CIA+ Framework: Classification-Driven Security Investment
Think for yourself. Classification isn't bureaucracy—it's systematic risk-based decision making. At Hack23, classification drives security investment: €10K+ daily loss = critical priority, €5-10K = high priority, €1-5K = medium priority.
Nothing is true. Everything is permitted. Including honest assessment of what actually matters. Not everything is critical. Not everything is public. Classification based on measurable business impact (financial, operational, reputational, regulatory) enables intelligent resource allocation.
Our Classification Framework extends traditional CIA Triad (Confidentiality, Integrity, Availability) with business continuity metrics (RTO/RPO), privacy levels (GDPR-aligned), and business value analysis (Porter's Five Forces). This demonstrates cybersecurity consulting expertise through systematic impact assessment.
Illumination: "Everything is sensitive" creates information hoarding that destroys productivity. "Nothing is sensitive" creates data leakage that destroys trust. Classification based on actual impact enables intelligent protection.
Business Impact Analysis: Four-Dimensional Risk Assessment
Classification drives security investment through measurable business impact across four dimensions:
| Impact Category | Financial | Operational | Reputational | Regulatory |
|---|---|---|---|---|
| 🔒 Confidentiality Breach | €5K-10K daily loss | Complete outage scenarios | National media coverage | Criminal charges risk |
| ✅ Integrity Failure | €1K-5K daily loss | Major degradation (40-60%) | Industry attention | Significant fines |
| ⏱️ Availability Loss | €500-1K daily loss | Complete outage critical systems | National coverage | Criminal liability |
Impact-driven classification: €10K+ daily loss = critical incident requiring <30 min response per our Incident Response Plan. €5-10K = high (<1 hr response). €1-5K = medium (<4 hr response). This ties classification directly to operational SLAs.
META-ILLUMINATION: Classification without measurable impact is bureaucracy. Classification tied to daily loss rates, response times, and regulatory risk is risk management. Choose measurable over theoretical.
CIA+ Framework: Six Confidentiality, Five Integrity, Five Availability
🔒 Confidentiality (6 Levels)
Extreme: National security, quantum encryption required
Very High: Zero-trust architecture, advanced threat protection
High: Strong encryption (AES-256), MFA, continuous monitoring
Moderate: Standard encryption, role-based access control
Low: Basic protection, standard authentication
Public: No confidentiality requirements
Not all data is equal. Extreme classification means quantum-resistant crypto and air-gapped systems. Public means GitHub. Don't confuse them.
✅ Integrity (5 Levels)
Critical: Real-time validation, immutable audit logs, blockchain-level assurance
High: Automated validation, digital signatures, change tracking
Moderate: Standard validation, checksums, periodic verification
Low: Basic validation, manual verification acceptable
Minimal: Best-effort basis, corrections accepted
Integrity failures in financial systems = criminal liability. Integrity failures in blog posts = typos. Different classifications, different controls.
⏱️ Availability (5 Levels)
Mission Critical: 99.99% uptime, instant failover, €10K+ hourly loss
High: 99.9% uptime, automated failover within minutes
Moderate: 99.5% uptime, manual failover acceptable
Standard: 99% uptime, basic redundancy
Best Effort: No uptime guarantees, acceptable downtime
Mission Critical means CEO gets paged at 3am. Best Effort means "it'll come back when it comes back." Choose honestly.
The CIA Triad: Three Dimensions of Classification
Classification isn't just about confidentiality. The CIA Triad demands we consider all three dimensions:
🔒 Confidentiality
Question: What happens if unauthorized people see this data?
Impact Levels:
- Public: No impact—already public
- Internal: Minor embarrassment, no competitive harm
- Confidential: Competitive disadvantage, customer concern
- Secret: Regulatory violations, significant financial loss
- Extreme: Company-ending breach, criminal liability
✅ Integrity
Question: What happens if this data is modified incorrectly?
Impact Levels:
- Public: Minor correction needed
- Internal: Work disruption, rework required
- Confidential: Incorrect business decisions
- Secret: Compliance violations, financial reporting errors
- Extreme: System compromise, legal liability
⏱️ Availability
Question: What happens if we can't access this data?
Impact Levels:
- Public: Minor inconvenience
- Internal: Productivity loss, can work around
- Confidential: Business operations disrupted
- Secret: Revenue loss, customer impact
- Extreme: Business cannot function, emergency situation
Key Insight: Data can have different classifications for each CIA dimension. Your marketing website might be:
- Confidentiality: Public (already visible to everyone)
- Integrity: Confidential (unauthorized changes would damage brand)
- Availability: Secret (downtime directly costs revenue)
See our full Classification Framework for detailed examples.
