The following article contains guidance explaining portions of the Data Classification Policy that we frequently see questions around, explaining what the sections mean.

Guidance statements will appear in bold and enclosed in brackets “[]” below the statements of the policy.

______________________________________________________________________

This policy will assist employees and other third-parties with understanding [COMPANY NAME]’s information labeling and handling guidelines. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect sensitive or confidential information (e.g., company confidential information should not be left unattended in conference rooms).

This policy applies to all information owned, managed, controlled, or maintained by [COMPANY NAME] Information covered in this policy includes, but is not limited to, information that is received, stored, processed, or transmitted via any means. This includes electronic, hardcopy, and any other form of information regardless of the media on which it resides.

<ROLES AND RESPONSIBILITIES>

[Additional guidance on what roles and responsibilities to list in this policy can be found here: https://help.drata.com/en/articles/5829670-roles-and-responsibilities-guidance. To use that article, you should list the answer to each question here as a role. For example: “Who is responsible for updating, reviewing, and maintaining this policy?” may become “The CISO is responsible for updating, reviewing, and maintaining this policy.”]

[If you adjust the names of the data classification levels, you should update these definitions accordingly.]

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to [COMPANY NAME] should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of the three following classifications.

[If you change the levels of classification, you may need to adjust this portion of the above paragraph “...one of the three following classifications.” This section just details that data will be classified based on its importance which determines the level of security to be applied.]

Data should be classified as Restricted or Confidential when the unauthorized disclosure, alteration, or destruction of that data could cause a serious or significant level of risk to [COMPANY NAME] or its customers. Examples of sensitive data include data protected by state or federal privacy regulations (e.g. PHI & PII) and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted and Confidential Data:

[You may change who authorized these disclosures to replace the Security Officer, but there should be some level of authorization prior to disclosing your most sensitive classifications of data.]

[This section can be edited if you choose to add or remove data classification levels. But this section is explaining that the most sensitive data has the most security controls applied to it.]

Data should be classified as Internal Use when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to [COMPANY NAME] or its customers. This includes proprietary, ethical, or privacy considerations. Data must be protected from unauthorized access, modification, transmission, storage or other use. This applies even though there may not be a civil statute requiring this protection. Internal Use Data is restricted to personnel who have a legitimate reason to access it. By default, all data that is not explicitly classified as Restricted/Confidential or Public data should be treated as Internal Use data. A reasonable level of security controls should be applied to Internal Use Data.

[This section can be edited if you choose to add or remove data classification levels. Internal Use Data is listed as the default sensitivity level all unlabeled data is classified as, if you change data classification levels, you should still maintain a level of sensitivity which all data without an explicit label is classified as.]

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to [COMPANY NAME] and its customers. It is further defined as information with no existing local, national, or international legal restrictions on access or usage. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized alteration or destruction of Public Data.

[This section can be edited if you choose to add or remove data classification levels. You should still have a classification level for data which only requires a small number of controls protecting it.]

[COMPANY NAME] will de-identify data as a tool to remove personal information from data that it collects, uses, archives, and shares with other organizations. The de-identification process will allow the removal of direct identifiers, including all unique identifying numbers, characteristics, or codes. If a data set contains any amount or type of personal information, it will not be considered de-identified.

[This section is just explaining that when sharing data externally with other organizations, any information which may identify the customer will be removed prior to sharing that data with the external organizations.]

The goal of information security, as stated in the Information Security Policy, is to protect the confidentiality, integrity, and availability of Corporate and Customer Data. Data classification reflects the level of impact to [COMPANY NAME] if confidentiality, integrity, or availability is compromised.

If a classification is not inherently obvious, consider each security objective using the following table as a guide. All data will be assigned one of the following four sensitivity levels.

CLASSIFICATION LEVELS

[These levels can be adjusted as needed, they should however be based on the impact of their unauthorized disclosure as indicated by the column on the right.]

HANDLING CONTROLS PER DATA CLASSIFICATION

[​​For the labeling rows, those are the labels you want to apply to different types of data at different sensitivity/classification levels. Each labeling row will apply to each data type and classification level. And in those rows, you write how you want to label each particular type/classification of data. So Email would have 4 cells/values for Restricted, Confidential, Internal Use, and Public.

So for Restricted Email you may write: "Restricted must appear in the Subject Line of the email"

Confidential Email may have: "Confidential must appear in the Subject Line of the email"

Internal Use and Public may be listed as "No label applied"

You don't have to apply labels to every type of data and classification level, so you may not apply labels to Network Transmissions for example.

For the NDAs, the handling controls are more towards when an NDA is required (prior to handling confidential or restricted data) but you may want to apply a separate label to different types of NDAs. If you only have a single NDA though, it may be irrelevant.]