In this room, you'll learn how organizations protect their most valuable asset: data. We'll explore why different types of information need different levels of protection and how to systematically categorize data based on its sensitivity. Whether you're handling customer information, company secrets, or public communications, understanding data classification is essential for anyone working in technology or security.

Data classification isn't just an IT concern, it's a business necessity that affects legal compliance, customer trust, and organizational security. By the end of this room, you'll understand how to identify sensitive data, apply appropriate security measures, and contribute to your organization's data protection efforts.

Learning Objectives

• Understand what data classification is and why it matters
• Identify different classification levels and their requirements
• Apply classification criteria to real-world data examples
• Match appropriate security controls to classification levels
• Implement basic data protection principles in your work

Prerequisites

• Basic understanding of computer systems
• Familiarity with general security concepts
• No prior data classification knowledge required

How to Approach This Room

• Read each task carefully and don't skip the examples
• Pay attention to the real-world scenarios-they show practical application
• The questions test your understanding of key concepts
• Take notes on classification levels and their associated controls

Optional Video

This optional video covers the fundamental concepts of data classification and security. It's helpful but not required to complete the room.

Data classification is the process of organizing data into categories based on its sensitivity, value, and risk to the organization. Think of it like sorting laundry, you wouldn't wash delicate silk shirts with heavy work jeans. Similarly, you don't protect public marketing materials the same way you protect employee social security numbers.

Organizations classify data to ensure appropriate protection levels, comply with regulations, and manage resources efficiently. Without classification, everything gets the same protection, which means either over-protecting unimportant data (wasting resources) or under-protecting critical data (creating security risks).

Why Classification Matters

Consider a hospital patient record. It contains:

• Public information: visiting hours (low sensitivity)
• Internal information: staff schedules (medium sensitivity)
• Confidential information: patient medical history (high sensitivity)

Each type needs different handling. The visiting hours can be posted online, staff schedules stay internal, and medical records require strict confidentiality.

Data Classification Examples

Data Type	Sensitivity Level	Example
Public Information	Low	Company newsletter, marketing brochures
Internal Operations	Medium	Meeting notes, department budgets
Confidential Data	High	Customer databases, employee records
Restricted Data	Very High	Financial reports, trade secrets

Below is a visual demonstration of how different data types flow into classification categories:

Practical Scenario

You work at a retail company. The marketing team creates a new product brochure (public data), the finance team prepares quarterly earnings (restricted data), and HR updates employee contact information (confidential data). Each requires different handling procedures based on its classification level.

Most organizations use four main classification levels, though names may vary. These levels create a clear hierarchy of data sensitivity and protection requirements. Understanding these levels helps ensure consistent handling across the organization.

The Four Core Levels

1. Public - Information that can be freely shared with anyone
2. Internal - Information for employees only, not for public release
3. Confidential - Sensitive information requiring strict access controls
4. Restricted/Secret - Highly sensitive information with severe consequences if exposed

Below is a visual demonstration of the classification hierarchy from least to most sensitive:

Classification Level Comparison

Level	Who Can Access	Protection Required	Examples
Public	Anyone	Basic integrity checks	Website content, press releases
Internal	Employees only	Access controls, basic security	Meeting notes, internal policies
Confidential	Authorized personnel only	Strong access controls, encryption	Customer data, employee records
Restricted	Specifically authorized only	Maximum security, strict monitoring	Financial data, trade secrets, legal documents

Access and Protection Requirements

Each classification level determines:

• Who can access (the data)
• How it's stored (encrypted or not)
• How it's transmitted (secure channels)
• How it's disposed of (shredding, secure deletion)
• What happens if breached (notification requirements)

Classification Scenario

A software company has:

• Public: Product tutorials on their website
• Internal: Team project timelines in SharePoint
• Confidential: Customer support tickets with personal information
• Restricted: Source code for unreleased products

Each requires progressively stronger security measures as you move up the classification levels.

Classifying data isn't a guessing game, it follows a systematic process using clear criteria. This ensures consistency and objectivity in how data is categorized across the organization.

