How Do You Create a Data Classification Policy?

Guest Author asked 3 years ago

1 Answer
Deborah Erlanger answered 3 years ago
Digitally stored data needs to be properly secured. To properly protect data and comply with data and privacy laws, you need clear visibility into your stored data to determine what needs to be protected, and to what extent. All these factors are components of a data classification policy, which consists of:

  • Identifying where the sensitive data resides
  • Implementing policies and controls to handle it
  • Developing secure practices for keeping it safe in the long run
  • Determining how and when data should be deleted

Data that should be subject to data classification includes but is not limited to:

  • social security numbers
  • medical information (PHI)
  • financial information
  • credit card details
  • corporate intellectual property

Data classification is no easy task. There is no one-size-fits-all data protection plan, and each organization will need to determine its unique strategy for data classification. Below we’ve outlined a data classification template to give you an idea of how to get started with your data classification policy.

1. Understand Your Regulatory Requirements

Get a clear understanding of your company’s regulatory privacy and mandated requirements. Use these requirements as a framework to define your data classification objectives.

2. Define the Scope of the Policy

The next step is to define which information will fall under the policy, what form that data is in, and where that data is stored.

3. Develop a Formal Data Classification Policy

Simpler is better when it comes to data classification. Try to keep your policy to a few pages and ideally no more than four categories should be defined. Policies and categorizations should be well-outlined and easily adapted by employees. 

Below are two sample data classification policy examples:

  • Public, internal, confidential, restricted
  • Restricted, high risk, medium risk, low risk 

Each category should detail the classes and subcategories of data included in it, in addition to instructions for proper data handling. Data Loss Prevention tools and other data-centered digital tools can be used to streamline data classification processes.

4. Set Controls

Establish baseline cybersecurity measures and define policy-based controls for each data classification to ensure the appropriate solutions are in place. The more restricted the data category, the more advanced levels of protection will be needed. 

It may be prudent to consider the penalties associated with the loss or breach of a category or subcategory of data. By quantifying the potential financial impact of a data compromise, you will be able to set controls and allocate resources to protect it appropriately.

By understanding where data resides and the organizational value of the data, you can implement appropriate security controls based on associated risks. 

5. Monitor and Maintain

Data classification policies are dynamic. They should be reviewed and updated as necessary to ensure your policy meets the evolving needs of your organization.
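The answer above describes three things a data classification program needs to connect: detectors for the data types it cares about (social security numbers, card numbers, PHI), a small set of categories (it uses public, internal, confidential, restricted as one sample scheme), and handling instructions attached to each category. The toy scanner below is an added example, not code from the answer or from any DLP product; it shows how a DLP-style tool links those three pieces. The category mapping, the handling text, the PHI keyword list, and the sample records are all constructed for illustration; the SSN plausibility rules and the Luhn check are the standard ones. A record is labelled with the highest category any detector triggers, and unclassified records default to "internal" (an assumption here; a real policy decides the default).

```python
"""Toy data-classification scanner (illustrative; not a real DLP product)."""
import re
from typing import Dict, List

# Category names from the first sample scheme in the answer, lowest to highest.
CATEGORIES = ("public", "internal", "confidential", "restricted")

# Hypothetical handling instructions per category; a real policy defines these.
HANDLING = {
    "public": "no restrictions on distribution",
    "internal": "share only with staff; do not post externally",
    "confidential": "encrypt in transit and at rest; share on a need-to-know basis",
    "restricted": "encrypt, log every access, and apply the documented retention/deletion schedule",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed keyword list standing in for a real PHI dictionary.
PHI_TERMS = ("diagnosis", "patient", "prescription", "medical record")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> List[str]:
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def find_pans(text: str) -> List[str]:
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def find_phi_terms(text: str) -> List[str]:
    lowered = text.lower()
    return [t for t in PHI_TERMS if t in lowered]


# Detector name -> (detector, category it triggers). The mapping is a hypothetical policy choice.
DETECTORS = {
    "ssn": (find_ssns, "restricted"),
    "pan": (find_pans, "restricted"),
    "phi": (find_phi_terms, "confidential"),
}


def classify(text: str, default: str = "internal") -> Dict[str, object]:
    """Return the highest triggered category, evidence counts per detector, and the handling rule."""
    category = default
    evidence: Dict[str, int] = {}
    for name, (detector, cat) in DETECTORS.items():
        hits = detector(text)
        if hits:
            evidence[name] = len(hits)
            if CATEGORIES.index(cat) > CATEGORIES.index(category):
                category = cat
    return {"category": category, "evidence": evidence, "handling": HANDLING[category]}


# Constructed sample records; every identifier is fake.
SAMPLE_RECORDS = [
    "Quarterly newsletter draft: team offsite moved to May.",
    "Patient Jane Doe, diagnosis code noted, follow-up in 2 weeks.",
    "Payroll export: employee SSN 123-45-6789, dept 41.",
    "Refund to card 4111 1111 1111 1111, order 20240115.",
    "Test fixture, not a real SSN: 666-12-3456; bad card 4111 1111 1111 1112.",
]


def scan(records=SAMPLE_RECORDS) -> List[Dict[str, object]]:
    return [classify(r) for r in records]


if __name__ == "__main__":
    for rec, result in zip(SAMPLE_RECORDS, scan()):
        print(f"{result['category']:>12}  {result['evidence']}  <- {rec[:50]}")
```

The last sample record is the important one for a defender: it contains an SSN-shaped number with an unissued area and a card-shaped number that fails Luhn, and the scanner leaves it at the default category instead of raising a false positive. Keyword detectors like the PHI list are the noisiest part of any such tool, which is one reason the answer advises keeping the number of categories small and the handling rules per category explicit.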
