Example Completed Data Classification Table
Updated over a year ago

Labeling data is a critical activity within certain frameworks, such as ISO 27001. However, these frameworks usually leave it up to each organization to decide exactly how data should be labeled. Within Drata’s Data Classification Policy template, we provide a table to develop your strategy for labeling data. Each type of data is contained in a row of the table in bold text, and each column of that row is a classification level for that type of data. The first row of a data type lists the specific controls that must be in place for that data type at each classification level. The next row defines how you intend to apply labels to that data type at each level of classification.

For example, Email is broken up into four classification levels: Restricted, Confidential, Internal Use, and Public. In the labeling row under Email, you would define the label you want to apply when emails contain specific types of data:

  • Emails containing Restricted Data: “‘Restricted’ must appear in the Subject Line of the email.”

  • Emails containing Confidential Data: “‘Confidential’ must appear in the Subject Line of the email.”

  • Emails containing Internal Use Data or Public Information: “No Label Required.”

You are not required to apply a label at every level of data classification or even for every type of data. For example, the first row of the NDA data type explains which classification levels require an NDA and who must sign an NDA. Likely, you only have one relevant non-disclosure agreement. Because of this, labeling is not required for the NDA data type. To illustrate this in the table below, the labeling row has been changed to “No Label Required” for the NDA data type.

While you may choose not to label specific data types, you do have to define your approach to labeling and the types/classifications of data you want to apply data labels to. To assist with this, we have provided an example of how to complete this table below. This example is for illustrative purposes only; you may elect to apply labels in a different way, or apply labels to more or fewer of the types and classifications of data than we have in this example.

Note: Labeling is also not required for SOC 2. If you are only working towards SOC 2, you may choose to delete the labeling rows entirely.

HANDLING CONTROLS PER DATA CLASSIFICATION

| Handling Controls | Restricted | Confidential | Internal Use | Public |
| --- | --- | --- | --- | --- |
| **Non-Disclosure Agreement (NDA)** | Required prior to access by non-[COMPANY NAME] employees | Recommended prior to access by non-[COMPANY NAME] employees | Not Required | Not Required |
| Labeling | No Label Required | No Label Required | No Label Required | No Label Required |
| **Internal Network Transmission (wired & wireless)** | Encryption Required; Instant Messaging Prohibited; FTP Prohibited | Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited | No Requirements | No Requirements |
| Labeling | No Label Required | No Label Required | No Label Required | No Label Required |
| **External Network Transmission (wired & wireless)** | Encryption Required; Instant Messaging Prohibited; FTP Prohibited; Remote Access if Necessary (only with VPN and two-factor authorization when possible) | Encryption Required; Instant Messaging Prohibited; FTP Prohibited | Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited | No special requirements |
| Labeling | Content of the message must indicate that it contains Restricted information and is not to be shared. | Content of the message must indicate that it contains Confidential information and may only be shared with authorized recipients. | Content of the message must indicate that it contains Internal Use information and may only be shared with personnel of <Company Name> or authorized recipients. | No Label Required |
| **Data at Rest (file servers, databases, archives, etc.)** | Encryption Required; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Individuals | Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups | Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups | Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups |
| Labeling | Asset Inventory must label the resource as “Restricted”. | Asset Inventory must label the resource as “Confidential”. | Asset Inventory must label the resource as “Internal Use”. | Asset Inventory must label the resource as “Public”. |
| **Mobile Devices (iPhone, iPad, USB Drive, etc.)** | Encryption Required; Remote Wipe Enablement Required, if possible | Encryption Required; Remote Wipe Enablement Required, if possible | Encryption Recommended; Remote Wipe Enablement Recommended, if possible | No Requirements |
| Labeling | Must have a physical asset tag indicating the asset ID and the statement “Property of <Company Name>.” Asset Inventory must label the resource as “Restricted”. | Asset Inventory must label the resource as “Confidential”. | Asset Inventory must label the resource as “Internal Use”. | No Label Required |
| **Email (with and without attachments)** | Encryption Required; Do Not Forward | Encryption Recommended; Do Not Forward | Encryption Recommended; Do Not Forward | No Requirements |
| Labeling | “Restricted” must appear in the Subject Line of the email. | “Confidential” must appear in the Subject Line of the email. | No Label Required | No Label Required |
| **Physical Mail** | Mark “Open by Addressee Only”; Use Courier or “Certified Mail” and Sealed, Tamper-Resistant Envelopes for External Mailings | Mark “Open by Addressee Only”; Use “Certified Mail” and Sealed, Tamper-Resistant Envelopes for External Mailings | Mail with Company Interoffice Mail; US Mail or Other Public Delivery Systems | No Requirements |
| Labeling | Mark “Open by Addressee Only”. | Mark “Open by Addressee Only”. | No Label Required | No Label Required |
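The Email row above (the same row the introduction walks through) is the one most organizations end up enforcing mechanically, in a DLP rule or a mail-flow hook. As an added example that is not Drata's code or part of the template, here is that row expressed as policy-as-code: the handling controls and the labeling rule per classification level, plus a checker that reports hard failures ("Required", "Do Not Forward") separately from unmet "Recommended" controls. The field names, the sample messages and the matching rule (a case-insensitive substring match on the subject line) are assumptions made for this example.

```python
# Added example (not Drata's code): the Email row of the handling-controls
# table as policy-as-code. Field names, sample messages and the subject-line
# matching rule are assumptions made for this illustration.
from dataclasses import dataclass, field

# Email row of the table, one entry per classification level.
EMAIL_POLICY = {
    "Restricted":   {"encryption": "required",    "forwarding": False, "label": "Restricted"},
    "Confidential": {"encryption": "recommended", "forwarding": False, "label": "Confidential"},
    "Internal Use": {"encryption": "recommended", "forwarding": False, "label": None},
    "Public":       {"encryption": "none",        "forwarding": True,  "label": None},
}


@dataclass
class Email:
    classification: str
    subject: str
    encrypted: bool
    is_forward: bool = False   # message is a forward of an earlier email


@dataclass
class Result:
    violations: list[str] = field(default_factory=list)   # "Required"/"Prohibited" controls not met
    advisories: list[str] = field(default_factory=list)   # "Recommended" controls not applied

    @property
    def compliant(self) -> bool:
        return not self.violations


def check_email(msg: Email) -> Result:
    """Evaluate one message against the Email row for its classification."""
    result = Result()
    rule = EMAIL_POLICY.get(msg.classification)
    if rule is None:
        result.violations.append(f"unknown classification: {msg.classification!r}")
        return result

    # Labeling row: the level name must appear in the subject line
    # (case-insensitive substring match; an assumption for this example).
    label = rule["label"]
    if label is not None and label.lower() not in msg.subject.lower():
        result.violations.append(f'"{label}" must appear in the subject line')

    # Handling-controls row: encryption and forwarding.
    if rule["encryption"] == "required" and not msg.encrypted:
        result.violations.append("encryption required")
    elif rule["encryption"] == "recommended" and not msg.encrypted:
        result.advisories.append("encryption recommended")
    if not rule["forwarding"] and msg.is_forward:
        result.violations.append("do not forward")
    return result


# Constructed sample messages, one per outcome the checker can produce.
SAMPLES = {
    "ok_restricted": Email("Restricted", "[Restricted] Q3 payroll export", encrypted=True),
    "unlabeled_restricted": Email("Restricted", "Q3 payroll export", encrypted=False),
    "forwarded_confidential": Email("Confidential", "Confidential: vendor contract",
                                    encrypted=True, is_forward=True),
    "plain_internal": Email("Internal Use", "Lunch menu", encrypted=False),
    "public": Email("Public", "Press release", encrypted=False, is_forward=True),
}


def audit(samples: dict[str, Email] = SAMPLES) -> dict[str, Result]:
    """Run the check over a batch and return results keyed by sample name."""
    return {name: check_email(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, res in audit().items():
        status = "OK" if res.compliant else "FAIL"
        print(f"{status:4} {name}: violations={res.violations} advisories={res.advisories}")
```

Keeping violations and advisories apart mirrors the table's own vocabulary: a "Required" or "Do Not Forward" control is something a mail gateway can block on, while a "Recommended" control is better surfaced to the sender or a reviewer than enforced. The same dictionary shape extends to the other rows (for example the Asset Inventory labels for Data at Rest), which keeps the policy text and the enforcing code reading from one source.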
