3.2.1. Handling Requirements by Classification Level
💡 First Principle: Handling requirements should be proportional to the classification level — and they should be specific enough that an employee making a real-time decision (can I email this? can I print this? what USB drives are approved?) can act correctly without consulting a lawyer.
Comprehensive handling requirements matrix:
| Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|
| Labeling | Not required | Recommended | Required | Required — specific marking |
| Email transmission | Allowed | Allowed unencrypted internally | Encrypt if external | Encrypt always; DLP monitoring |
| Cloud storage | Allowed in any approved cloud | Approved cloud only | Approved cloud with encryption | On-premises or approved private cloud only |
| Printing | Unrestricted | Standard office printers | Secure print release | Designated secure printers; shredding required |
| Removable media | Allowed | Allowed | Encrypted media only | Prohibited or highly restricted |
| Access control | Public-facing | Role-based access | Need-to-know + logging | Strict need-to-know + MFA + enhanced logging |
| Disposal | Recycle bin | Standard deletion | Secure erasure | Physical destruction or cryptographic erasure |
| Third-party sharing | Allowed | NDA required | DPA + NDA + contract requirements | Prohibited or requires executive approval + contracts |
Labeling and marking — classification labels should appear on:
- Document headers and footers (paper and digital)
- Email subject lines or message body for sensitive emails
- File and folder names in systems that don't support metadata labeling
- Storage media labels
- System login banners for systems containing classified data
Transmission security — the key principle is that data in transit is most vulnerable because it traverses infrastructure you don't control. Minimum requirements:
- Public / Internal: TLS 1.2+ for external transmission
- Confidential: TLS 1.2+ (preferably 1.3); certificate validation required; no self-signed certificates
- Restricted: TLS 1.3 or IPsec; end-to-end encryption preferred; DLP monitoring of outbound channels
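The TLS minimums above can be enforced in client code and checked after the fact in connection logs. The following is an added example, not part of the original material: it builds a Python `ssl` client context per classification level and audits logged connection records against the same policy. The record field names (`tls_version`, `cert_verified`, `self_signed`) are hypothetical, applying the Confidential certificate rule to Restricted as well is an assumption, and the IPsec, end-to-end encryption and DLP items are out of scope.

```python
import ssl

# Minimum TLS version per classification level, taken from the list above.
MIN_TLS = {
    "public": ssl.TLSVersion.TLSv1_2,
    "internal": ssl.TLSVersion.TLSv1_2,
    "confidential": ssl.TLSVersion.TLSv1_2,
    "restricted": ssl.TLSVersion.TLSv1_3,
}
# Levels held to the certificate rules (Restricted inheriting them is an assumption).
STRICT_CERT_LEVELS = {"confidential", "restricted"}


def client_context(level):
    """Return a client SSLContext that refuses anything below the level's minimum."""
    minimum = MIN_TLS[level]  # KeyError on an unknown level: fail closed
    # Defaults: CERT_REQUIRED, hostname checking, system trust store. A self-signed
    # server certificate that is not in the trust store fails the handshake.
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def audit_connection(level, record):
    """Check one logged connection (hypothetical field names) against the policy."""
    minimum = MIN_TLS[level]  # KeyError on an unknown level: fail closed
    violations = []
    name = (record.get("tls_version") or "").replace(".", "_")  # "TLSv1.2" -> "TLSv1_2"
    version = ssl.TLSVersion.__members__.get(name)
    if version is None:
        violations.append("no_tls")
    elif version < minimum:
        violations.append("tls_below_minimum")
    if level in STRICT_CERT_LEVELS:
        if not record.get("cert_verified", False):
            violations.append("cert_not_validated")
        if record.get("self_signed", False):
            violations.append("self_signed_cert")
    return violations


# Constructed sample records, not taken from any real log.
SAMPLES = [
    ("restricted", {"tls_version": "TLSv1.2", "cert_verified": True, "self_signed": False}),
    ("confidential", {"tls_version": "TLSv1.3", "cert_verified": True, "self_signed": True}),
    ("internal", {"tls_version": None}),
]
if __name__ == "__main__":
    for level, rec in SAMPLES:
        print(level, audit_connection(level, rec))
```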
⚠️ Exam Trap: Physical handling requirements apply to both physical documents and physical media. A classified document printed on paper and left on a desk violates the handling requirement for that classification — digital-only thinking misses physical exposure. The exam tests physical handling gaps as much as digital ones.
Reflection Question: An employee emails a document containing 500 customer Social Security Numbers to an external accounting firm. The document is classified as "Restricted." Identify at least three specific handling requirement violations in this scenario, and state which controls would have prevented each.