Let’s put a first cat among the pigeons: let’s talk about the categorization of information.
We agree that categorizing information means evaluating it, that is to say assigning it a value on a pre-established measurement scale, according to security criteria. The measurement scale depends on the organization and may be inspired by industry standards (NIST, FIPS…). One thing holds regardless: the value of information to an entity depends on the impact the entity would suffer if the security criteria for that information were compromised. We therefore know, for example, which information is very important, moderately important, less important or unimportant. That is general vocabulary; each organization adopts its own vocabulary to rank information against the security attributes, taking its own specificities into account.
First cat: a categorization should not lead directly to the definition of security measures, as we unfortunately sometimes see, unless a risk matrix has shown that, for a given value of the information, the entity incurs a risk of a certain severity regardless of the risk scenarios and regardless of the context.
Let’s dare two analogies. Analogy number one: a person has in his possession an object of great value, a diamond for example. Should he, in every circumstance, put this diamond in a safe to protect it from thieves? If he is alone on a desert island, does he need to put his diamond in a safe, which moreover costs a non-negligible part of the diamond’s value? Analogy number two: to protect his health, should a person automatically take medication, without even having had a health checkup, on the pretext that his health is of great value to him?
What do these two analogies show? That it is not only the value of the asset that determines the protections to be provided for it. To determine the protection to be provided, a risk analysis is necessary, however brief. In analogy number one, that risk analysis would have consisted, put simply, of identifying the threats and taking the environmental context into account; in analogy number two, it would have been the health checkup.
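To make the diamond analogy concrete, here is an added example (my own code, not from the post) that contrasts the shortcut the post warns against with a brief risk analysis. The 4x4 risk matrix, the likelihood-to-probability mapping, the diamond's value and the safe's cost are all assumed figures chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Assumed annual probability that the threat materialises, per likelihood level.
PROBABILITY = {Level.NONE: 0.0, Level.LOW: 0.05, Level.MODERATE: 0.25, Level.HIGH: 0.6}


@dataclass
class Asset:
    name: str
    value: float   # what the entity stands to lose
    impact: Level  # the categorization result on the entity's scale


@dataclass
class Control:
    name: str
    cost: float
    residual_likelihood: Level  # likelihood left once the control is in place


def severity(impact: Level, likelihood: Level) -> Level:
    """Assumed risk matrix: bucket the product of impact and likelihood."""
    score = impact * likelihood
    if score == 0:
        return Level.NONE
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MODERATE
    return Level.HIGH


def value_only_decision(asset: Asset) -> bool:
    """The shortcut: the categorization alone dictates the control."""
    return asset.impact >= Level.HIGH


def risk_based_decision(asset: Asset, control: Control, threat_likelihood: Level,
                        tolerated: Level = Level.LOW) -> bool:
    """Adopt the control only if contextual risk exceeds the tolerated level
    and the expected loss it avoids outweighs its cost."""
    if severity(asset.impact, threat_likelihood) <= tolerated:
        return False  # desert island: no threat, no safe needed
    avoided_loss = asset.value * (PROBABILITY[threat_likelihood]
                                  - PROBABILITY[control.residual_likelihood])
    return avoided_loss > control.cost
```

With a diamond categorized HIGH, the value-only rule buys the safe everywhere, while the risk-based rule buys it in a city (threat HIGH) but not on the desert island (threat NONE).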