
Example Completed Data Classification Table

Updated this week

Labeling data is a critical activity within certain frameworks, such as ISO 27001. However, these frameworks usually leave it up to each organization to determine how data should be labeled. Within Drata’s Data Classification Policy template, we provide a table to help you develop your strategy for labeling data. Each type of data is in a bolded row. Each column of that row represents the classification level for that type of data. The first row for a data type lists the specific controls that must be in place for a given data type and classification level. The next row defines how you intend to apply labels to that data type at each classification level.

For example, Email is broken into four classification levels: Restricted, Confidential, Internal Use, and Public. In the labeling row for Email, you would define the label you want to apply when emails contain specific types of data:

  • Emails containing Restricted Data: “Restricted” must appear in the Subject line of the email.

  • Emails containing Confidential Data: “Confidential” must appear in the Subject line of the email.

  • Emails containing Internal Use Data or Public Information: No label required.

You are not required to apply a label at every data classification level or for every data type. For example, the first row for the NDA data type explains which classification levels require an NDA and who must sign it. You likely only have one relevant non-disclosure agreement. Because of this, labeling is not required for the NDA data type. In the table, the labeling row for NDA is set to “No Label Required.”

While you may choose not to label certain data types, you must define your labeling approach and identify the types and classifications of data to which you will apply labels. To assist with this, we have provided an example of a completed table below. This example is for illustrative purposes only. You may choose to apply labels differently or to more or fewer types and classifications of data.

Note: Labeling is not required for SOC 2. If you are only working toward SOC 2, you may delete the labeling rows entirely.

HANDLING CONTROLS PER DATA CLASSIFICATION

Classification levels: Restricted, Confidential, Internal Use, Public. For each data type, the first block lists the handling controls at each level and the second block lists the labeling requirement at each level.

Non-Disclosure Agreement (NDA)

  Handling Controls
  • Restricted: Required prior to access by non-[COMPANY NAME] employees
  • Confidential: Recommended prior to access by non-[COMPANY NAME] employees
  • Internal Use: Not Required
  • Public: Not Required

  Labeling
  • Restricted: No Label Required
  • Confidential: No Label Required
  • Internal Use: No Label Required
  • Public: No Label Required

Internal Network Transmission (wired & wireless)

  Handling Controls
  • Restricted: Encryption Required; Instant Messaging Prohibited; FTP Prohibited
  • Confidential: Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited
  • Internal Use: No Requirements
  • Public: No Requirements

  Labeling
  • Restricted: No Label Required
  • Confidential: No Label Required
  • Internal Use: No Label Required
  • Public: No Label Required

External Network Transmission (wired & wireless)

  Handling Controls
  • Restricted: Encryption Required; Instant Messaging Prohibited; FTP Prohibited; Remote Access if Necessary (only with VPN and two-factor authorization when possible)
  • Confidential: Encryption Required; Instant Messaging Prohibited; FTP Prohibited
  • Internal Use: Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited
  • Public: No special requirements

  Labeling
  • Restricted: Content of the message must indicate that it contains Restricted information and is not to be shared.
  • Confidential: Content of the message must indicate that it contains Confidential information and may only be shared with authorized recipients.
  • Internal Use: Content of the message must indicate that it contains Internal Use information and may only be shared with personnel of <Company Name> or authorized recipients.
  • Public: No Label Required

Data at Rest (file servers, databases, archives, etc.)

  Handling Controls
  • Restricted: Encryption Required; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Individuals
  • Confidential: Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups
  • Internal Use: Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups
  • Public: Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups

  Labeling
  • Restricted: Asset Inventory must label the resource as “Restricted”.
  • Confidential: Asset Inventory must label the resource as “Confidential”.
  • Internal Use: Asset Inventory must label the resource as “Internal Use”.
  • Public: Asset Inventory must label the resource as “Public”.

Mobile Devices (iPhone, iPad, USB Drive, etc.)

  Handling Controls
  • Restricted: Encryption Required; Remote Wipe Enablement Required, if possible
  • Confidential: Encryption Required; Remote Wipe Enablement Required, if possible
  • Internal Use: Encryption Recommended; Remote Wipe Enablement Recommended, if possible
  • Public: No Requirements

  Labeling
  Must have a physical asset tag indicating the asset ID and the statement “Property of <Company Name>.”
  • Restricted: Asset Inventory must label the resource as “Restricted”.
  • Confidential: Asset Inventory must label the resource as “Confidential”.
  • Internal Use: Asset Inventory must label the resource as “Internal Use”.
  • Public: No Label Required

Email (with and without attachments)

  Handling Controls
  • Restricted: Encryption Required; Do Not Forward
  • Confidential: Encryption Recommended; Do Not Forward
  • Internal Use: Encryption Recommended; Do Not Forward
  • Public: No Requirements

  Labeling
  • Restricted: “Restricted” must appear in the Subject Line of the email.
  • Confidential: “Confidential” must appear in the Subject Line of the email.
  • Internal Use: No Label Required
  • Public: No Label Required

Physical Mail

  Handling Controls
  • Restricted: Mark "Open by Addressee Only"; Use Courier or "Certified Mail" and Sealed, Tamper-Resistant Envelopes for External Mailings
  • Confidential: Mark "Open by Addressee Only"; Use "Certified Mail" and Sealed, Tamper-Resistant Envelopes for External Mailings
  • Internal Use: Mail with Company Interoffice Mail; US Mail or Other Public Delivery Systems
  • Public: No Requirements

  Labeling
  • Restricted: Mark “Open by Addressee Only”.
  • Confidential: Mark “Open by Addressee Only”.
  • Internal Use: No Label Required
  • Public: No Label Required