The Classification Workflow

1. Identify the data - What information are we classifying?
2. Apply classification criteria - How sensitive is it?
3. Determine the level - Which classification tier applies?
4. Document the decision - Record why this level was chosen
5. Apply controls - Implement appropriate security measures
6. Review periodically - Reassess as data or context changes

Key Classification Criteria

When deciding how to classify data, consider these factors:

Criteria	Questions to Ask	Impact on Classification
Sensitivity	How sensitive is this information?	Higher sensitivity = higher classification
Business Impact	What happens if this data is exposed?	Greater impact = higher classification
Legal Requirements	Are there laws governing this data?	Legal mandates dictate minimum classification
Value to Organization	How valuable is this data to us?	Higher value = higher classification
Access Needs	Who needs to use this data regularly?	Broader access needs may lower classification

Responsibility for Classification

• Data Owners (business units): Understand the data's purpose and value
• Security Team: Know protection capabilities and risks
• Legal/Compliance: Understand regulatory requirements
• Employees: Follow classification guidelines in daily work

Practical Classification Exercise

You need to classify a new employee training manual. Ask:

1. Sensitivity: Contains general procedures (low)
2. Business Impact: If exposed, minimal competitive harm (low)
3. Legal Requirements: No specific regulations apply (none)
4. Value: Useful for training but not unique (medium)
5. Access Needs: All employees need access (high)

Result: Likely "Internal" classification-most employees need it, but it shouldn't be public.

Once data is classified, you must apply appropriate security controls. Different classification levels require different protection methods. Controls are the specific measures that protect data based on its classification level.

Types of Security Controls

1. Administrative Controls - Policies, procedures, training
2. Technical Controls - Software, encryption, access systems
3. Physical Controls - Locks, cameras, secure facilities

Controls by Classification Level

Classification	Administrative Controls	Technical Controls	Physical Controls
Public	Basic usage policies	Basic integrity checks	General office security
Internal	Employee training, access policies	Login requirements, basic monitoring	Locked offices, badge access
Confidential	Strict access policies, regular audits	Encryption, detailed logging, access controls	Secure storage, limited access areas
Restricted	Need-to-know basis, frequent audits	Strong encryption, multi-factor authentication	Safes, biometric access, monitored areas

Defense in Depth

This concept means using multiple layers of protection. If one control fails, others still provide security. For example, confidential data might have: encryption (technical), access policies (administrative), and locked filing cabinets (physical).

Control Selection Scenario

For customer credit card information (Confidential level):

• Administrative: Access policies, employee training on PCI compliance
• Technical: Encryption in storage and transmission, access logging
• Physical: Secure server room, restricted access area

For internal meeting notes (Internal level):

• Administrative: Employee guidelines
• Technical: Password protection on shared drive
• Physical: General office security

Congratulations! You've completed the Data Classification & Security Fundamentals room. You've learned how organizations systematically categorize their data and apply appropriate security measures based on sensitivity levels.

Key Takeaways

• Data classification organizes information based on sensitivity, value, and risk
• Four common levels exist: Public, Internal, Confidential, and Restricted
• Classification follows a systematic process using clear criteria
• Security controls must match the classification level of the data
• Proper classification balances protection needs with practical access requirements
• Everyone in an organization plays a role in data protection

What You Should Now Understand

You should now be able to:

• Explain why data classification matters to organizations
• Identify different classification levels and their characteristics
• Apply basic classification criteria to real data examples
• Match appropriate security controls to classification levels
• Recognize classification and protection requirements in your work environment

Applying Your Knowledge

Use what you've learned to:

• Identify classification levels of data you work with
• Follow organizational data handling procedures
• Suggest appropriate protection for sensitive information
• Recognize when data might be over- or under-protected
• Participate in classification discussions with more confidence

Next Steps

Continue your cybersecurity learning with rooms on specific security controls, compliance requirements, or data protection regulations. Remember that data classification is foundational-mastering it helps you understand more advanced security topics.