Dr. Mann here. For those of you who don't know, in real life I work in the United States intelligence community (nothing terribly exciting or interesting, mind). I thought I'd share some (unclassified) bits from that. This is going to be more about basic philosophy and doctrine than anything else (for obvious reasons). If you have any questions regarding specific practices in the intelligence community, please direct your questions to the NSA. I'm sure they'd love to talk to you.
Now, first off, there are two factors on whether or not you have access to classified information. The first, and the one you're familiar with, is your clearance. So, if the information is classified Secret, and you're only cleared up to Confidential, you're not getting a peek until that changes (except in extraordinary circumstances; and that entails a lot of paperwork afterwards). The second is need-to-know. You've probably heard the phrase. What it means is that, while you might have the clearance to access a document, if you aren't considered to have a need-to-know, you don't get access to it. For example, I have a Top Secret clearance. That's the highest actual classification. But that doesn't mean I can just go waltzing into a secured facility and go rummaging through their documents to see what I might see. I'm generally limited to information that directly relates to my job.
Now, there's another aspect to the way classified information is handled. Categories of classified information are placed into special access programs. Getting access to one of these will generally require a separate briefing (and maybe even another background check, on top of the one you got to receive your clearance) to access that information. For example, let's say you were working on a warblimp. Now, most people only know that your warblimp can detect the presence of trebuchets. However, the way it detects trebuchets is Top Secret. As well, unbeknownst to anyone else, your warblimp is also capable of finding enemy marmots. It's obviously important to keep that information secret, so that the enemy doesn't suspect you're using their marmots to find them. So, your warblimp's capabilities become part of a special access program. To be able to access it, you have to be read into the program for that warblimp's program. Security programs have names, generally ones that have nothing to do with their actual function (just like code names for missions and the like) Once you're read into Pop Magic, you can learn what the warblimp is capable of, vital in doing your duty to defend the homeland from marmots.
Then there's what we call OPSEC, or Operations Security. OPSEC is taking care not to let the enemy get too much information. Even non-classified information can be harmful. For example, when I deploy, I'm not going to be giving much notice. It's not classified, but it could be useful to an enemy. Also, even unclassified details about a weapons platform (like a plane or a ship) can give the enemy more information than we want him to have. A pilot got in trouble a few years for talking about his flights on the F-23. The information was unclassified, but it was still information we'd prefer remained with us. Private Snafu can give us a look at how these little details can come together for the enemy.
So, let's think about how this would work with the Foundation. Well, first off, talking about anything Foundation related would be both poor OPSEC and likely a breach of classified information. You can see how that goes. Even relatively harmless details ("Oh, Istanbul? I'm heading there next week. Why? Oh, just business stuff.") can be harmful in the right hands. Say the CI has figured out that you're a researcher for the Foundation. Now they know the Foundation is operating in Istanbul (but not Constantinople; that would be silly). I imagine when Agents go out drinking, they go in groups. That way, if someone screws up and starts talking about the wrong things, the others can shut him up and get him home.
For classification levels, I imagine they'd simply use the security levels. Basic information about the Foundation would be at security level 1, moving up until you reached level four. In addition, there would be different programs and types of classified information. A particular SCP might even have its own security program, or they might have a program for a broad type of SCPs ("Now you've been read into Stormy Weather, our anomalous infections program."). You'd be read into whatever programs related to your job. If you were in charge of computer systems, you would only be read into those programs related to Foundation computer security. You wouldn't be read into Unmitigated Warrior, SCP-098's security program.
Information on the capacities of the CI, GOC, and other such groups would be limited to those who actually deal with them. Others might get a general security brief on where they're operating, and some of the general hazards, but they wouldn't need to know that the CI's purchased a T-55. After all, if that gets back to the CI, they're going to wonder how we knew about the tank, and maybe find out that Sub-Commander Biff isn't as loyal to them as they thought, which costs us that channel of information.
Now, you're welcome to ignore as much of this as you like. There's no canon. Certainly, I don't really advise you to make all the code names random (I love me some MTF names). But I advise you, when you write a story, to at least think about whether or not your character needs to know about something. If it's vital to the story, then by all means carry on. But if you can work it in another way, why not try? It could make for a more interesting complication in the story. A character going after something they know intimately is a lot less dramatic than a character going after something they know nothing about (because no one expected them to encounter it, and they didn't have need-to-know). And hey, sometimes having the characters jump through the proper hoops can make a story feel more real (though not, of course, to the point where it bogs down the story).
Anyway, I hope people find this helpful.