Data classification is the act of triaging your company’s digitally stored information and assigning the different documents to categories based upon the level of risk your company would be exposed to in the event that any specific document was compromised through unauthorized disclosure, alteration, or destruction.

The break down

Data can be broken down into four categories. In addition to identifying the risk levels of your company’s stored digital information, data classification can also help your company determine how to react in the event that any piece of data was exposed. The data types in order of least to greatest risk level are as follows:

1. Private

Data whose unauthorized disclosure, alteration, or destruction would likely result in only a minimal level of risk to your company should be classified as “private.” Examples of private data include internal SOPs, HR policies, and other internal communications. Data that is suitable for being considered private should meet the following criteria:

• Data is not explicitly assigned to another risk classification.
• Data is not intended for use outside of your company.
• Data contains personal information and is generally related to a specific conversation or communication between two people.

2. Sensitive

Data whose unauthorized disclosure, alteration, or destruction could result in a moderate level of risk to your company or business partners should be identified as “sensitive.” Examples of sensitive data include—but are not limited to—business plans, corporate risk assessments, network assessments, and business continuity plans. Data that meets the following criteria should be classified as sensitive:

• Data is not appropriate for public exposure.
• Data contains IT network information such as server and router configurations.
• Data, if exposed, could necessitate the modification of business operations or application and system configurations.

3. Confidential

Data whose unauthorized disclosure, alteration or destruction could result in a high level of risk to your business, business partners, or clients should be classified as “confidential.” Typically, confidential data types include—but are not limited to—data that contains passwords, financial data, and personally identifiable HR data. Data that meets the following criteria should be treated as confidential data:

• Data is only for designated personnel within your corporation.
• Data is for a specific individual that is a business partner or client of your company.
• Data is sensitive enough to require encryption.

4. Restricted

Data whose unauthorized disclosure, alteration, or destruction will cause a significant level of risk to your corporation, business partners, and clients should always be classified as “restricted.” Restricted data types include—but are not limited to—data that is protected by state or federal privacy regulations and data that is protected by confidentiality agreements. The highest level of security controls should be applied to restricted data. Data that meets the following criteria should be classified as restricted:
- Data is only for designated personnel.
- Data is regulated or legally sensitive.
- Data requires encryption.

Learn more

Depending upon your business’s particular needs, data classification can be as simple as applying a naming scheme to document titles or as complex as creating a comprehensive program that requires different levels of security clearance and credentials to access documents. Of course, most companies’ data classifications needs fall somewhere in between. To learn more about how data classification will help protect your company’s data, please contact All Covered.