1. Purpose
Establish a framework for classifying [ORGANIZATION]'s data assets and define handling requirements for each classification level to ensure appropriate protection throughout the data lifecycle.
2. Scope
This policy applies to all data created, collected, stored, processed, transmitted, or disposed of by [ORGANIZATION], regardless of format (electronic, paper, or verbal) or location (on-premises, cloud, or third-party systems).
3. Policy
3.1 Data Classification Levels
[ORGANIZATION] shall classify all data into the following categories: Public (data intended for public release), Internal (data for general internal use), Confidential (data requiring protection due to business sensitivity), and Restricted (data requiring the highest level of protection due to regulatory, legal, or critical business requirements).
Data shall be classified based on the potential impact of unauthorized disclosure, modification, or loss, considering legal, regulatory, contractual, and business requirements.
Data owners shall be responsible for classifying data within their domain and shall review classifications at least [CUSTOMIZE: annually/bi-annually].
When data from multiple classification levels is combined, the combined dataset shall be classified at the highest applicable level. Where combining lower-classified data produces a dataset more sensitive than any of its parts, the data owner shall reassess and, if warranted, assign a higher classification.
3.2 Data Handling Requirements
Public data: No confidentiality controls required. May be freely shared externally. Integrity of published data shall still be maintained, and release shall be authorized by the data owner.
Internal data: Shall not be shared externally without authorization. Stored on [ORGANIZATION]-managed systems. Access limited to authenticated [ORGANIZATION] personnel.
Confidential data: Access restricted to authorized personnel with a business need. Encrypted in transit and at rest. Access logged and monitored. Sharing requires data owner approval.
Restricted data: Access restricted to specifically authorized individuals. Encrypted in transit and at rest in accordance with [CUSTOMIZE: approved cryptographic standard]. All access logged, monitored, and regularly audited. Multi-factor authentication required for all access. Sharing requires [CUSTOMIZE: CISO/executive] approval with documented justification.
3.3 Data Labeling
Data assets classified as Confidential or Restricted shall be clearly labeled with their classification level in document headers, footers, or metadata.
Electronic files shall include classification metadata where technically feasible.
Email containing Confidential or Restricted data shall include the classification level in the subject line prefix (e.g., [CONFIDENTIAL]).
3.4 Data Flow Documentation
[ORGANIZATION] shall maintain documentation of data flows for Confidential and Restricted data, including: data sources, processing systems, storage locations, transmission paths, and authorized recipients.
Data flow documentation shall be reviewed and updated at least [CUSTOMIZE: annually/quarterly] or when significant changes occur.
Data flow documentation for Confidential and Restricted data shall identify the data protection controls applied at each stage of the flow.
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval
Approved By: ______________________
Title: ______________________
Date: ______________________
Document Control