3.1.1. Data Classification Schemes and Criteria
💡 First Principle: Classification decisions are risk decisions: the level assigned to data should reflect the actual harm that would result from unauthorized disclosure, modification, or loss, not the data's age, volume, or the effort required to collect it. Sensitivity drives classification; everything else is a consequence. One caveat: sensitivity is judged on the data as it is actually stored and accessed, so an aggregate (a complete customer table, a combined set of individually harmless reports) can warrant a higher level than any single record within it.
Government classification model (US):
| Level | Who Can Access | Harm if Disclosed | Example |
|---|---|---|---|
| Top Secret | Need-to-know + TS clearance | Exceptionally grave damage to national security | Intelligence sources and methods, war plans |
| Secret | Need-to-know + Secret clearance | Serious damage to national security | Military deployment schedules |
| Confidential | Need-to-know + Confidential clearance | Damage to national security | Personnel files, some weapons specifications |
| Controlled Unclassified Information (CUI) | Defined by the law, regulation, or policy governing each CUI category | Varies by category; CUI is not a classification level but unclassified information that still requires safeguarding and controlled dissemination | Law enforcement sensitive, export controlled |
| Unclassified | General access | No national security harm | Public affairs materials |
Common commercial classification model:
| Level | Typical Definition | Handling Implication |
|---|---|---|
| Public | Intended for public release | No special handling; can be freely shared |
| Internal Use | Internal business information, not for external sharing | Do not share outside organization; no special storage |
| Confidential | Sensitive business or customer data | Encrypt in transit and at rest; need-to-know access |
| Restricted / Highly Confidential | Most sensitive data — PII, financial, trade secrets, health records | Strongest controls; strict need-to-know; audit logging; enhanced encryption |
Classification criteria — what determines the level:
- Regulatory requirement — regulation sets a floor: in the commercial model above, HIPAA-covered PHI is classified at least Confidential regardless of how sensitive an individual record appears to its owner
- Harm from disclosure — Would disclosure embarrass the organization, create liability, harm individuals, or damage national security?
- Harm from modification — Would integrity breach cause financial harm, safety risk, or legal liability?
- Harm from unavailability — Would loss of access to this data halt critical business operations?
- Competitive sensitivity — Would disclosure give competitors material advantage?
Reclassification occurs when sensitivity changes over time. Merger discussions that are Restricted while the deal is negotiated become public knowledge once the merger is announced and should be reclassified downward to Public; a new regulatory requirement may force upward reclassification of data that was previously under-classified. Data owners are responsible for triggering reclassification reviews; security teams and legal counsel advise. A downgrade is a decision the owner records, and the controls tied to the old level are relaxed only after that decision, not before.
⚠️ Exam Trap: Data classification level determines minimum security controls — not maximum. An organization may choose to apply stronger controls than classification requires. However, applying weaker controls than classification demands is a compliance failure. Classification sets the floor.
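The criteria list, the regulatory floor in it, the reclassification case, and the Exam Trap above can be expressed as a small policy-as-code check. The following is an added example written for this edit, not code from the original page: it rates each harm criterion 0..3 against the commercial levels, takes the highest, lifts the result to any regulatory floor, and reports only the controls missing relative to the level's minimum set (controls beyond the floor are never flagged). Level names come from the commercial table above; the control names, the numeric ratings, the `trade_secret` floor, and the sample inventory are assumptions made for illustration.

```python
"""Added example (not from the original page): data-classification criteria,
regulatory floors, and minimum-control checks as policy-as-code.

Level names follow the commercial table in the text. Control names, the 0..3
harm ratings, and the trade_secret floor are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Ordered least to most sensitive; the list index doubles as a numeric rank.
LEVELS = ["Public", "Internal Use", "Confidential", "Restricted"]

# Minimum control set per level (the floor). Control names are assumed.
MIN_CONTROLS = {
    "Public": set(),
    "Internal Use": {"no_external_sharing"},
    "Confidential": {"no_external_sharing", "encrypt_in_transit",
                     "encrypt_at_rest", "need_to_know"},
    "Restricted": {"no_external_sharing", "encrypt_in_transit",
                   "encrypt_at_rest", "need_to_know", "audit_logging"},
}

# Category floors: data carrying a tag may not sit below the mapped level.
# PHI -> Confidential is stated in the text; trade_secret -> Restricted follows
# the commercial table and is an assumption here.
CATEGORY_FLOOR = {"PHI": "Confidential", "trade_secret": "Restricted"}


@dataclass
class DataAsset:
    name: str
    disclosure_harm: int       # each criterion rated 0..3 = index into LEVELS
    modification_harm: int
    unavailability_harm: int
    competitive_harm: int
    tags: set = field(default_factory=set)


def classify(asset: DataAsset) -> str:
    """Highest applicable harm sets the level; a regulatory floor can only raise it."""
    ratings = (asset.disclosure_harm, asset.modification_harm,
               asset.unavailability_harm, asset.competitive_harm)
    if any(r not in range(len(LEVELS)) for r in ratings):
        raise ValueError(f"{asset.name}: harm ratings must be 0..{len(LEVELS) - 1}")
    rank = max(ratings)
    for tag in asset.tags:
        if tag in CATEGORY_FLOOR:
            rank = max(rank, LEVELS.index(CATEGORY_FLOOR[tag]))
    return LEVELS[rank]


def control_gap(level: str, applied: set) -> set:
    """Required controls that are missing. Controls beyond the floor are never a gap."""
    return MIN_CONTROLS[level] - applied


def review(assets, applied_controls):
    """Classify each asset and report its control gap against that level's floor."""
    result = {}
    for asset in assets:
        level = classify(asset)
        result[asset.name] = (level, control_gap(level, applied_controls[asset.name]))
    return result


def demo():
    # Constructed inventory; every rating below is illustrative, not measured.
    assets = [
        DataAsset("press_kit", 0, 0, 0, 0),
        # Looks low-harm to its owner, but the PHI tag lifts it to the regulatory floor.
        DataAsset("clinic_appointment_log", 1, 1, 1, 0, {"PHI"}),
        # Competitive harm alone is enough to make negotiation documents Restricted.
        DataAsset("merger_term_sheet", 2, 0, 0, 3),
        # The same document after the merger is announced: sensitivity has dropped.
        DataAsset("merger_term_sheet_after_announcement", 0, 0, 0, 0),
    ]
    applied = {
        "press_kit": set(),
        "clinic_appointment_log": {"no_external_sharing"},
        # Stronger than the floor requires: the extra control is not a finding.
        "merger_term_sheet": MIN_CONTROLS["Restricted"] | {"hsm_backed_keys"},
        "merger_term_sheet_after_announcement": set(),
    }
    return review(assets, applied)


if __name__ == "__main__":
    for name, (level, gap) in demo().items():
        status = "OK" if not gap else "BELOW FLOOR, missing " + ", ".join(sorted(gap))
        print(f"{name:40s} {level:14s} {status}")
```

The design choice worth noting is that `control_gap` is a set difference in one direction only: it lists what the floor demands and the asset lacks, and says nothing about controls applied on top of the floor, which is exactly the "minimum, not maximum" point of the Exam Trap. Reclassification needs no separate code path; re-running `classify` on the asset's updated ratings is the review, and the owner's decision is what changes the ratings.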
Reflection Question: A healthcare organization classifies patient treatment records as "Confidential" and lab test results as "Internal Use." A security architect argues this is wrong. Who is right, and what regulatory framework determines the correct answer?