Classification of Things

Employee round-table discussion

The Internet of Things (IoT) concept has been around for a while now. Put simply, it means that devices of all types are able to communicate with each other over the Internet. This communication will, we are told, help with such things as stock control, remote monitoring and location awareness, as well as many other capabilities. However, once our smartphones, cars, fridges and light switches are connected to the Internet, security becomes a concern.

Consider then how the IoT impacts on information classification methodology and vice versa.

I’ve recently been involved with a project concerning UK Defence companies and how they classify export controlled assets. This project recognises that both electronic and physical assets need to be classified so that personnel handling the assets can deal with them appropriately. The proposal for the physical assets is that they are marked (“classified”) with a QR code. QR codes are the square 2D barcodes that may contain some textual information. Personnel can use a barcode reader (or nowadays just a smartphone) to scan the QR code and interpret the text contained within (e.g. “UK Nationals Only”).

It occurred to me that there are many benefits when the physical and electronic assets share the same classification system. For example, the electronic assets describing the design of a physical asset could contain the same QR code (e.g. displayed in the header of a document) or at least the same text (“UK Nationals Only”). Further, it would be advantageous if every item concerned with information security were classified in the same way. This includes buildings, networks, servers, electronic records both structured (databases) and unstructured (Office documents), and people.

I call this approach the “Classification of Things (CoT)”.

ISO27001 “Information technology — Security techniques — Information security management systems — Requirements” recommends that all information assets are classified. Other information risk assessment methodologies revolve around the business impact if assets are compromised. Data classification underpins this methodology since you cannot know the impact of a realised threat if you haven’t already classified the asset.

Information Security Management Systems can benefit by taking the “Classification of Things” approach. Indeed, it might be said that this is essential.

So, how does this impact on the Internet of Things? If my fridge is communicating with my supermarket, or my phone is communicating with my car’s satnav system, or my CCTV system is communicating with the cloud service, then I want to know that all information transferred across these routes is handled in an appropriate way. This not only includes the transfer but also the subsequent storage of the information. Maybe the IoT must use the CoT?

You can find more information about using data classification to support ISO27001 compliance in our whitepaper.