3.7
IG2 IG3

Establish and Maintain a Data Classification Scheme

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Identify

Description

Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Mishandling of Sensitive Data Due to Unknown Classification

Confidentiality

Employees share, store, or transmit highly sensitive data using insecure channels because there is no classification scheme to communicate the data's sensitivity level.

Insufficient Protection for High-Value Data

Confidentiality

Without classification labels, all data receives the same baseline protection level, leaving highly sensitive data with inadequate controls while over-protecting low-value data.

Vulnerabilities (When Safeguard Absent)

No Data Classification Scheme

Without defined classification labels and criteria, employees have no framework for determining how to handle data, leading to inconsistent and often inadequate protection.

Unable to Apply Risk-Based Data Protections

Without classification, security controls cannot be proportionally applied based on data sensitivity, resulting in either excessive cost or insufficient protection.

Evidence Requirements

| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |