Overview#

Data Classification (Data Taxonomy) is part of Data Management and is the data taxonomy

Data Classification is the classification of data based on its level of sensitivity and the impact to the Organizational Entity or Personal Entity should that data be subject to Disclosure-Alteration-Destruction (DAD) without authorization.

Data Classification is required to:

• implement Access Control
• determine the Releasability of data.

Data Classification SHOULD to consider:

• the Data Security Impact
• Data Provenance and or Data Pedigree.
• Regulatory compliance or Standard Compliance some of which we have identified IDM Related Compliance Items

Data Classification may be determined by Trust Tiers as used within BeyondCorp's Zero Trust architecture

Data Classification requires Data Metadata (Well in Our Humble Opinion)

Data Classification#

Data Classification will vary depending each Organizational Entity's circumstances. However there are various areas that should be considered.

• Risk Assessment
• Data Constraint
• Data Disposal
• Data Protection

Data Classification types#

Data Classification types are wide and varied depending on the context

Some Data Classification types could be:

• Public data
• Sensitive Data
• Personal data
• Employee data
• Customer data
• Student data
• Biometric data
• Cardholder Data
• Personally Identifiable Information
• Protected Health Information
• Patient Data
• Company Confidential

Microsoft Azure Data Classification recommendations [4]#

Microsoft recommends:

• Personal data - Not business related
• Public data - Business Data specifically prepared for public Domain
• General - (default) - Business data not intended for external partners
• Confidential - Business data that could cause an unfortunate event if shared with unauthorized entities.
• Highly Confidential - appears to be Personally Identifiable Information, credential, Health information or Intellectual Property

These "tags" are recommended be used always and used within Microsoft products (ie Word, Excel etc) and they are working with DLP vendors to recognizes and take appropriate actions based on these "default" Data Classification

NIST.SP.800-63 Data Classification#

Making certain attribute values available to a Relying Party can carry National Security implications. In situations where this may be the case, identification of such data values at the time of exchange can be absolutely crucial to ensuring that they are appropriately handled and protected during Data Management.

The NIST recommended values for use in Data Classification are:

• Unclassified - Unclassified data carries no National Security implications. This does not, however, indicate that they are not sensitive, not in need of specific protections, or available publicly.
• Controlled Unclassified Information (CUI)- These attribute values are not sensitive enough to have a negative impact on National Security, but are none the less sensitive enough that they should be protected from improper access or exposure (e.g., FOUO information).
• Confidential - Attribute values, which if subject to Confidentiality, could be expected to cause damage to National Security.
• secret - Attribute values, which if subject to Confidentiality, could be expected to cause serious damage to National Security.
• top-secret - Attribute values, which if subject to Confidentiality could be expected to cause exceptionally grave damage to National Security.

As with all classified information, the determination of the classification level for any data must be made by the appropriate U.S. Federal Government authority and the integrity of this classification must be maintained as the data is transmitted or stored in by IT systems.

Data Classification Examples #

While each Entity Data Classification will be different it may be helpful to see Example Data Classification as shown below.

The Data Classification helps determine what baseline security controls are appropriate for safeguarding that data. All Organization data should be classified into one of three sensitivity levels, or classifications:

Restricted Data Example#

Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the Organization or its affiliates. Examples of Restricted data include:

• Personally Identifiable Information
• IDM Related Compliance Items
• Other Governance Risk Management And Compliance conditions

The highest level of security controls should be applied to Restricted data.

Private data Example#

Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the Organization or its affiliates. By default, all Organization Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Public data Example#

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the University and its affiliates. Examples of Public data include press releases, sales brochures and advertising publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Data Classification of data should be performed by an appropriate Data Steward. Data Stewards are senior-level employees of the Organization who oversee the Data Management of one or more sets of Organization Data.

More Information#

There might be more information for this subject on one of the following:

• Access Control
• Actionable Intelligence
• Assurance Level
• Classification
• Composite data type
• Confidential
• Data
• Data Management
• Data Metadata
• Data Pedigree
• Data Policy
• Data Protection
• Data Provenance
• Data Taxonomy
• Dynamic Access Control
• Employee data
• FVEY
• For Official Use Only
• Google Cloud Security
• NOFORN
• Primitive data type
• Private data
• Reference data type
• Resource Inventory Service
• Secret
• Top-secret
• Trust Elevation
• Unclassified
• Web Blog_blogentry_010117_1
• Web Blog_blogentry_010317_1
• Web Blog_blogentry_011115_1
• Web Blog_blogentry_280717_1
• Zero Trust

---

• [#1] - Data Classification - based on information obtained 2014-07-06
• [#2] - NIST Internal Report 8112 (Draft) Attribute Metadata - based on information obtained 2017-01-01
• [#3] - Classified_information_in_the_United_States - based on information obtained 2017-01-10
• [#4] - Classified_information_in_the_United_States - based on information obtained 2017-02-21