# Data Classification

**Definition:** "A *data classification* identifies the value of the data to the organization. Classification labels, the method by which they are assigned, and the required protection associated with the different labels, are identified in a policy."

Source: [CISSP_OSG_Chapter_5](../../Standards/CISSP/CISSP_OSG_Chapter_5.md#Defining%20data%20Classifications)

Classification criteria should be risk based, for instance on the potential damage to the organization, the privacy of individuals, national security, economic interests, or other critical concerns.

## Examples from SANS forum

Source: https://sth-community.sans.org/t/y4yt81n
Retrieved: 2 September 2024

- Public
- Internal
- Confidential

1. No risk - Open
2. Some risk - Internal
3. Significant risk - Confidential

4. Unrestricted
5. Restricted-External
6. Restricted-Internal
7. Confidential

- Public
- Internal
- Confidential
- Restricted

Restricted, Confidential, Internal Use, and Public

We have Confidential Information (CI) and Personal Information (PI). Both CI and PI are categorized as Red, Orange and Yellow for sensitivity (from most to least sensitive). Then there's Green Information, which is public.

| Label | Description |
|---|---|
| General Use | Emails and documents with this label are not sensitive and can be shared both internally and externally with no risk of harm and without restriction. |
| Confidential – Internal Use Only | This label applies to sensitive information that should not leave the organization but is not as critical as that under the "Highly Confidential" classification. Use this for information that, if disclosed outside, could still cause harm but is primarily intended for internal stakeholders. |
| Confidential – Third Party Authorized | This label applies to sensitive information that can be shared with third parties who have been vetted and authorized under specific conditions. This might include business partners or vendors who need access to certain information to provide services or support. |
| Highly Confidential – Internal Use Only | This label applies to the most sensitive information that, if disclosed, could result in severe damage to the organization. Access should be limited to a very select group of internal stakeholders, and it should not be shared outside the organization. |
| Highly Confidential – Third Party Authorized | This label applies to extremely sensitive information that must sometimes be shared with third parties, under very strict controls and only when absolutely necessary. This could include sharing with legal counsel, auditors, or regulatory bodies who require access to fulfill their obligations to the organization. |

Just before I left the Bank of England, we rebuilt our classification scheme - [https://www.bankofengland.co.uk/-/media/boe/files/about/human-resources/iscs-external-guidance.pdf](https://www.bankofengland.co.uk/-/media/boe/files/about/human-resources/iscs-external-guidance.pdf) is the reference. We had used UNCLASSIFIED, BANK CONFIDENTIAL, SECRET and TOP SECRET previously, but moved to OFFICIAL-BLUE, OFFICIAL-GREEN, OFFICIAL-AMBER and OFFICIAL-RED for the non-SECRET levels - we wanted labels that were not using simple language, as we found that using words like "confidential" was difficult to track in DLP systems, causing far too many false positives. One of the reasons for the move was that the UK government was looking to change their scheme to a traffic light system also, so we moved to where they were heading.

From a user perspective it is complex to figure out a classification. That's why some of our institutions reverse the process and start with the person and what they want to do. Leiden University has a tool picker that is publicly available, to help employees and students pick the correct tool (and indirectly the level of security and privacy that that tool offers). It does not solve the classification labeling problem if you have a single mandatory system in mind, but I can imagine that asking them about what goal they want to achieve makes it easier for employees to see classification as helpful and useful. [https://web.universiteitleiden.nl/assets/toolpicker/?lang=en](https://web.universiteitleiden.nl/assets/toolpicker/?lang=en)

![](../Informatie_classificatie_matrix.xlsx)

See also:

- [Datatags privacy oriented data classification system](Datatags%20privacy%20oriented%20data%20classification%20system.md)
- [Def_Sec_Handbook_Chapter_2](../../Literature/Defensive%20Security%20Handbook/Def_Sec_Handbook_Chapter_2.md#Information%20classification)
- [ISO 27002:2022 NL A5.12](../../Standards/ISO27x/OST/27002/NL/a-5.12-Classificeren-van-informatie.md)
- [Designing an information management scheme](../Designing%20an%20information%20management%20scheme.md)
- [Key Topics for a policy on handling classified information](../Policy%20examples/Key%20Topics%20for%20a%20policy%20on%20handling%20classified%20information.md)
- [Traffic Light Protocol (TLP)](Traffic%20Light%20Protocol%20TLP.md)
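The Bank of England post above argues that plain-language labels such as "confidential" are hard for DLP rules to track because the word also occurs in ordinary text, while artificial tokens like OFFICIAL-AMBER do not. The following is an added example (not from the forum or from any DLP product) that makes this measurable: it runs a word-based rule and a token-based rule over a small constructed corpus and counts true and false positives. The rule patterns, the corpus and the `OFFICIAL-*` token set are assumptions for illustration.

```python
import re

# Constructed sample documents (not real data). Each entry is
# (body text without any marking, is_classified).
DOCS = [
    ("Q3 board pack. Do not forward outside the firm.", True),
    ("Draft merger term sheet, v4.", True),
    ("Lunch is at 12:30 in the canteen today.", False),
    ("Please keep my holiday dates confidential for now.", False),
    ("I am confident the regression test is fixed.", False),
    ("Agenda: confidentiality training for new joiners.", False),
    ("Reminder: the 'confidential' tag in Jira is being retired.", False),
]

# Assumed DLP-style rules: one keyed on the plain-language label word,
# one keyed on an artificial token that does not occur in normal prose.
WORD_RULE = re.compile(r"\bconfidential\b", re.IGNORECASE)
TOKEN_RULE = re.compile(r"\bOFFICIAL-(BLUE|GREEN|AMBER|RED)\b")


def mark(body: str, label: str) -> str:
    """Prepend a classification marking to a document body."""
    return f"{label}\n{body}"


def evaluate(rule: re.Pattern, label: str) -> tuple[int, int, int]:
    """Mark the classified documents with `label`, run `rule` over the
    whole corpus and return (true_positives, false_positives, missed)."""
    tp = fp = fn = 0
    for body, classified in DOCS:
        text = mark(body, label) if classified else body
        hit = rule.search(text) is not None
        if hit and classified:
            tp += 1
        elif hit and not classified:
            fp += 1          # ordinary text tripped the rule
        elif not hit and classified:
            fn += 1          # a marked document slipped past the rule
    return tp, fp, fn


def compare() -> dict[str, tuple[int, int, int]]:
    """Same corpus, two marking schemes: plain word versus token."""
    return {
        "plain-language label": evaluate(WORD_RULE, "CONFIDENTIAL"),
        "token label": evaluate(TOKEN_RULE, "OFFICIAL-AMBER"),
    }


if __name__ == "__main__":
    for name, (tp, fp, fn) in compare().items():
        print(f"{name}: {tp} true positives, {fp} false positives, {fn} missed")
```

The token rule scores zero false positives here only because the token never appears in unrelated text; a real rollout still needs the same check against documents that discuss the scheme itself.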