Data classification policy
data-classification-policy
Domain: cybersecurity
Type: policy
Description
Data classification is the foundational schema that the rest of the data-protection program is built on: every other control (encryption, retention, access management, transfer rules, breach-response thresholds) needs to know which tier of data it is operating on, and the classification policy is the single document that defines the tiers and their handling rules. Most modern programs settle on four to six tiers; the typical split is public, internal, confidential, and regulated (with regulated subdividing into PII, PHI, PCI, and any sectoral category that applies). Per-tier handling typically covers encryption requirements (at rest and in transit), retention boundaries, access-control posture (need-to-know, role-based, attribute-based), geographic restrictions where data-localization rules apply, and incident-response thresholds. The structurally interesting piece is that the policy has to be operationalizable, not just doctrinally correct: a tier scheme that engineers and product managers cannot apply consistently in practice will produce inconsistent classifications in the data inventory, and those errors propagate into wrong decisions everywhere downstream. Most programs find that the classification policy and the data inventory iterate on each other for the first 12 to 18 months before stabilizing.
Fulfilled by (1)
- In-house build · medium effort
ClearLaunch does not accept payment from vendors.
Evidence formats
- classification policy
- data-tier mapping
- tier-handling matrix