Many times, information is classified even though an adversary could acquire that same information through straightforward, independent efforts. This is done to make the adversary expend more resources in seeking that information and thus lessen the damage from disclosure.
Classification of information is done on a document-by-document basis by agency heads and officials with original classification authority. Information is not classified to conceal inefficiency or error; restrain competition; or for other improper purposes. In this article, we will discuss which of the following is true of security classification guides.
What is Classification?
Information is classified when it is determined that the national security would be adversely affected by unauthorized disclosure. This information can be in the form of text, audio, video, images or any other physical media. Classification markings are used to identify classified information. This identification can occur either originally or derivatively.
Original classification is when the decision is made that the information intrinsically meets the criteria for classification under Executive Order 12958. Derivative classification is when a document, apparatus, model or other physical object already classified is used to classify other material in the same format. It is important for information stewards to understand these differences to ensure that the appropriate classification markings are applied.
Information should be classified to the highest level that will adequately protect national security interests. This is determined by comparing the potential damage of the information’s disclosure with the benefits of having it unclassified. The three national security classification levels are Confidential, Secret and Top Secret.
The University has established a security classification process for the protection of sensitive data that must be followed by anyone who handles it. The process is based on the risk that could result from improper access, use or handling of the data and the potential impact to the University’s operations and reputation.
High Risk information must be kept secure at all times and only transmitted to individuals who have a valid business need and who are following proper procedures for the handling of sensitive information. This may require special training, data use agreements and/or documentation.
It is a best practice to clearly label all High Risk information to warn others that it should be treated carefully and with discretion. This is a critical step in reducing the risk of unauthorized disclosure.
It is also a good practice to review the sensitivity of all information on an ongoing basis to determine if it requires continued protection or if it can be downgraded. This will help to avoid accumulating unnecessary classified information and minimize the cost of maintaining it. This will also reduce the risk of mishandling of information, resulting in an accidental declassification that would jeopardize our nation’s security.
If information is classified as Official-Sensitive, Secret or Top Secret it must be marked clearly and a special symbol is used on documents and computer devices. If you are not sure whether information should be classified, or what level, consult with your IAO lead or security adviser for advice. The level of classification is displayed in a special field on the document properties window and also appears when sending the document by email.
When determining the appropriate level for information, consider how damage to the national security could occur from its disclosure. The damage levels of Confidential, Secret and Top Secret are estimated to differ by an order of magnitude, meaning that unauthorized disclosure of Secret information would cause about ten times the damage of unauthorized disclosure of Confidential information. The imminence of the damage should also be considered, as this can help determine the level of protection needed for that information.
In addition to the sensitivity levels, the classified status of information can be further defined by compartmentalization. Usually classified as SAP (Sensitive Access Program), SCI (Sensitive Compartmented Information) or TS/SCI (Top Secret – Sensitive Compartmented Info), specific compartmented programs require heightened security measures such as no lone zone rules for nuclear weapons. This method of segregation is also found for some high risk IC/IS activities within the Department, for example, in the case of the fusion research program.
Data owners and custodians are responsible for setting the correct security classifications and levels on all data they own or control. They should communicate the appropriate classifications to all University community members and follow the required security controls for that level of protection (see Administrative Policy: Information Security). For example, High Risk information must be carefully safeguarded and only accessible to those with a documented business need.
In some cases, this may also include following data use agreements or other documentation. This is an important requirement to meet state and federal laws and regulations, as well as any specific contractual requirements. It is a good practice to find alternative ways to work with classified data wherever possible.
Information is classified because it needs protection against unauthorized disclosure. This is primarily because it might endanger national security. Different countries have slightly different classification systems, but all have categories that are based on the damage to national security the information might cause in the wrong hands.
Classifications that are designed to protect against specific types of harm include compartmented constraints on access, such as No Foreign dissemination (NFO), Originator Controlled Dissemination (OrCon) and Special Intelligence. Other markings are also used, such as Security Vetting – In Confidence and Sensitive, which are intended to protect information of a policy or privacy nature.
The original decision to classify is made when the information first becomes classified. However, a number of other factors can affect whether or not the classification remains appropriate. These are often reflected in the guidance contained within an agency’s SCG.
For example, it might be considered inappropriate to assign a Top Secret classification level to information that is expected to be given to many people because the probability of unauthorized disclosure will increase with the number of people who know it. In this case the classification would probably be revised to Secret.
Another factor is the amount of effort that would need to be expended to obtain the information from its source. Information that can easily be acquired without much effort from public sources might not require a high level of protection and may instead be classified as Confidential. This might include intelligence and investigation data relating to individuals of interest to security agencies or to the ability to investigate serious organised crime.
The impact of unauthorized disclosure on an individual might also be a factor in the determination of its classification level. While the unauthorized release of confidential information might have minimal effect on an organisation, it is likely to have significant personal consequences for the individuals involved. In some cases this may be sufficient to justify a higher protection level than Confidential.
If there is substantial doubt about the appropriateness of a classification level, a formal challenge should be raised with the relevant agency. In the interim, an informal classification challenge could be raised by asking for a second opinion from a colleague with a clearance for that category of information or the Information Security Office.
Data classification is used by companies to better understand the sensitivity of their stored information and to build security systems that follow strict compliance guidelines and optimize data privacy, security, and protection.
This includes determining who should be authorized to access that data, and what protection policies are applicable for storing, transmitting, and retaining it. It is also important to classify information in order to know what types of regulatory standards should apply to that information.
Aside from the statutory requirements of Executive Order 13526, the Information Security Oversight Office (ISOO) sets and maintains policy for the classification of records at the national level, including a system of declassification review under which classified records can be reviewed and, where appropriate, declassified. This process is managed by the Information Security Classification Appeals Panel under the supervision of the ISOO Director.
The definition of information in EO 13526 is quite broad and can include any tangible or intangible medium such as a document, instrument, apparatus, model, film, recording, or other physical object. It can also include information that must be protected against unauthorized disclosure in the interest of the national defense or foreign relations of the United States. This information must be marked by stamping, tagging, or other means to signify its classification level.
There are two types of classification: original and derivative. Original classification occurs when a new piece of information is developed that intrinsically meets the criteria for its classification. Derivative classification occurs when a new piece of information, such as an excerpt from a previously classified source, is incorporated into another document. The information that is incorporated must be evaluated against the original classification guidance, such as an SCG, in order to determine whether it should be classified as well.
If a clearance holder finds substantial cause for doubt that a piece of information is appropriately classified, they can initiate a formal classification challenge. This should be initiated as soon as possible to avoid delay in the processing of that information. In the meantime, the information should be safeguarded as if it were classified pending a decision.