IG2 IG3

Establish and Maintain a Data Classification Scheme

Control Group: 3. Data Protection

Asset Type: Data

Security Function: Identify

Description

Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1

Document current state and create baseline inventory

2

Define data fields and attributes to track

3

Assign ownership and responsibilities

4

Establish review cadence and update procedures

Tool Recommendations

Microsoft Purview Forrester Wave Leader, Data Security Platforms 2023

Data governance and compliance platform with DLP, information protection, sensitivity labels, and insider risk management

Microsoft · Per-user subscription (E5/standalone)

Symantec DLP Forrester Wave Leader, Data Security Platforms 2023

Enterprise data loss prevention covering endpoint, network, storage, and cloud channels with policy-based content inspection

Broadcom · Enterprise license

Netskope Data Protection Gartner MQ Leader, SSE 2024; Forrester Wave Leader, Data Security 2023

Cloud-native DLP and CASB platform providing inline data protection for SaaS, IaaS, web, and endpoint

Netskope · Per-user subscription

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Mishandling of Sensitive Data Due to Unknown Classification

Confidentiality

Employees share, store, or transmit highly sensitive data using insecure channels because there is no classification scheme to communicate the data's sensitivity level.

Insufficient Protection for High-Value Data

Confidentiality

Without classification labels, all data receives the same baseline protection level, leaving highly sensitive data with inadequate controls while over-protecting low-value data.

Vulnerabilities (When Safeguard Absent)

No Data Classification Scheme

Without defined classification labels and criteria, employees have no framework for determining how to handle data, leading to inconsistent and often inadequate protection.

Unable to Apply Risk-Based Data Protections

Without classification, security controls cannot be proportionally applied based on data sensitivity, resulting in either excessive cost or insufficient protection.

Evidence Requirements

Type	Evidence Item	Collection Frequency
Document	Current inventory or catalog documentation	Maintained continuously, reviewed quarterly
Document	Process/procedure documentation for identification activities	Reviewed annually
Document	Governing policy document (current, approved, communicated)	Reviewed annually

Related Policy Templates

Data Classification and Handling Policy

Control 3

Related Safeguards in Control 3

3.1 Establish and Maintain a Data Management Process

3.2 Establish and Maintain a Data Inventory

3.3 Configure Data Access Control Lists

3.4 Enforce Data Retention

3.5 Securely Dispose of Data

3.6 Encrypt Data on End>User Devices

3.8 Document Data Flows

3.9 Encrypt Data on Removable Media

3.10 Encrypt Sensitive Data in Transit

3.11 Encrypt Sensitive Data at Rest

3.12 Segment Data Processing and Storage Based on Sensitivity

3.13 Deploy a Data Loss Prevention Solution

3.14 Log Sensitive Data Access