Data classification is the process of organizing data into categories for its most effective and efficient use.
A well-planned data classification system makes essential data easy to find and retrieve. This can be of particular importance for risk management, legal discovery, and compliance. Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees within the organization regarding data stewardship. Once a data-classification scheme has been created, security standards that specify appropriate handling practices for each category and storage standards that define the data's lifecycle requirements should be addressed.
To be effective, a classification scheme should be simple enough that all employees can execute it properly. Here is an example of what a data classification scheme might look like:
Category 4: Highly sensitive corporate and customer data that if disclosed could put the organization at financial or legal risk.
Example: Employee social security numbers, customer credit card numbers
Category 3: Sensitive internal data that if disclosed could negatively affect operations.
Example: Contracts with third-party suppliers, employee reviews
Category 2: Internal data that is not meant for public disclosure.
Example: Sales contest rules, organizational charts
Category 1: Data that may be freely disclosed to the public.
Example: Contact information, price lists
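As an added example (not part of the original text), the following Python code shows how the four-category scheme above can be enforced mechanically: a record is classified at the highest category that applies to any of its fields, and Category 4 data such as social security numbers and credit card numbers is detected and masked before it leaves a secured store. The detection patterns, the handling rules and the sample records are assumptions constructed for illustration, not standards from the page.

```python
import re

# Constructed illustrative patterns: US-style SSN and 14-19 digit card numbers
# (spaces or hyphens allowed between digits). Real detectors need more formats.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")

# Assumed handling standard per category, one rule per level of the scheme.
HANDLING = {
    4: "encrypt at rest, mask in logs and reports, access limited to named roles",
    3: "internal only, need-to-know access",
    2: "internal only",
    1: "public, no restrictions",
}

def luhn_valid(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs (order numbers) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(record: dict) -> int:
    """Return the highest category that applies to any field in the record."""
    level = record.get("declared_category", 1)   # owner-assigned baseline
    for value in record.values():
        if not isinstance(value, str):
            continue
        if SSN_RE.search(value):
            level = max(level, 4)
        for m in CARD_RE.finditer(value):
            if luhn_valid(re.sub(r"[ -]", "", m.group())):
                level = max(level, 4)
    return level

def mask_sensitive(text: str) -> str:
    """Category 4 handling: mask SSNs and Luhn-valid card numbers, keeping the last 4 card digits."""
    text = SSN_RE.sub("***-**-****", text)
    def _mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()            # not a card number, leave it alone
    return CARD_RE.sub(_mask_card, text)

if __name__ == "__main__":
    rec = {"note": "Refund to card 4111 1111 1111 1111", "declared_category": 2}
    print(classify(rec), HANDLING[classify(rec)], mask_sensitive(rec["note"]))
```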