When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification scheme, we have an upstream “if-then” (if it’s this kind of information, then it has this classification), followed by a downstream “if-then” (if it’s information with this classification, then we treat it this way). A classification scheme is simply a logical paradigm, and frankly, the simpler, the better. For day-to-day efficiency, once the rules and classifications are set, we automate as much and as broadly as possible, thereby avoiding laborious individual decisions that reinvent the wheel.
Easy so far, right? One of the early challenges is to identify and bundle the rules, which can be complicated. For example, take security rules. Defining what information fits in a protected classification for security controls can be daunting, given the various overlapping legal regimes in the United States for PII, PHI, financial institution customer information, and the like. So, let’s take a look, over several posts, at legal definitions for protected information, starting with PII under state statutes.