Discordian Cybersecurity

🏷️ The Five Levels of Actually Giving a Damn: Think For Yourself: Classification Beyond Compliance Theater

The Five-Level Problem With Most Classification Systems

Most organizations approach data classification with one of two extremes:

Extreme 1: Everything Is Secret

"This email about lunch plans? CONFIDENTIAL. The office wifi password? TOP SECRET. The coffee machine manual? CLASSIFIED."

Result: Security theater. Nobody takes classification seriously because everything is "sensitive."

Extreme 2: Nothing Is Sensitive

"Our customer database? Just data. Financial records? Public anyway. Source code? Who cares?"

Result: Security negligence. When everything is unclassified, actual sensitive data gets leaked.

Both approaches fail. The first creates information hoarding that destroys productivity. The second creates information leakage that destroys trust.

We need a balanced classification framework based on actual risk, not fear or laziness.

The Five Levels: From Public to Extreme

The Law of Fives demands exactly five classification levels. Not three (too simple), not seven (too complex). Five.

Each level is defined by the impact of unauthorized disclosure, modification, or unavailability. Not by vague feelings or organizational politics.

Level            | Impact If Compromised     | Examples                                                             | Default Access
-----------------|---------------------------|----------------------------------------------------------------------|------------------------------
1. Public        | No impact—already public  | Marketing materials, published policies, public documentation        | Everyone (including external)
2. Internal      | Minor inconvenience       | Internal procedures, team documentation, non-sensitive metrics       | All employees
3. Confidential  | Moderate business impact  | Business strategies, financial forecasts, customer lists             | Need-to-know basis
4. Secret        | Serious business harm     | Customer data, financial records, strategic plans, source code       | Specific roles only
5. Extreme       | Existential threat        | Credentials, encryption keys, security vulnerabilities, legal cases  | Minimal access, time-limited

Note how "Extreme" is reserved for actual existential threats—not arbitrary sensitivity. Most data should be Internal or Confidential.

The CIA Triad: Three Dimensions of Classification

Classification isn't just about confidentiality. The CIA Triad demands we consider all three dimensions:

🔒 Confidentiality

Question: What happens if unauthorized people see this data?

Impact Levels:

  • Public: No impact—already public
  • Internal: Minor embarrassment, no competitive harm
  • Confidential: Competitive disadvantage, customer concern
  • Secret: Regulatory violations, significant financial loss
  • Extreme: Company-ending breach, criminal liability

✓ Integrity

Question: What happens if this data is modified incorrectly?

Impact Levels:

  • Public: Minor correction needed
  • Internal: Work disruption, rework required
  • Confidential: Incorrect business decisions
  • Secret: Compliance violations, financial reporting errors
  • Extreme: System compromise, legal liability

⏱️ Availability

Question: What happens if we can't access this data?

Impact Levels:

  • Public: Minor inconvenience
  • Internal: Productivity loss, can work around
  • Confidential: Business operations disrupted
  • Secret: Revenue loss, customer impact
  • Extreme: Business cannot function, emergency situation

Key Insight: Data can have different classifications for each CIA dimension. Your marketing website might be:

  • Confidentiality: Public (already visible to everyone)
  • Integrity: Confidential (unauthorized changes would damage brand)
  • Availability: Secret (downtime directly costs revenue)

See our full Classification Framework for detailed examples.

Five Common Classification Mistakes

1. Over-Classification (Security Theater)

Symptom: Everything marked "Confidential" or higher, including the lunch menu.

Problem: When everything is sensitive, nothing is. People ignore classifications and share freely anyway because they need to get work done.

Fix: Default to Internal. Upgrade only when specific impact justifies it.

Hidden Wisdom: If your coffee machine manual is classified, you're not doing security—you're doing paranoia theater.

2. Under-Classification (Negligence)

Symptom: Customer data marked "Internal," credentials pasted in wikis, secrets in Slack.

Problem: Actual sensitive data gets leaked because nobody treats it carefully enough.

Fix: Classify based on worst-case impact, not what's convenient for sharing.

Hidden Wisdom: "It's fine, it's just internal" are famous last words before a breach.

3. Ignoring Availability (The Forgotten Dimension)

Symptom: Focus only on confidentiality, ignore uptime requirements until systems are down.

Problem: Critical systems have inadequate backups and recovery plans. You discover this during the outage.

Fix: Classify availability separately. Your public website needs high availability even if confidentiality is "Public."

Hidden Wisdom: Uptime isn't sexy, but neither is explaining to customers why they can't access your service.

4. Ignoring Integrity (Silent Corruption)

Symptom: Anyone can modify critical data, no audit logs, no version control.

Problem: Data corruption leads to incorrect decisions, compliance violations, and expensive mistakes.

Fix: Classify integrity separately. Financial data needs high integrity even if it's not particularly confidential internally.

Hidden Wisdom: Wrong data is worse than no data—at least with no data you know you don't know.

5. Static Classification (Set and Forget)

Symptom: Classification set once during project kickoff, never reviewed again.

Problem: Data sensitivity changes. Old projects become public, new features become secrets, and your classifications are outdated.

Fix: Review classifications regularly. Downgrade when appropriate—security that blocks innovation is just expensive bureaucracy.

Hidden Wisdom: Classification isn't permanent—it's risk management, and risk changes over time.

Handling Requirements: What Each Level Actually Means

Classification without handling requirements is useless. Here's what each level means in practice:

🌐 Public (Level 1)

  • Storage: Anywhere, including public repositories
  • Transmission: Unencrypted is acceptable (but HTTPS preferred)
  • Access: No restrictions
  • Disposal: Normal deletion
  • Example: This blog post, marketing materials, published policies

📁 Internal (Level 2)

  • Storage: Company systems only, basic access controls
  • Transmission: HTTPS/TLS required
  • Access: All employees by default
  • Disposal: Normal deletion (no special requirements)
  • Example: Team documentation, internal procedures, meeting notes

🔐 Confidential (Level 3)

  • Storage: Encrypted at rest, access controls required
  • Transmission: TLS 1.2+ with strong ciphers
  • Access: Need-to-know basis, role-based access control
  • Disposal: Secure deletion, overwrite data
  • Example: Business strategies, customer lists, financial forecasts

🔒 Secret (Level 4)

  • Storage: Encrypted at rest, HSM/Key Vault for keys
  • Transmission: TLS 1.3, mutual authentication where possible
  • Access: Specific roles only, MFA required, audit logging
  • Disposal: Cryptographic erasure, physical destruction of media
  • Example: Customer data (GDPR), financial records, source code, strategic plans

⚡ Extreme (Level 5)

  • Storage: HSM only, hardware-backed encryption, air-gapped where appropriate
  • Transmission: End-to-end encryption, out-of-band key exchange
  • Access: Minimal personnel, time-limited access, continuous monitoring
  • Disposal: HSM key destruction, physical media destruction with certificate
  • Example: Master encryption keys, root credentials, active security vulnerabilities
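As an added example that is not part of the original post or of Hack23's own tooling, the following Python models the per-dimension classification from the Key Insight above (one asset, three CIA levels) together with the handling requirements just listed, and reports which controls an asset still lacks. The confidentiality controls condense the list above; the integrity and availability rungs and all control names are constructed assumptions drawn from mistakes 3 and 4.

```python
from dataclasses import dataclass
LEVELS = ("Public", "Internal", "Confidential", "Secret", "Extreme")
DIMENSIONS = ("confidentiality", "integrity", "availability")

def rank(level: str) -> int:
    """Position on the five-level ladder; anything else is rejected outright."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)

# Controls that become mandatory at each rung, cumulative from Public upward.
# The confidentiality row condenses the handling requirements above; the
# integrity and availability rows are assumptions based on mistakes 3 and 4.
LADDER = {
    "confidentiality": [set(), {"tls"}, {"encrypted_at_rest", "rbac"},
                        {"mfa", "audit_log", "hsm_keys"}, {"time_limited_access"}],
    "integrity": [set(), {"version_control"}, {"change_review"},
                  {"audit_log"}, {"signed_changes"}],
    "availability": [set(), {"backup"}, {"tested_restore"},
                     {"redundancy"}, {"failover"}],
}

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, dimension: str) -> str:
        return getattr(self, dimension)

    def label(self) -> str:
        """The single marking for the asset: the highest of its three levels."""
        return max((self.level(d) for d in DIMENSIONS), key=rank)

def required_controls(asset: Asset) -> dict[str, set[str]]:
    """Per dimension, the union of every rung up to the asset's level."""
    return {d: set().union(*LADDER[d][: rank(asset.level(d)) + 1]) for d in DIMENSIONS}

def gaps(asset: Asset, implemented: set[str]) -> dict[str, list[str]]:
    """Controls the classification demands that are not yet in place."""
    return {d: sorted(need - implemented)
            for d, need in required_controls(asset).items() if need - implemented}

# Constructed sample: the marketing website from the "Key Insight" above,
# protected today by TLS, a git repository and a nightly backup.
WEBSITE = Asset("marketing-site", "Public", "Confidential", "Secret")
IN_PLACE = {"tls", "version_control", "backup"}
```

`gaps(WEBSITE, IN_PLACE)` reports nothing for confidentiality (the site is Public there) but flags the missing change review and the missing tested restore and redundancy, which is exactly the per-dimension separation the post argues for.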

The Business Case: Classification Enables Value

Good classification isn't just security compliance—it enables business value:

💡 Innovation Enablement

Clear classification lets teams work with appropriate data without excessive restrictions. Public and Internal data can flow freely—enabling collaboration.

Value: Faster development, better collaboration, reduced friction.

🤝 Customer Trust

Demonstrable data classification shows customers you take their data seriously. It's not theater—it's verifiable protection.

Value: Competitive advantage, customer confidence, easier sales.

⚖️ Compliance Efficiency

GDPR, HIPAA and SOC 2 all require data classification. Having it in place means compliance is documentation, not investigation.

Value: Faster certifications, reduced audit costs, lower compliance overhead.

🛡️ Focused Security Spending

Invest security resources where they matter. Extreme protection for Extreme data. Basic controls for Internal data.

Value: Better security ROI, reduced waste, appropriate risk management.

📊 Informed Decisions

Clear classification enables better risk decisions. Teams know the impact of data loss and can make appropriate tradeoffs.

Value: Better risk management, informed tradeoffs, strategic clarity.

Our Approach: Transparent Classification

At Hack23, our Classification Framework is public. Why?

  1. Accountability: You can verify we follow our own rules
  2. Trust: No security through obscurity—our process is open to scrutiny
  3. Education: Others can learn from and improve our approach
  4. Compliance: Auditors and customers can see our classification methodology
  5. Efficiency: Clear rules mean faster decisions and less guesswork

Our classification decisions are based on measurable impact, not organizational politics or vague feelings. Each classification includes:

  • Impact Assessment: What happens if confidentiality/integrity/availability is compromised?
  • Handling Requirements: Specific technical and procedural controls
  • Access Policies: Who needs access and why?
  • Review Schedule: When to reassess classification

See the full framework for detailed examples and templates.

The Bottom Line: Classify Based on Reality, Not Fear or Laziness

  1. Use exactly five levels—Public, Internal, Confidential, Secret, Extreme (the Law of Fives demands it)
  2. Consider the CIA Triad separately—a single piece of data can have different classifications for confidentiality, integrity, and availability
  3. Base classifications on actual impact—what happens if it's compromised, not vague feelings of "sensitivity"
  4. Enable business, don't block it—security that prevents work from happening is just expensive obstruction
  5. Be radically transparent—publish your framework, let people audit it, accept the scrutiny

Classification done right is security that enables business value—teams can work with appropriate data without excessive restrictions. Classification done wrong is either useless paranoia that labels everything secret, or negligent exposure that classifies nothing.

All hail Eris! And remember: The bureaucracy is expanding to meet the needs of the expanding bureaucracy. Don't let classification become bureaucratic theater where everything is "Confidential" just to be safe.

Final Hidden Wisdom: The coffee machine manual is not classified. If you think it is, you've already lost the plot.

— Hagbard Celine
Captain of the Leif Erikson
Product Owner, Hack23 AB

"Think for yourself, schmuck!"