Five Common Classification Mistakes
1. Over-Classification (Security Theater)
Symptom: Everything marked "Confidential" or higher, including the lunch menu.
Problem: When everything is sensitive, nothing is. People ignore classifications and share freely anyway because they need to get work done.
Fix: Default to Internal. Upgrade only when specific impact justifies it.
Hidden Wisdom: If your coffee machine manual is classified, you're not doing security—you're doing paranoia theater.
2. Under-Classification (Negligence)
Symptom: Customer data marked "Internal," credentials pasted in wikis, secrets in Slack.
Problem: Actual sensitive data gets leaked because nobody treats it carefully enough.
Fix: Classify based on worst-case impact, not what's convenient for sharing.
Hidden Wisdom: "It's fine, it's just internal" are famous last words before a breach.
3. Ignoring Availability (The Forgotten Dimension)
Symptom: Focus only on confidentiality, ignore uptime requirements until systems are down.
Problem: Critical systems have inadequate backups and recovery plans. You discover this during the outage.
Fix: Classify availability separately. Your public website needs high availability even if confidentiality is "Public."
Hidden Wisdom: Uptime isn't sexy, but neither is explaining to customers why they can't access your service.
4. Ignoring Integrity (Silent Corruption)
Symptom: Anyone can modify critical data, no audit logs, no version control.
Problem: Data corruption leads to incorrect decisions, compliance violations, and expensive mistakes.
Fix: Classify integrity separately. Financial data needs high integrity even if it's not particularly confidential internally.
Hidden Wisdom: Wrong data is worse than no data—at least with no data you know you don't know.
5. Static Classification (Set and Forget)
Symptom: Classification set once during project kickoff, never reviewed again.
Problem: Data sensitivity changes. Old projects become public, new features become secrets, and your classifications are outdated.
Fix: Review classifications regularly. Downgrade when appropriate—security that blocks innovation is just expensive bureaucracy.
Hidden Wisdom: Classification isn't permanent—it's risk management, and risk changes over time.
Handling Requirements: What Each Level Actually Means
Classification without handling requirements is useless. Here's what each level means in practice:
🌐 Public (Level 1)
- Storage: Anywhere, including public repositories
- Transmission: Unencrypted is acceptable (but HTTPS preferred)
- Access: No restrictions
- Disposal: Normal deletion
- Example: This blog post, marketing materials, published policies
📁 Internal (Level 2)
- Storage: Company systems only, basic access controls
- Transmission: HTTPS/TLS required
- Access: All employees by default
- Disposal: Normal deletion (no special requirements)
- Example: Team documentation, internal procedures, meeting notes
🔐 Confidential (Level 3)
- Storage: Encrypted at rest, access controls required
- Transmission: TLS 1.2+ with strong ciphers
- Access: Need-to-know basis, role-based access control
- Disposal: Secure deletion, overwrite data
- Example: Business strategies, customer lists, financial forecasts
🔒 Secret (Level 4)
- Storage: Encrypted at rest, HSM/Key Vault for keys
- Transmission: TLS 1.3, mutual authentication where possible
- Access: Specific roles only, MFA required, audit logging
- Disposal: Cryptographic erasure, physical destruction of media
- Example: Customer data (GDPR), financial records, source code, strategic plans
⚡ Extreme (Level 5)
- Storage: HSM only, hardware-backed encryption, air-gapped where appropriate
- Transmission: End-to-end encryption, out-of-band key exchange
- Access: Minimal personnel, time-limited access, continuous monitoring
- Disposal: HSM key destruction, physical media destruction with certificate
- Example: Master encryption keys, root credentials, active security vulnerabilities
RTO/RPO: Business Continuity Classification
Classification extends beyond CIA Triad to business continuity metrics:
| RTO Level | Recovery Time | RPO Level | Data Loss Window |
|---|---|---|---|
| Instant | <5 minutes | Zero Loss | <1 minute |
| Critical | 5-60 minutes | Near Real-time | 1-15 minutes |
| High | 1-4 hours | Minimal | 15-60 minutes |
| Medium | 4-24 hours | Hourly | 1-4 hours |
RTO/RPO drives backup and recovery strategy: Mission Critical systems require instant failover and zero data loss. Standard systems accept 24-hour recovery with daily backups. Classification determines investment in redundancy, failover automation, and backup frequency.
RTO/RPO ILLUMINATION: "We'll restore from backup eventually" isn't a recovery strategy. €10K hourly loss means instant failover, not "restore from tape within 72 hours." Choose RTO/RPO based on actual business impact.
