Once you have developed a plan of action for classifying your data, the next step is to define the categories of data each file will be sorted into. Each business is unique in the data they store, so this step is subjective to an organization’s needs. That being said, many companies use some version of this four-category framework.
This is the least sensitive category because this data is created with the intention of being widely shared. Completed marketing materials, user agreements, or product information guides all with the purpose of informing the general public fall into this category.
Data that is not intended for public viewing but could only cause minimal reputational damage to the organization goes here. This could include unfinished drafts of public materials, employee notes and non-sensitive messages, or intellectual property the company would rather not have fall into the hands of competitors.
Information in this category carries significant legal, regulatory, or ethical ramifications should it be exposed, but may need to be made available to internal or external parties in a controlled manner for business purposes. Information protected by non-disclosure agreements, personally identifiable information (PII) of employees or customers, internal network and data flow diagrams, or protected data that can be requested by certain parties, like student records, may be placed in this category.
Information must be put in this category if exposing it could include consequences such as criminal or civil penalties, reputational damage, invasion of privacy, identity theft, financial loss including loss of federal funding, or could be used to gain access to more of this category of information. This category includes information all organizations have, such as passwords, encryption keys, financial information, and highly sensitive PII like social security numbers or driver’s license numbers. This is also the tier for specific data regulated by the government like protected health information (PHI), payment card information (PCI), and any classified government data.
It is important to remember that this is just an example and classifying data how it makes sense to your organization is always best way to implement. It is important to keep in mind that the more complex you make your schema, the harder it will be to implement. A three to four category schema is probably the best option unless your organization has a specific need for more than that.