards, compared to the more mature ISO/IEC 9000 and ISO/IEC 14000 series. This thesis project aims to investigate how the classification scheme has been simplified and to identify enabling factors from the development and use of simplified classification schemes. The research questions for this thesis project are: In which ways have a number of Swedish state agencies simplified their information classification schemes? Which factors have influenced the development and use of a simplified classification scheme? A mixed method, an embedded case study, was used, including both a review of existing information security policies for the state agencies to gather information about current information classification models and schemes, as well as interviews with the chiefs of information security for the state agencies regarding the development and usage of a simplified information classification scheme. In total, 120 documents from 81 agencies were reviewed and 7 interviews were completed. The results from the study shows that the state agencies that have simplified their classification scheme do so by focusing on one aspect: confidentiality. The agencies motivate this by a number of reasons: The aspects integrity and availability are regarded complex and difficult for the end user to relate to and classify. In order to simplify for the end user these aspects are handled by the IT department and the IT environment The integrity and availability aspects are more or less built into the IT environment and thus handled automatically as long as the end user correctly classifies the information asset according to the confidentiality aspect and handles the information according to the handling guidelines The study also shows the need for a national, common set of handling guidelines and consequence levels for the classification scheme as this would simplify and improve the security in communication between the state agencie