The goal of any data classification scheme is to enable policies, controls, and management appropriate for handling, compliance, and business risks. The classification can be added to the subject line or banner of emails at the time of send or receive, and documents on save. This allows employees to quickly identify appropriate handling based on the content. Classifications can also be used to filter emails, set retention policies, restrict sharing, etc.
Most Common Types
Here are some of the most common types of data classification schemes:
- Sensitivity-based - Categorises data based on how sensitive or confidential it is. Common levels are public, internal, confidential, and restricted. This scheme focuses on the potential impact if the data is exposed or compromised.
- Regulation-based - Aligns data classifications with compliance categories called out in regulations and standards such as GSC, ISO 27001, and GDPR. Commonly used labels are personal data, healthcare data, financial data, etc.
- Audience-based - Classifies data in terms of who the intended audience is and the handling instructions. Common designations are executive, management, staff, client, vendor, etc.
- Content-based - Labels data based on what it contains - product designs, source code, trade secrets, PII, test data and so on. It helps identify IP, archives, backups, and data retention periods.
- Criticality-based - Assesses the business impact of data. Labels like mission-critical, business-critical and non-critical guide backup, security and business continuity efforts.
- Lifecycle-based - Applies classifications that align with the data lifecycle within the organisation - creation, storage, archival and destruction. Helps manage records and eDiscovery.
The UK Government Security Classification System
The UK Government Security Classification (GSC) system has three levels: OFFICIAL, SECRET, and TOP SECRET, with the optional OFFICIAL-SENSITIVE. OFFICIAL-SENSITIVE is for a limited amount of OFFICIAL information that is particularly sensitive but still comes within OFFICIAL if it is not subject to the threat sources for which SECRET is designed, even if its loss or compromise could have severely damaging consequences. See Government Security Classifications.
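The subject-line marking, filtering and sharing restrictions described at the top of this page, applied to the UK GSC levels just listed, as an added example that is not part of the original article or of any product it describes. The `[LEVEL]` / `[LEVEL-CAVEAT]` tag format, the `example.com` internal domain and the rule that OFFICIAL-SENSITIVE and anything above OFFICIAL must not leave the organisation are assumptions made for this example, not rules taken from the Government Security Classifications policy:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Level ordering for the UK GSC scheme described above. OFFICIAL-SENSITIVE is a
# handling caveat on OFFICIAL information, not a fourth level, so the caveat is
# tracked separately from the level itself.
LEVELS = {"OFFICIAL": 0, "SECRET": 1, "TOP SECRET": 2}

# A marking is carried as a leading "[LEVEL]" or "[LEVEL-CAVEAT]" tag on the
# subject line. The tag format and the internal domain are assumptions made for
# this example, not part of any published scheme.
MARKING_RE = re.compile(
    r"^\[(OFFICIAL|SECRET|TOP SECRET)(?:-(SENSITIVE))?\]\s*", re.IGNORECASE
)
INTERNAL_DOMAIN = "example.com"


@dataclass(frozen=True)
class Marking:
    level: str
    caveat: Optional[str] = None

    def __str__(self) -> str:
        return self.level if self.caveat is None else f"{self.level}-{self.caveat}"


def parse_marking(subject: str) -> Optional[Marking]:
    """Read the classification tag off a subject line, or None if unmarked."""
    m = MARKING_RE.match(subject)
    if m is None:
        return None
    caveat = m.group(2).upper() if m.group(2) else None
    return Marking(m.group(1).upper(), caveat)


def apply_marking(subject: str, marking: Marking) -> str:
    """Stamp the marking on the subject at send time, replacing any existing tag."""
    bare = MARKING_RE.sub("", subject, count=1)
    return f"[{marking}] {bare}"


def is_internal(address: str, domain: str = INTERNAL_DOMAIN) -> bool:
    """True when the recipient address belongs to the (assumed) internal domain."""
    return address.rsplit("@", 1)[-1].lower() == domain


def check_send(subject: str, recipients: List[str]) -> Tuple[bool, str]:
    """Assumed handling rule: unmarked mail is refused, and anything above
    OFFICIAL, or OFFICIAL-SENSITIVE, may not be sent to external recipients."""
    marking = parse_marking(subject)
    if marking is None:
        return False, "unmarked message: apply a classification before sending"
    external = [r for r in recipients if not is_internal(r)]
    if not external:
        return True, "all recipients are internal"
    if LEVELS[marking.level] > LEVELS["OFFICIAL"] or marking.caveat == "SENSITIVE":
        return False, f"{marking} must not go to external recipients: {', '.join(external)}"
    return True, "OFFICIAL information may be shared externally"


def at_or_above(subjects: List[str], minimum: str) -> List[str]:
    """Filter subjects marked at or above `minimum`, the kind of rule a mailbox
    filter or retention policy would apply. Unmarked subjects never match."""
    floor = LEVELS[minimum]
    kept = []
    for s in subjects:
        m = parse_marking(s)
        if m is not None and LEVELS[m.level] >= floor:
            kept.append(s)
    return kept


if __name__ == "__main__":
    # Constructed sample subject lines.
    inbox = [
        "[OFFICIAL] Canteen menu",
        "[OFFICIAL-SENSITIVE] Draft budget",
        "[SECRET] Incident briefing",
        "Unmarked note",
    ]
    for s in inbox:
        print(s, "->", check_send(s, ["bob@partner.org"]))
    print("SECRET and above:", at_or_above(inbox, "SECRET"))
```

The check runs on the marking alone, which is the point of putting the label in the subject line: a mail gateway or client rule can enforce handling without inspecting the body. Refusing unmarked mail is the deliberate default here, since a message with no label gives the filter nothing to act on.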
Other Data Classification Schemes
Other example data classification schemes:
- US Government Classification
  - UNCLASSIFIED
  - SENSITIVE BUT UNCLASSIFIED
  - CONFIDENTIAL
  - SECRET
  - TOP SECRET
- ISO 27001
  - PUBLIC
  - INTERNAL
  - CONFIDENTIAL
  - STRICTLY CONFIDENTIAL
- PCI DSS
  - PUBLIC
  - CONFIDENTIAL
  - RESTRICTED
  - HIGHLY CONFIDENTIAL
- GDPR
  - ANONYMISED
  - PSEUDONYMISED
  - ENCRYPTED
  - PLAINTEXT
- NIST 800-53
  - CUI BASIC
  - CUI SPECIFIED
  - CUI ENCRYPTED
Nonregulatory Classification Schemes
Organisations can also implement a nonregulatory classification scheme with considerable business upside, such as allowing employees to quickly triage emails and handle them appropriately.
Example nonregulatory classification scheme:
- Public - General information that can be freely shared.
- Internal Use - For communication within the company.
- Client Confidential - Client information that is sensitive or confidential.
- Client Contractual - Information related to contracts and negotiations.
- Company Confidential - Sensitive internal company information.
- Company Strategic - Emails about high-level plans and strategy.
- Board Communications - Emails containing information restricted to board members.
- Legal - Emails dealing with legal matters.
- Financial - Emails regarding finances, accounting, payments.
- Personal - Non-work related emails.
Sign up for a demo or free trial of Protective Marking for Outlook and Office today.