Data Classification
You must understand the purpose of a data classification scheme, and be familiar with commercial data classification criteria and the government data classification scheme.
Information and data, in all their various forms, are valuable business assets. As with other, more tangible assets, the information’s value determines the level of protection required by the organization. Applying a single protection standard uniformly across all an organization’s assets is neither practical nor desirable.
A data classification scheme helps an organization assign a value to its information assets based on its sensitivity to loss or disclosure, as well as determine the appropriate level of protection. Additionally, data classification schemes may be required for regulatory or other legal compliance.
An organization’s employees also need to understand the classification schema being used, how to classify information assets, handling and safeguarding requirements, and proper destruction or disposal procedures.
Commercial data classification
Commercial data classification schemes are typically implemented to protect information that has a monetary value, to comply with applicable laws and protect privacy, and to limit liability. Criteria by which commercial data is classified include
Value: The most common classification criterion in commercial organizations. It’s based on monetary value or some other intrinsic value.
Age/useful life: Information that loses value over time, becomes obsolete or irrelevant, or becomes common/public knowledge is classified this way.
Regulatory requirements: Private information, such as medical records subject to HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act) regulations and educational records subject to the Privacy Act (see Chapter 12), may have legal requirements for protection. Classification of such information may be based not only on compliance but also on liability limits.
Descriptive labels are often applied to company information, such as Confidential, Proprietary, and Internal Use Only. However, the organizational requirements for protecting information labeled as such are often not formally defined or are unknown. Organizations should formally identify standard classification levels as well as specific requirements for labeling, handling, storage, and destruction/disposal.
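As an added illustration (not part of the original text), the following Python model shows what a formally defined commercial scheme looks like in practice: the three criteria above (value, age/useful life, regulatory requirements) determine a level, and each level carries explicit labeling, storage, and destruction requirements. The levels, monetary thresholds, and requirement strings are constructed for this example, not taken from any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum

class Level(IntEnum):  # ordered: a higher value is more sensitive
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2
    PROPRIETARY = 3

# Formal per-level requirements (constructed for illustration): label, storage, destruction.
REQUIREMENTS = {
    Level.INTERNAL_USE_ONLY: ("Internal Use Only", "company-managed systems", "shred / secure delete"),
    Level.CONFIDENTIAL: ("Confidential", "encrypted at rest, need-to-know access", "cross-cut shred / crypto-erase"),
    Level.PROPRIETARY: ("Proprietary", "encrypted, named-user access, audited", "witnessed destruction"),
}

@dataclass
class Asset:
    name: str
    monetary_value: float      # value criterion
    created: date              # age/useful-life criterion
    useful_life_days: int = 0  # 0: does not lose value with age
    regulated: bool = False    # regulatory criterion (e.g. HIPAA/HITECH records)

def classify(asset: Asset, today: date) -> tuple[Level, list[str]]:
    """Apply the three commercial criteria; return the level and the reasons behind it."""
    # Value criterion: constructed monetary thresholds.
    if asset.monetary_value >= 1_000_000:
        value_level, why = Level.PROPRIETARY, "value >= 1M"
    elif asset.monetary_value >= 50_000:
        value_level, why = Level.CONFIDENTIAL, "value >= 50k"
    else:
        value_level, why = Level.INTERNAL_USE_ONLY, "low value"
    # Age/useful-life criterion: value-based sensitivity lapses after the useful life.
    expired = (asset.useful_life_days > 0
               and today > asset.created + timedelta(days=asset.useful_life_days))
    if expired and value_level > Level.INTERNAL_USE_ONLY:
        value_level, why = Level.INTERNAL_USE_ONLY, why + ", but past useful life"
    reasons = [why]
    # Regulatory criterion: a floor that never lapses with age, whatever the value.
    floor = Level.INTERNAL_USE_ONLY
    if asset.regulated:
        floor = Level.CONFIDENTIAL
        reasons.append("regulated records: floor is Confidential")
    return max(value_level, floor), reasons

def handling_label(asset: Asset, today: date) -> str:
    """One-line marking for employees: label, permitted storage, destruction method."""
    label, storage, destruction = REQUIREMENTS[classify(asset, today)[0]]
    return f"{asset.name}: {label} | store: {storage} | destroy: {destruction}"
```

Note that the regulatory floor is applied after the age rule, so a stale medical record stays Confidential even when its monetary value has lapsed.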
Government data classification
Government data classification schemes are generally implemented to
Protect national interests or security.
Comply with applicable laws.
Protect privacy.
Unclassified
The lowest government data classification level is unclassified. Unclassified information isn’t sensitive, and unauthorized disclosure won’t cause any harm to national security. Unclassified information may include information that was once classified at a higher level but has since been declassified by an appropriate authority. Unclassified information isn’t automatically releasable to the public and may include additional modifiers such as For Official Use Only or For Internal Use Only.
Sensitive but Unclassified (SBU)
Sensitive but Unclassified information is a common modifier of unclassified information. It generally includes information of a private or personal nature. Examples include test questions, disciplinary proceedings, and medical records.
Confidential
Confidential information is information that, if compromised, could cause damage to national security. Confidential information is the lowest level of classified government information.
Secret
Secret information is information that, if compromised, could cause serious damage to national security. Secret information must normally be accounted for throughout its life cycle, all the way to its destruction.
Top Secret
Top Secret information is information that, if compromised, could cause grave damage to national security. Top Secret information may require additional safeguards, such as special designations and handling restrictions.