Guide: Data Classification

Data Classification Framework: What, Why and How

What Is a Data Classification Framework?

The data classification process consists of identifying content, categorizing it, and protecting it according to its sensitivity or impact level. The aim is to protect data from unauthorized modification, destruction, or disclosure.

A data classification framework is a formal policy, typically applied enterprise-wide. It usually defines three to five classification levels, and each level is described by three elements: a name, a description, and real-world examples.

Ideally, use at most five top-level (parent) labels, each with at most five sub-labels, for 25 labels in total. This cap keeps the label picker that users see manageable.

Each data classification level is associated with a set of controls. By themselves, levels are only labels (tags) that indicate the sensitivity or value of the content; the framework protects that content by defining, for each level, the controls that must be applied, such as who may access the data and under what conditions.



What Information Should a Data Classification Framework Include?

It is common to include the following information as part of a data classification framework:


  • Goal—why an organization wants to classify data and the benefits it brings.
  • Scope—the types of data that need to be classified, where the data is stored, and who in the organization will perform the classification and use it.
  • Responsibilities—specifies which individuals are responsible for which tasks in the data classification workflow.
  • Procedures—step-by-step processes for accessing, evaluating, and classifying data, including how to handle confidentiality questions and how to resolve classification errors or disputes.
  • Impact level—a map of the organization's data and the impact each dataset has on business processes and compliance requirements, which shows how critical correct classification is for each dataset.
  • Visual data classification guide—a visual chart showing types of data assets, brief description of these assets, level of impact, and applicable data classification labels.
  • Glossary—a definition of terms used in the data classification framework, which should be clear to everyone in the organization.

Data Classification Matrix

A data classification matrix lays out the classification levels side by side with the risk, access rules, and impact that apply to each, so that all the classification information is kept in one place and can be extended with further attributes (handling rules, retention, required controls) as the framework matures. Various templates exist for such a matrix.


Here is an example of a simple template that describes a data classification framework with three security groups ranging from low to high risk:

Public (low risk)
  • Description: Data that carries no significant risk if exposed to the public, or that is intended for public use.
  • Level of access: Few or no access limitations.
  • Impact if published or exposed to malicious actors: minimal, ranging from nonexistent to slightly inconvenient.

Sensitive (moderate risk)
  • Description: Data of moderate importance, usually intended for internal use and not for the public.
  • Level of access: Moderate access privileges, mainly for specific individuals on a need-to-know basis.
  • Impact if published or exposed to malicious actors: moderate, causing non-business-critical damage to the organization.

Confidential (high risk)
  • Description: Data that requires a high level of protection, for example personal (e.g., customer) information or internal company data that must not be disclosed.
  • Level of access: Restricted access, with privileges approved on a case-by-case basis and accompanied by NDAs.
  • Impact if published or exposed to malicious actors: highly negative, resulting in legal or financial damage to the organization.
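As an added example (not code from this page or from Satori), the following Python script walks through the three steps of the process described at the start of this guide (identify, categorize, protect) using the three-level matrix above. It classifies constructed sample records with hypothetical detectors (an internal-use marker, an email pattern, and a payment-card pattern guarded by a Luhn check) and then evaluates a requester against the controls the matrix attaches to each level. The detectors, the Requester attributes, the control names and the sample records are assumptions made for illustration.

```python
# Added example (not from the page or Satori): label-driven classification
# and enforcement for the three-level matrix above. The detectors, record
# contents, and requester attributes are hypothetical.
import re
from dataclasses import dataclass, field

# Ordering of the labels from the matrix; a higher value is more sensitive.
LEVELS = {"public": 0, "sensitive": 1, "confidential": 2}

# Steps 1 and 2: content identification and categorization.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
INTERNAL_MARKER = "INTERNAL"  # hypothetical marker for internal-only documents


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (order IDs, references)
    are not misclassified as payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the highest-sensitivity label that any detector triggers.
    A record containing several kinds of content gets the strictest label."""
    candidates = ["public"]
    if INTERNAL_MARKER in text.upper():
        candidates.append("sensitive")
    if EMAIL_RE.search(text):            # personal (customer) information
        candidates.append("confidential")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            candidates.append("confidential")
    return max(candidates, key=LEVELS.__getitem__)


def classify_all(records: dict[str, str]) -> dict[str, str]:
    return {name: classify(text) for name, text in records.items()}


# Step 3: protection. The label alone does nothing; these are the controls
# the framework attaches to each level (taken from the "Level of access"
# entries of the matrix).
CONTROLS = {
    "public": [],
    "sensitive": ["need_to_know"],
    "confidential": ["need_to_know", "nda", "case_by_case_approval"],
}


@dataclass
class Requester:
    user: str
    need_to_know: set = field(default_factory=set)   # datasets the role covers
    approvals: set = field(default_factory=set)      # explicit per-dataset grants
    nda_signed: bool = False


def authorize(req: Requester, dataset: str, label: str) -> tuple[bool, list[str]]:
    """Evaluate every control the label demands and report which ones fail,
    so a denial can be explained and audited rather than silently dropped."""
    failed = []
    for control in CONTROLS[label]:
        if control == "need_to_know" and dataset not in req.need_to_know:
            failed.append(control)
        elif control == "nda" and not req.nda_signed:
            failed.append(control)
        elif control == "case_by_case_approval" and dataset not in req.approvals:
            failed.append(control)
    return (not failed, failed)


# Constructed sample records: the card number is the well-known Visa test
# PAN; the reference number is a digit run that fails the Luhn check.
RECORDS = {
    "press_release": "Acme opens a new office in Berlin.",
    "roadmap": "INTERNAL ONLY: Q3 product roadmap draft.",
    "orders": "Order 4111 1111 1111 1111 placed by ann@example.com",
    "references": "Ref 1234567812345678 (not a card number)",
}

if __name__ == "__main__":
    labels = classify_all(RECORDS)
    analyst = Requester("analyst", need_to_know={"roadmap", "orders"})
    for name, label in labels.items():
        ok, failed = authorize(analyst, name, label)
        print(f"{name:14} {label:13} {'ALLOW' if ok else 'DENY'} {failed}")
```

Two design points are worth noting. A record that carries several kinds of content gets the strictest label that applies, which is what keeps a mixed dataset from being under-protected. And the controls are derived from the label rather than from the dataset name, so adding or tightening a level means changing one entry in CONTROLS rather than revisiting every dataset.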


Data Classification Framework Best Practices

Here are several practices that can help you create and refine your data classification framework.


Implement Data Classification Gradually

Start by prioritizing the capabilities that are critical to your organization and map them onto a timeline. When executing the plan, complete the first step, confirm that it worked, and only then move on, applying any lessons learned. Until the framework is in place, the organization remains exposed to the risks it is meant to reduce; starting with a few classification levels and expanding later keeps that exposure short and manageable.

Write Framework Documentation for All Stakeholders

A data classification framework serves a broad audience, including all staff members, legal and compliance teams, and IT teams. Write the framework clearly and concisely to help all stakeholders understand the framework. You should also provide real-world examples when possible. Use clear definitions for data classification levels, avoid jargon, and include a glossary for highly technical terms and acronyms.

Minimal Number of Data Classification Levels

Most frameworks use between three and five classification levels, but that does not mean you should use the maximum. Consider the following when deciding how many levels you need:


  • Industry standards and regulatory obligations—highly regulated industries often need more classification levels than others.
  • Operational overhead—every additional level brings its own controls, training, and tooling, so complex frameworks cost more to operate.
  • Implementation complexity—the people who handle the data are the ones who must apply and uphold the framework every day; a framework that is too complex will not be implemented properly.
  • User experience and accessibility—where classification is applied manually across different device types, check that the framework still allows a positive user experience and remains accessible.

Balance Security Against Convenience

A secure but overly restrictive framework can be difficult to implement. Consider your users and whether they can follow rigid, complex, and time-consuming procedures when applying the framework during normal operations. 


If users do not believe in the value of the framework, they will not follow its procedures. This can happen at every organizational level, including executive (C-suite) management. Balance security against convenience and provide user-friendly tools so that users of all skill levels adopt and use the framework.

Data Classification with Satori

Satori takes a different approach to data classification: data is discovered and classified continuously, rather than through ad-hoc scans.
