Data Classification Policy

A policy that specifies the required tagging of data stored by a company. This data is usually specific in nature such as PCI data, Health Information, and Personally Identifiable Information. 

If you have ever worked for a large enterprise, you know how daunting it can be to get up to speed on things. Things are often slower, there are more standard processes in place and oftentimes, it’s really boring. With that being the case, the larger the organization becomes, the more data it has. Big Business = Big Data.

To ensure that this information is not lost, it’s important for organizations  to implement data classification and asset mapping at the soonest possible stage. 

What is data classification?

Data classification can be different for organizations. Some organizations will deal with personally identifiable information, whereas others might have protected health information. Depending on the organization and the types of data they are working with, they will need to implement a data classification program. The data classification should be a set of procedures that contain multiple processes.


Acme Corporation is standing up a new database that will handle a large volume of health-protected information. This information contains the patients’ social security number, patient ID, name, and health records. Once this database has been placed into production, it should be tagged within the asset management tool or architecture diagram that this database contains protected health information. Other ways organizations could also classify these types of systems is through an internal classification system that is pertinent to them.

Organizations will classify this information in different ways. If the organization has multiple different compliance objectives this is usually done by segmenting the data and also classifying under the correct compliance framework. This will depend on the companies data classification process.  This also allows organizations to quickly identify the data and where it is located in the event of a data breach.

Types of data classifications

When creating a data classification policy for your organization, it is of course most important to assign the correct classification to information and IT assets. 

Typically, there are four (4) main classifications/groups, based on sensitivity:

  1. Public: Publicly classified information would be information that you would openly share, and would not typically associate any privacy or data leak concerns with. This classification level has the lowest security impact, and would be defined as unclassified data. Examples of such data can include job descriptions and press-release information.
  2. Internal: Internal data has a slightly higher classification level, and simply put, would be restricted to internal employees/staff. Information classified as internal could be a company specific memo or report, or the company’s product or knowledge base information – that the organization would not want the general public having access to.
  3. Confidential: Confidential information is sensitive. Any leak of confidential information to unauthorized parties or organizations could result in an inconvenience, and possible reputational issues, but in most instances – there will not be a financial implication. Information classified as confidential or higher (restricted) is typically data that is protected by compliance regulations and the appropriate processes to ensure this should be defined and enforced.
  4. Restricted: The highest level of classification. A leak of restricted information could have severe financial, reputational, and organizational consequences. Leaks of information of this nature can lead to criminal charges and serious penalties. Therefore, this information must have the strongest security protection enforced. In most cases, restricted information is protected by an NDA to minimize legal risks. Common examples include trade secrets, intellectual property, and organizational development information.