Document classification and security is an important issue for businesses and governments.
Information is exchanged between users and organizations that collaborate to pursue a business goal. Where sensitive information is involved, it is assumed that the parties will have agreed what information is sensitive and how such information will be identified and handled. Any recipient of a resource will rely upon the provider of the information to follow the agreed procedures to identify the sensitivity of the information.
LibreOffice provides standardized means for such sensitivity information to be expressed and may be used between parties if interoperable systems are to be implemented. It provides a set of standard “fields” that can be used to hold sensitivity information. It does not attempt to define what the contents of these “fields” should be. This approach is an improvement upon the only alternative that exists at the moment, which is for the provider to use an arbitrary means to express sensitivity that may not be useful to a recipient.
While this standard has been developed with the intent that it would be applicable in any domain of activity, LibreOffice retained the aerospace and defense industry nomenclature and categories, where sensitivity marking results from national security, export control and intellectual property policies.
LibreOffice implemented the open standards produced by TSCP (Transglobal Secure Collaboration Participation, Inc.) independent of a specific vendor. Two of them are interesting:
Business Authentication Framework (BAF) specifies how to describe the existing policy (which is probably some legal text) in a machine-readable format.
Business Authorization Identification and Labeling Scheme (BAILS) specifies how to refer to such a BAF policy in a document. The concepts in BAILS are so generic that they can be applied to any format that supports document-level user-defined properties.
The default BAF categories for LibreOffice are listed below.
Only the Intellectual Property category modifies the layout of the document, adding a watermark, fields in the header and footer, and an information bar on top of the document area. Each item inserted in the document is controlled by the classification configuration file.
Intellectual property is a generic term for the nature of the contents of the document. Select this category for general purpose document classification.
Selects the category of this document for the national security policy type. The selected category is saved together with the document as BAILS metadata in the file properties, and no modification is made to the document layout or the user interface.
Selects the category of this document for the export control policy type. The selected category is saved together with the document as BAILS metadata in the file properties, and no modification is made to the document layout or the user interface.
Refer to your corporate data security policy and information security officers for support in document classification.
Default levels of classification
LibreOffice provides default levels of document classification (BAILS) shown below, sorted by increasing level of business sensitivity:
Non-Business: Information in the document has no impact on the business if made public.
General Business: Minor impact. Information has an impact on the business and can cause embarrassment or minor damage to brand image if made public.
Confidential: Modest impact. Disclosed information can damage the business brand and can generate negative media coverage and loss of revenue.
Internal use only: Major damage. Negative national media coverage, lawsuits, fines, long-term brand damage.
Customizing classification levels.
LibreOffice allows customization of the levels of classification for your business. To customize the number and the name of the levels, copy the file example.xml located in into a local folder and edit the contents.
Use the file with your LibreOffice locale in the name as an example.
Save the file and make the appropriate changes to the classification path above to access the file.
Your system administrator can place the file in a network folder and have all users access the classification settings file from there.
Pasting contents in documents with different levels of classification.
To prevent a breach of the security policy, pasting contents with a higher classification level into a document with a lower classification level is not allowed. LibreOffice will display a warning message whenever it detects that the contents of the clipboard have a higher security classification than the target document.
The Classification bar contains tools to help secure document handling.
The Classification toolbar contains listboxes to help in selecting the security of the document, according to the BAF category policy and BAILS levels. LibreOffice will add custom fields in the document properties ( , Custom Properties tab) to store the classification policy as document metadata.
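The following added example (not LibreOffice code and not part of the original help page) shows how an auditing or DLP script could read the classification custom properties from a saved ODF file and apply a simplified version of the paste rule described above. The urn:bails: property names, the integer impact levels, the "ExampleScale" value and the helper names are assumptions that do not appear on this page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

META_NS = "urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
PREFIX = "urn:bails:"  # assumed prefix of the BAILS custom properties
LEVEL = "Impact:Level:Confidentiality"  # assumed property names
SCALE = "Impact:Scale"

def bails_properties(odf_bytes):
    """Return {policy_type: {property: value}} read from meta.xml of an ODF file."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as archive:
        # For untrusted files, parse with a hardened XML parser (e.g. defusedxml).
        root = ET.fromstring(archive.read("meta.xml"))
    found = {}
    for el in root.iter(f"{{{META_NS}}}user-defined"):
        name = el.get(f"{{{META_NS}}}name", "")
        if name.startswith(PREFIX):
            policy, _, prop = name[len(PREFIX):].partition(":")
            found.setdefault(policy, {})[prop] = (el.text or "").strip()
    return found

def paste_allowed(source, target, policy="IntellectualProperty"):
    """Simplified paste rule: content may not flow to a lower classification."""
    src, dst = source.get(policy), target.get(policy)
    if not src:
        return True    # unclassified content can go anywhere
    if not dst or src.get(SCALE) != dst.get(SCALE):
        return False   # unclassified target or incomparable scales: fail closed
    try:
        return int(src[LEVEL]) <= int(dst[LEVEL])
    except (KeyError, ValueError):
        return False   # missing or malformed level: fail closed

def make_sample(name, level):
    """Constructed sample: a zip holding only meta.xml, not a complete ODF file."""
    props = {"BusinessAuthorizationCategory:Name": name,
             SCALE: "ExampleScale", LEVEL: str(level)}
    body = "".join(
        f'<meta:user-defined meta:name="{PREFIX}IntellectualProperty:{k}">{v}'
        "</meta:user-defined>" for k, v in props.items())
    meta = (f'<office:document-meta xmlns:office="{OFFICE_NS}" '
            f'xmlns:meta="{META_NS}"><office:meta>{body}</office:meta>'
            "</office:document-meta>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("meta.xml", meta)
    return buf.getvalue()
```

Because the classification lives only in document metadata, a check like this reports what the file claims about itself; it does not prove the contents were labeled correctly.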