Implement Data Classification

Classification is done by identifying common attributes in data and forming groups by those common attributes. The different levels of classification help organizations set controls on wide swaths of data. When a new system is brought online, rather than performing an in-depth analysis on the system, an organization can classify the system and apply the proper level of security controls. Classification levels can be driven by multiple factors:

  • Data type: Different regulations govern different data types. Healthcare, PII, financial, educational, and legal data all have regulatory requirements.
  • Legal constraints: GDPR, for example, is a legal requirement on how to handle data on EU citizens.
  • Ownership: In today's connected world, many organizations and entities share data. The owners of this shared data may impose requirements on this data.
  • Value/Criticality: Different data has different value to different organizations. It is important to take into account how valuable the data is to the organization, for example to critical business operations.

Mapping

Data mapping, in the context of security, relates to mapping where data exists on the network and possibly data ownership. Many DLP solutions provide this functionality.

Labeling

Once the data has been classified, labels communicate the level of classification to everyone within the organization. It is like putting a "Top Secret" stamp on a document, except that you cannot put a physical stamp on digital data. There are many ways to label data:

  • Hard-copy materials: data printed on paper can be labeled with a printed watermark or stamp, or by storing the media in a labeled container.
  • Physical assets: these include servers, workstations, external hard drives, flash drives, discs, etc., which can be labeled with a physical label.
  • Digital files: can be labeled with metadata such as a watermark in the document or a footer.
  • Complex or shared systems and data sets: some components can be labeled where others cannot. Label what can be labeled and rely on training and reference material to provide protection and meet requirements.

Sensitive data

Sensitivity of data is usually driven by regulations. Here is a list of possible sensitive data:

  • Personally identifiable information (PII): there are many regulations for PII including GDPR, PIPEDA, and GLBA.
  • Protected health information (PHI): defined and governed by HIPAA in the U.S.
  • Cardholder data: defined and governed by PCI-DSS on how to handle, process, and store card data.
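
The mapping and labeling steps above can be illustrated with a small content scan. This is an added example, not part of the original page: it detects two of the listed data types and builds a metadata label for each document. The label fields, the e-mail-only PII rule, and the sample documents are assumptions constructed for the illustration.

```python
import json
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Simplified PII rule (e-mail address only); an assumption for this example.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_data_types(text):
    """Return the sensitive data types detected in a piece of text."""
    found = set()
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            found.add("cardholder-data")
    if EMAIL_RE.search(text):
        found.add("pii")
    return found

def label_for(text, owner):
    """Build the metadata label: sensitive or not, which types, and the owner."""
    types = find_data_types(text)
    return {"sensitive": bool(types), "data_types": sorted(types), "owner": owner}

# Constructed sample documents (file name -> content); not real data.
SAMPLES = {
    "invoice.txt": "Card on file: 4111 1111 1111 1111, contact jane.doe@example.com",
    "shipping.txt": "Order 1234567890123456 shipped on Tuesday",
    "notes.txt": "Quarterly planning meeting moved to room 4",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, json.dumps(label_for(content, owner="finance")))
```

The 16-digit order number in shipping.txt fails the Luhn check, so that document is not labeled as cardholder data.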

Here are some considerations when creating a data classification policy:

  • Compliance requirements inherent at various classification levels: as a best practice, individuals who know how to manage sensitive data should be identified in policy to help users seek assistance as needed.
  • Data retention and disposal requirements: sensitive data is regulated by different laws and regulations with regard to retention periods. Policies need to be created that align with organizational goals and regulatory requirements, along with proper disposal methods.
  • What is considered sensitive or regulated data: policy should clearly specify which data is sensitive or not and, of the sensitive data, what type of data (PII vs PHI).
  • Appropriate or approved uses of data: policies should specify the approved use and processing of sensitive data.
  • Access control and authorization: classification can be used to determine who has access rights to the data. Control of logical and physical access to the data is one of the most powerful tools in protecting sensitive data.
  • Encryption needs: policies should be established that provide clear guidance on how encryption should be used to protect data.