Data or document classification: The benefit is that a company can prioritize and allocate the security resources required to protect data or documents according to their classification.
Companies should have a consistent data or document classification methodology. Not all data are confidential: some are more confidential than others, some are for private use, and some are for public consumption. How data is classified depends on the company's context. However, there are some general tips for classifying data:
1. Usefulness, timeliness, value, age, and lifetime (or when it expires) of the data
2. Data disclosure/modification damage assessment
3. Who has access to the data and who is restricted from it
4. National security implications of the data
These are the typical business/private sector classifications of data or documents:
Confidential - Highest level. Used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for the company if confidential data is disclosed.
Private - Used for data that is of a private or personal nature and intended for internal use. A significant negative impact can occur for the company or individuals if private data is disclosed.
Sensitive - A negative impact could occur if the data is disclosed.
Public - Disclosure does not have a serious negative impact on the organization. This is also the default classification bucket for data that does not fit the above categories.
Declassification is the process of changing the classification category of data or a document: if data or a document no longer warrants its current protection level, it is classified into a different level.
Thought #8: Why is declassification very important?




