Data classification labels help determine how much security a piece of data requires.The higher the classification, the more security controls required to protect the data.

Data classification requirements can often be driven by legal or contractual requirements. In this blog article we are assuming that your organization does not have any specific legal data classification requirements or a data classification scheme it must comply with. With that being said, here are three classification labels that your small business can leverage.

Definition: For use within the company only. Requires special precautions to ensure data integrity and confidentiality is maintained

Examples: Trade Secrets, healthcare information, information that keeps the company competitive

High Impact of Lost or Compromised: Data loss or compromise could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, or other organizations.

Definition: Requires special precautions to ensure data integrity and confidentiality is maintained.

Examples: Financial information, project details, profit earnings and forecast, and PII.

Moderate Impact of Lost or Compromised: Data loss or compromise could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals’ or other organizations.

Definition:Disclosure is not welcome, but disclosure would not have an adverse impact on the organization or personnel.

Examples: Information on upcoming projects, Number of personnel working on a project.

Low Impact of Lost or Compromised: Data loss or compromise could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals’ or other organizations.

For most small organizations three classification labels are sufficient. The more labels you have the more difficult it becomes to classify your data and apply the necessary security controls for the data.