Eric Osterhold authored a blog post entitled "Establishing classification types without going overboard". Eric states: "I’ve found that creating too many levels for classifying data defeats the process - users will not use a system with 6 or even 5 different classification levels. I often propose establishing 3 levels". He goes on to name "Restricted", "Sensitive" and "Public". Is this really enough?
While it is a reasonable first step toward managing information for data security purposes, it is clearly insufficient for implementing a broader information management initiative.
Why is that? Well, within an organization, there are many constituents – each of whom has a different objective for effectively managing information:
• Compliance Officer/Records Information Manager
– Needs to comply with government and corporate regulations for retention and access
• Legal Counsel
– Needs to find the right information at the right time for legal and patent issues
• Security Officer
– Needs to manage enterprise-wide information security and risk (for access control, encryption, digital rights management)
• Chief Risk Officer
– Needs to address corporate risk management
• Senior IT Management
– Needs to optimize storage costs
• Business Users
– Need to locate information
Because of these disparate needs, a single classification will not be sufficient to effectively manage information across all stakeholders.
And this is why most information management initiatives fall short: one size does not fit all.