Profitability of organizations is ultimately dependent on the effectiveness with which they exchange, gather, process, retrieve, link, control, share, manage and, above all, protect their data and information. All these processes, however, require that the right information be made available to the right person or persons at the right place and at the right time. Costly lessons learnt with regard to information security controls introduced over the past number of years made it abundantly clear that it was vital, especially in a commercial environment, to apply countermeasures for the protection of information circumspectly and discreetly. A widely used mechanism with which to determine appropriate and effective countermeasures for the protection of information is to classify the said information. Most modern organizations classify their transaction-based data, for example, that information generated by orders and invoices, for the purposes of access control. The question that arises, however, is this: How many organizations classify their written communication, i.e. that contained in documents? All the information contained in documents represents the transaction-based data of an organization, and has a far more critical impact on its profitability than any other security factor. This paper has as its object the laying down of guidelines for the security classification of such documents. Documents are, by definition, mostly used as vehicles for the exchange of information not only within, but also between and among organizations. Important fundamentals on which this paper is based are as follows: the security requirements of specific categories of documents, the various processing stages of documents, such as draft and final, and the contents and structure of documents. In addition, the concept of information capability will be introduced.
(The term "information capability" imports the "amount" of information added to the data already contained in a document by means of the structural properties of that document.) The model that will be devised on the strength of this paper will promote the consistent classification of documents and is intended for integration with commercial software products that command document processing capabilities, for example, document management systems and groupware.