The data classification policy is intended to provide a framework for classifying a company's data based on its level of sensitivity. Data classification entails analyzing the data an organization retains, determining its importance and value, and then assigning it to a category. Data is classified to help determine baselines for the security controls that will be implemented to protect the data.
Data classification policies apply to all company employees, and to their vendors and customers who have authorization to access the data. Anyone who has access to data, is responsible for classifying it, or is responsible for protecting it is subject to being held accountable for adhering to the data classification policy.
Data classification is the classification of data based on its level of sensitivity and its impact on an organization. Impact is determined by what happens if the data is disclosed, altered or destroyed without appropriate authorization. How data is classified, and the levels of sensitivity associated with it, is generally determined by the organization, but in some cases the classification is mandated by federal, state and local laws. Data classification levels are typically arranged from the most sensitive data, classified as restricted, down to unclassified or public data. The classification levels vary depending on the institution.
Data is typically classified according to its type, such as medical, financial or personal. Most organizations classify data to comply with their requirements of Confidentiality, Integrity and Availability (CIA). Data classification is the responsibility of data stewards, whose primary purpose is the protection of the confidentiality, integrity and availability of the data. The data classification reflects the level of impact to the organization if the confidentiality, integrity or availability of the data is compromised.