Categories Topics
Information (Data) Classification, Labeling and Handling

Data Classification is the process of classifying information into high level categories based on sensitivity and value to the organization. The higher the level of data classification (e.g. Secret), the higher level of security controls and focus should be in place to protect the sensitive information. Data classification policy and procedures should also be in place that will include how sensitive information will be classified, handled, retained and disposed of.

Data Classification levels should first be documented as part of the organization's information security policy. For example, a "Data Classification Policy" would describe each classification category based on sensitivity and business value in accordance with legal, regulatory and contractual requirements. To help simplify and manage the appropriate controls to protect the data, the levels should be small in number (i.e. no more than 4 or 5) and be listed in order of sensitivity.   Examples of data classification levels, in order of least to highest levels of sensitivity and value to the organization, can include: "Public", "Internal", "Confidential", "Secret", etc. 

Organizations should leverage the data classification levels and policy to label and protect the information. Methods of labeling can include asset inventory that documents and describes each asset (e.g. system, application or data repository) to include asset owner, data classification, risk, and so on. Additional mechanisms can include "tagging" or fingerprinting information when saved to a repository where the classification level would be labeled and/or clearly displayed in the document (e.g. "confidential" for sensitive documents).

Data labels can then be better leveraged by Data Loss Prevention tools or processes that may detect unprotected or sensitive information and move to more secure repositories or quarantine the information. Most importantly, procedures should be established for personnel to handle and dispose of sensitive information appropriately. Please see "Clear Desk Policy" and "Document Destruction" topics for more information.

Topic Category
Asset Management
News Articles
Kaiser Permanente Case Underscores Due Diligence Requirementthreatpost.com1/7/2013
University of Michigan Health Systems Admits Patient Data Stolenthreatpost.com12/26/2012
White Papers
Lock It: Protecting Your Office from Info Thievesbusiness.ftc.gov7/1/2007
Disposing of Consumer Report Information? New Rule Tells Howbusiness.ftc.gov6/1/2005
NJ assembly passes bill requiring information stored on copy machines, scanner be deletedwww.courierpostonline.com6/1/2001
Asset Management Policy
Information Classification Policy
Information Labeling, Handling and Disposal Policy
NIST SP 800-88 Revision 1 Guidelines to Media SanitizationNIST12/18/2014
NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)NIST4/1/2010