Example Completed Data Classification Table

Labeling data is a critical activity within certain frameworks, such as ISO 27001. However, these frameworks usually leave it up to an individual organization on “how” exactly data should be labeled. Within Drata’s Data Classification Policy template, we provide a table to develop your strategy for labeling data. Each type of data is contained in a row of the table in bold text. Each column of that row will be the classification level for each type of data. The first row of a data type lists out what specific controls must be in place for a given data type and data classification level. The next row will be for defining how you intend to apply labels to a given data type at each level of classification.

For example, Email is broken up into four classification levels: Restricted, Confidential, Internal Use, and Public. In the labeling row under Email, you would define the label you want to apply when emails contain specific types of data:

Emails containing Restricted Data: ““Restricted” must appear in the Subject Line of the email.”
Emails containing Confidential Data: ““Confidential” must appear in the Subject Line of the email.”
Emails containing Internal Use Data or Public Information: “No Label Required.”

You are not required to apply a label at every level of data classification or even for every type of data. For example, the first row of the NDA data type explains which classification levels require an NDA and who must sign an NDA. Likely, you only have one relevant non-disclosure agreement. Because of this, labeling is not required for the NDA data type. To illustrate this in the table below, the labeling row has been changed to “No Label Required” for the NDA data type.

While you may choose to not label specific data types, you do have to define your approach to labeling and define the types/classifications of data you want to apply data labels to. To assist with this, we have provided an example of how to complete this table below. This is an example for illustrative purposes only, you may elect to apply labels in a different way or apply labels to more or less of the types and classifications of data than we have in this example.

Note: Additionally, labeling is not required for SOC 2. If you are only working towards SOC 2, you may choose to delete the labeling rows entirely.

HANDLING CONTROLS PER DATA CLASSIFICATION

Handling Controls	Restricted	Confidential	Internal Use	Public
Non-Disclosure Agreement (NDA)	Required prior to access by non-[COMPANY NAME] employees	Recommended prior to access by non-[COMPANY NAME] employees	Not Required	Not Required
Labeling	No Label Required	No Label Required	No Label Required	No Label Required
Internal Network Transmission (wired & wireless)	Encryption Required Instant Messaging Prohibited FTP Prohibited	Encryption Recommended Instant Messaging Prohibited FTP Prohibited	No Requirements	No Requirements
Labeling	No Label Required	No Label Required	No Label Required	No Label Required
External Network Transmission (wired & wireless)	Encryption Required Instant Messaging Prohibited FTP Prohibited Remote Access if Necessary (only with VPN and two-factor authorization when possible)	Encryption Required Instant Messaging Prohibited FTP Prohibited	Encryption Recommended Instant Messaging Prohibited FTP Prohibited	No special requirements
Labeling	Content of the message must indicate that it contains Restricted information and is not to be shared.	Content of the message must indicate that it contains Confidential information and may only be shared with authorized recipients.	Content of the message must indicate that it contains Internal Use information and may only be shared with personnel of <Company Name> or authorized recipients.	No Label Required
Data at Rest (file servers, databases, archives, etc.)	Encryption Required Logical Access Controls Required (Limit Unauthorized Use) Physical Access Restricted to Specific Individuals	Encryption Recommended Logical Access Controls Required (Limit Unauthorized Use) Physical Access Restricted to Specific groups	Encryption Recommended Logical Access Controls Required (Limit Unauthorized Use) Physical Access Restricted to Specific groups	Logical Access Controls Required (Limit Unauthorized Use) Physical Access Restricted to Specific groups
Labeling	Asset Inventory must label the resource as “Restricted”.	Asset Inventory must label the resource as “Confidential”.	Asset Inventory must label the resource as “Internal Use”.	Asset Inventory must label the resource as “Public”.
Mobile Devices (iPhone, iPad, USB Drive, etc.)	Encryption Required Remote Wipe Enablement Required, if possible	Encryption Required Remote Wipe Enablement Required, if possible	Encryption Recommended Remote Wipe Enablement Recommended, if possible	No Requirements
Labeling	Must have a physical asset tag indicating the asset ID and the statement “Property of <Company Name>.” Asset Inventory must label the resource as “Restricted”.	Asset Inventory must label the resource as “Confidential”.	Asset Inventory must label the resource as “Internal Use”.	No Label Required
Email (with and without attachments)	Encryption Required Do Not Forward	Encryption Recommended Do not Forward	Encryption Recommended Do Not Forward	No Requirements
Labeling	“Restricted” must appear in the Subject Line of the email.	“Confidential” must appear in the Subject Line of the email.	No Label Required	No Label Required
Physical Mail	Mark "Open by Addressee Only" Use Courier or "Certified Mail" and Sealed, Tamper- Resistant Envelopes for External Mailings	Mark "Open by Addressee Only" Use "Certified Mail" and Sealed, Tamper- Resistant Envelopes for External Mailings	Mail with Company Interoffice Mail US Mail or Other Public Delivery Systems	No Requirements
Labeling	Mark “Open by Addressee Only”.	Mark “Open by Addressee Only”.	No Label Required	No Label Required