Eric Osterhold authored a blog post entitled "Establishing classification types without going overboard". Eric states: "I’ve found that creating too many levels for classifying data defeats the process - users will not use a system with 6 or even 5 different classification levels. I often propose establishing 3 levels". He goes on to name "Restricted", "Sensitive" and "Public". Is this really enough?

While it is definitely a reasonable first step toward managing information for data security purposes, it is clearly insufficient for implementing a broader information management initiative.

Why is that? Well, within an organization, there are many constituents – each of whom has a different objective for effectively managing information:

• Compliance Officer/Records Information Manager
– Needs to comply with government and corporate regulations for retention and access

• Legal Counsel
– Needs to find the right information at the right time for legal and patent issues

• Security Officer
– Needs to manage enterprise-wide information security and risk (for access control, encryption, digital rights management)

• Chief Risk Officer
– Needs to address corporate risk management

• Senior IT Management
– Needs to optimize storage costs

• Business Users
– Need to locate information

Because of these disparate needs, a single classification will not be sufficient to effectively manage information across all stakeholders.

And this is why most information management initiatives fall short: one size does not fit all.