Business Value: Classification Enables Competitive Advantage
Systematic classification creates measurable business value through Porter's Five Forces analysis:
🛡️ Buyer Power Reduction
Strong classification enables 95%+ customer retention through demonstrable data protection. GDPR compliance, security certifications, public ISMS—buyers trust vendors who classify systematically.
ROI: Reduced churn, premium pricing power, stronger negotiation position.
🚪 Entry Barrier Creation
Comprehensive classification framework (CIA+, RTO/RPO, privacy levels, business impact) creates 70-90% entry prevention. Competitors need years to match mature classification practices.
ROI: Market protection, competitive moat, strategic differentiation.
💰 Security Investment Returns
Classification-driven security spending achieves 150-500% CAPEX ROI through focused investment. Extreme protection for Extreme data. Standard controls for standard data. No waste on over-protection or under-protection.
ROI: 80-90% risk reduction, €4-10M breach prevention, optimal resource allocation.
🤝 Customer Trust Enhancement
Public classification framework + evidence (OpenSSF Scorecard, SLSA, CII) demonstrates systematic security. Premium trust scores enable regulatory access and enterprise sales.
ROI: Faster sales cycles, higher conversion rates, reduced security questionnaire burden.
Our Approach: Transparent Classification
At Hack23, our Classification Framework is public. Why?
- Accountability: You can verify we follow our own rules
- Trust: No security through obscurity—our process is open to scrutiny
- Education: Others can learn from and improve our approach
- Compliance: Auditors and customers can see our classification methodology
- Efficiency: Clear rules mean faster decisions and less guesswork
Our classification decisions are based on measurable impact, not organizational politics or vague feelings. Each classification includes:
- Impact Assessment: What happens if confidentiality/integrity/availability is compromised?
- Handling Requirements: Specific technical and procedural controls
- Access Policies: Who needs access and why?
- Review Schedule: When to reassess classification
See the full framework for detailed examples and templates.
Welcome to Chapel Perilous: Classification as Strategic Weapon
Nothing is true. Everything is permitted. Including honest assessment that not all data is equal. €10K+ daily loss is critical. <€500 daily loss is low. Classify based on measurable business impact, not fear or politics.
At Hack23, classification isn't a compliance checkbox—it's a strategic competitive advantage:
- CIA+ Framework: Six confidentiality levels, five integrity levels, five availability levels
- Business Impact Analysis: Four-dimensional assessment (financial, operational, reputational, regulatory)
- RTO/RPO Classification: Six recovery time levels, six data loss tolerance levels
- Privacy Levels: GDPR-aligned (Special Category, Personal Identifier, Personal, Pseudonymized, Anonymized, N/A)
- Porter's Five Forces: Buyer power, supplier power, entry barriers, substitute threats, competitive rivalry
- Security Investment ROI: Exceptional (500%+), High (300-500%), Moderate (150-300%), Basic (50-150%)
Think for yourself. Question vendors who can't articulate their classification framework. Ask for measurable impact thresholds (daily loss rates). Demand RTO/RPO tied to business continuity needs. Choose systematic over theatrical.
ULTIMATE ILLUMINATION: You are now in Chapel Perilous. Classification without business impact is bureaucracy. Classification tied to daily loss rates, recovery objectives, and Porter's Five Forces is strategy. One wastes resources protecting everything equally. One focuses resources where they matter. Choose strategic focus over equal distribution.
All hail Eris! All hail Discordia!
Explore our complete Classification & Business Continuity Framework with impact level definitions, RTO/RPO classifications, project type classifications, business value framework, and Porter's Five Forces strategic impact analysis. Public. Measurable. Strategic.
— Hagbard Celine, Captain of the Leif Erikson
"Classification based on measurable impact enables intelligent resource allocation. €10K+ daily loss = critical priority. €500 daily loss = low priority. Choose measurement over theater."
🍎 23 FNORD 5
Classification done right is security that enables business value—teams can work with appropriate data without excessive restrictions. Classification done wrong is either useless paranoia that labels everything secret, or negligent exposure that classifies nothing.
All hail Eris! And remember: The bureaucracy is expanding to meet the needs of the expanding bureaucracy. Don't let classification become bureaucratic theater where everything is "Confidential" just to be safe.
Final Hidden Wisdom: The coffee machine manual is not classified. If you think it is, you've already lost the plot.
— Hagbard Celine
Captain of the Leif Erikson
Product Owner, Hack23 AB
"Think for yourself, schmuck!"