graphgrc

Data Classification Standard

Defines how to classify data based on sensitivity and required protection levels.

Scope

All data created, processed, stored, or transmitted by the organization.

Classification Levels

Public

Definition: Information intended for public consumption.

Examples: Marketing materials, published blog posts, public documentation

Requirements:

• No access restrictions required
• Can be shared freely

Internal

Definition: Information for internal business use, not sensitive.

Examples: Project plans, internal wikis, company announcements, source code

Requirements:

• Accessible to employees only
• Do not share outside the organization without approval
• OK to store in SaaS tools (Slack, Google Workspace)

Confidential

Definition: Sensitive business or customer information that could cause harm if disclosed.

Examples: Customer PII (names, emails, addresses), financial data, contracts, security assessments, non-public product roadmaps

Requirements:

• Encrypt at rest and in transit
• Access logged and monitored
• Access based on role/need-to-know
• Cannot be stored on local laptops (use cloud storage only)
• Do not share in Slack/email without encryption
• Annual access reviews required

Restricted

Definition: Highly sensitive data with regulatory requirements or severe impact if disclosed.

Examples: Payment card data (PCI), health information (HIPAA), passwords/secrets, cryptographic keys, social security numbers, authentication tokens

Requirements:

• All Confidential requirements plus:
• Encrypt with KMS customer-managed keys
• MFA required for access
• Quarterly access reviews
• Cannot be logged or transmitted to third-party services
• Must be stored in approved systems only (no general-purpose databases)

Labeling Requirements

• AWS resources: Use DataClassification tag
• S3 buckets: Bucket name or tag indicates classification
• Documentation: Header or filename indicates classification
• Databases: Schema/table naming conventions

References

• Related controls: DAT-01, DAT-02, DAT-03
• Related policies: baseline-security-policy.md

Control Mapping

• DAT-01: Data Classification ^[Four-tier classification: Public, Internal, Confidential, Restricted with specific protection requirements]
• DAT-02: Encryption ^[Confidential and Restricted data must be encrypted at rest and in transit]
• ACC-02: Least Privilege & RBAC ^[Access to Confidential and Restricted data based on role and need-to-know]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.