graphgrc

DAT-01: Data Classification

Objective

Ensure appropriate protection based on data sensitivity.

Description

All data is classified as Public, Internal, Confidential, or Restricted. Handling requirements are defined for each classification level.

Implementation Details

Classification Levels: Public (marketing), Internal (business docs), Confidential (customer PII), Restricted (payment data, PHI).

Labeling: Sensitive data stored in dedicated S3 buckets/RDS databases with classification tags.

Handling Rules: Restricted data requires encryption at rest and in transit. Access logged and monitored. Cannot be stored on endpoints.

Training: Annual data classification training for all employees.

Examples

• Customer PII stored in S3 bucket tagged ‘DataClassification=Confidential’
• No Restricted or Confidential data permitted in Slack or email
• Source code classified as Internal, deployed apps handle Confidential customer data
• Marketing materials classified as Public, customer contracts as Confidential

Audit Evidence

• Data classification policy
• AWS resource tags showing classifications
• Training completion records
• Data inventory with classifications

---

Framework Mapping

SOC 2

• CC6.6 ^[Data classification enables restricting access based on sensitivity (Public, Internal, Confidential, Restricted)]
• CC6.7 ^[Classification drives appropriate controls for transmission, movement, and removal of information]

GDPR

• Article 32 ^[Data classification is an organizational measure enabling appropriate security based on risk and data sensitivity]
• Article 5 ^[Classification supports data minimization and purpose limitation principles]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

Standards:

• Data Classification Standard ^[Four-tier classification: Public, Internal, Confidential, Restricted with specific protection requirements]

Policies:

• Baseline Security Policy ^[Classifies data as Public/Internal/Confidential/Restricted with handling requirements]
• Data Access Policy ^[Four-tier classification (Public/Internal/Confidential/Restricted) with access principles: least privilege, need-to-know, purpose limitation]

Charter:

• Information Security Program Charter ^[Program component: data classification and handling standards]

This site is open source. Improve this page.