One of the significant aspects of securing information systems is recognizing the value of the information held in an organization's information systems and then setting appropriate procedures and protection requirements for it. Since different information can differ in value, it requires separate levels of protection.

This is called security classification of information. The procedure of information classification comprises several steps. Initially, it is important to identify a member of senior management as the owner of particular information. In the next step, a classification policy is developed which defines the various classification labels, as well as the criteria through which information is filtered into these labels. It further specifies the security controls needed for each classification. Some examples of classes into which organizations usually categorize information are Public, Sensitive, Restricted and Confidential. Organizations provide special training to all their employees as well as business partners so that they fully understand the importance and the procedure of classifying information. These classifications are reviewed on a constant basis, along with the attached security controls, to ensure that the information is classified appropriately and that it is given the desired level of protection (SANS Institute).

