September 9, 2024 | 6 min read

Data Classification Policy Template

Learn what a data classification policy is, with a worked example and a downloadable Word document.


1. Purpose

Outline the reasoning behind performing data classification and the advantages it brings.

This policy aims to create a structure for categorizing data based on its level of sensitivity, importance, and impact on the organization. The goal is to ensure that both corporate and customer-sensitive information are safeguarded accordingly.

2. Scope

Specify the types of data that need classification and clarify who is accountable for its classification, security, and management.

This policy covers all data formats, whether they are physical documents or digital files on various storage media. It applies to all employees and any third-party agents who have authorized access to the data.

3. Roles and Responsibilities

Clarify the roles and duties involved in the data classification process. Departments must appoint individuals responsible for executing the tasks assigned to each role.

• Data Owner: A senior management member responsible for the data collected and managed by their department. Their key duties include:

  • Reviewing and categorizing collected data.
  • Assigning appropriate classification labels based on potential impact.
  • Ensuring compiled data adopts the highest classification level among the data involved.
  • Coordinating data classification across departments to ensure consistency.
  • Ensuring compliance with regulations for high and moderate-impact data (in coordination with data custodians).
  • Setting data access guidelines (in partnership with data custodians).

• Data Custodians: IT personnel or Information Security officers tasked with maintaining and backing up systems, databases, and servers. They are responsible for implementing the security policies set by data owners and ensuring they function correctly. Their responsibilities include:

  • Implementing access controls and monitoring for compliance.
  • Submitting annual audit reports covering data availability, integrity, and confidentiality.
  • Performing regular data backups and validating data integrity.
  • Ensuring compliance with security policies related to data protection.
  • Monitoring data activity and securely storing sensitive data through encryption.

• Data Users: Individuals or entities authorized to interact with data to complete specific tasks. They must follow this policy and any other relevant policies that govern data use.

4. Data Classification Procedure

Outline the steps involved in classifying data. Clearly define who is responsible for each stage, how the sensitivity of data is evaluated, and the actions to take when data does not align with predefined categories.

Detailed Procedure Example:

1. Data owners are responsible for reviewing each dataset they manage and determining its overall impact level by following these steps:

  • If the data corresponds to any of the predefined types of restricted information listed in Appendix A, the data owner assigns it a “High” impact level.
  • If the data does not align with any of the predefined types, the data owner assesses its type and impact using the guidelines in Sections 5 and 6 of this policy and NIST SP 800-60 Volume 2. The highest of the three impact levels (confidentiality, integrity, availability) becomes the overall impact level.
  • If the data's type or impact level remains unclear, the data owner collaborates with the data custodians to resolve the classification.

2. Once the overall impact level is determined, the data owner assigns a corresponding classification label:

  • High impact: Restricted
  • Moderate impact: Confidential
  • Low impact: Public

3. The data owner documents the classification label and overall impact level for each dataset in the official data classification table, which may be recorded in either a database or a physical document.

4. Data custodians then implement appropriate security measures for each dataset, ensuring it is protected according to its assigned classification label and impact level as outlined in the classification table.

Basic Procedure Example:

1. Data owners categorize each piece of data they oversee using the information types found in NIST SP 800-60 Volume 1.

2. Data owners assign a potential impact level for each dataset based on the three security objectives: confidentiality, integrity, and availability. The highest of these three values is used as the overall impact level.

3. Based on this overall impact level, the data owner assigns a classification label:

  • High impact: Restricted
  • Moderate impact: Confidential
  • Low impact: Public

4. The impact level and classification label for each piece of data are recorded in the data classification table.

5. Data custodians apply the necessary security measures to each dataset in accordance with its classification label and impact level.
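The detailed and basic procedures above are the same decision rule: an Appendix A match forces "High", otherwise the overall impact is the highest of the three security objectives, and that impact maps to a label. The following is an added example (not part of the Strac template) that encodes that rule, the compiled-data rule from the Data Owner duties, and the "unclear, escalate to custodians" case; the dataset names and impact values are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Step 2 of the procedure: overall impact level -> classification label.
LABELS = {Impact.LOW: "Public", Impact.MODERATE: "Confidential", Impact.HIGH: "Restricted"}

# Appendix A categories, as named in section 7 of the template.
RESTRICTED_TYPES = {"authentication", "ephi", "pci", "pii"}


@dataclass
class Dataset:
    name: str
    types: Set[str]                            # information types present in the dataset
    confidentiality: Optional[Impact] = None   # None = the data owner has not been able to rate it
    integrity: Optional[Impact] = None
    availability: Optional[Impact] = None


def needs_escalation(ds: Dataset) -> bool:
    """Step 1c: no Appendix A match and at least one objective still unrated."""
    rated = (ds.confidentiality, ds.integrity, ds.availability)
    return not (ds.types & RESTRICTED_TYPES) and any(level is None for level in rated)


def overall_impact(ds: Dataset) -> Impact:
    """Step 1: Appendix A override, otherwise the highest of the three objectives."""
    if ds.types & RESTRICTED_TYPES:
        return Impact.HIGH
    if needs_escalation(ds):
        raise ValueError(f"{ds.name}: impact unclear, resolve with the data custodians")
    return max(ds.confidentiality, ds.integrity, ds.availability)


def classify(ds: Dataset) -> Tuple[Impact, str]:
    impact = overall_impact(ds)
    return impact, LABELS[impact]


def classify_compiled(sources) -> Tuple[Impact, str]:
    """Compiled data adopts the highest classification among the data involved."""
    impact = max(overall_impact(d) for d in sources)
    return impact, LABELS[impact]


def classification_table(datasets) -> Dict[str, Tuple[Impact, str]]:
    """Step 3: one row per dataset for the data classification table."""
    return {d.name: classify(d) for d in datasets}


# Constructed sample inventory (not real data).
SAMPLE = [
    Dataset("customer-billing", {"pci"}),  # Appendix A match: Restricted regardless of ratings
    Dataset("internal-wiki", set(), Impact.LOW, Impact.MODERATE, Impact.LOW),
    Dataset("press-releases", set(), Impact.LOW, Impact.LOW, Impact.LOW),
]
```

Joining the wiki export with the press releases into one report yields "Confidential", because the compiled-data rule takes the highest source classification rather than the most common one.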

5. Data Classification Guideline Example

Develop a table to describe different types of information assets held by the organization, specifying the impact levels and corresponding classification for each asset based on confidentiality, integrity, and availability criteria. See below example:

Figure: Data Classification Guideline Example

6. Impact Level Determination

Create a table to help data owners evaluate the impact level of a data asset by identifying the security objectives and the consequences of failing to meet each objective (e.g., confidentiality, integrity, availability).


Figure: Impact Level Determination

7. Types of Information That Must Be Classified as "Restricted"

Authentication Information

Authentication information refers to data used to verify the identity of an individual, system, or service. This includes:

  • Passwords
  • Secret keys used for authentication
  • Cryptographic private keys
  • Hash tables

Electronic Protected Health Information (ePHI)

ePHI refers to any protected health information (PHI) stored or transmitted electronically. Electronic media covers computer hard drives and portable media like magnetic tapes, optical discs, and digital memory cards.

Transmission involves the exchange of information in digital form, using channels such as the internet, extranets, leased lines, dial-up connections, private networks, or the physical transfer of electronic storage devices.

Payment Card Information (PCI)

Payment Card Information includes a credit card number along with any of the following elements:

  • Cardholder's name
  • Service code
  • Expiration date
  • CVC2, CVV2, or CID security codes
  • PIN or PIN block
  • Information from the credit card’s magnetic stripe

Personally Identifiable Information (PII)

PII consists of an individual’s first name or initial and last name, combined with one or more of the following data:

  • Social security number
  • Driver's license or state ID number
  • Financial account details along with a security code, access code, or password allowing access to the account
  • Medical or health insurance information

List the types of information that should automatically be categorized as "Restricted" with a high impact level, to simplify the data classification process for data owners.

Figure: Restricted Information Types

8. Revision History

Keep track of all modifications to the data classification policy.

Versioning Example:

Version | Published | Author | Description
0.1 | 01/01/2021 | Jane Doe | Original Policy Creation

9. Data Classification Policy Template Examples
