Data Classification Template

Data Classification Template
blank
blank
blank
1. General Information
blank
blank
blank
blank
ORGANIZATION
[Insert name of organization here]
DATE ADOPTED
[Insert date adopted here]
2. Data Classification Levels
Public
Sensitive
Confidential
Regulated
Definition
Information that is freely and without reservation made available

to the public.
Information that could be subject to release under an open records Information that typically is excepted from the Public Information
requests, but should be controled to protect third parties
Act
Information that is controlled by a state or federal regulation or

other 3rd party agreement
Justification
Access to some information, such as published reports, agency

news, and other public related materials, does not need to be
tracked or monitored. In such circumstances, it is most efficient to
keep the information available for citizen access without requiring
the intervention of state employees.
Some information, even though it is available to the public, may

contain sensitive information. Such data should be vetted/verified
before it is released. By protecting access to the data and requiring
an open records request, the organization ensures that the most
accurate and relevant data is provided to the requestor without
accidentally disclosing confidential data.
State agencies and institutes of higher education collect and

maintain some information that is protected from disclosure either
through a codified exception to the Public Information Act or
through opinions or decisions of the Attorney Generals Public
Information office. Such information may also be subject to breach
notification requirements under Texas law.
Many agencies and institutes of higher education interact with the

federal government or perform services that are regulated by
federal rules and laws. In such instances, the information
maintained by those agencies must comply with federal controls.
Examples
Information that is published to the public website and requires no Data that meets the definition of PII under the Texas Business and
authentication
Commerce Code 521.002(a)(1) and 521.002(a)(2)
Agency publications
Employee Records
Press releases
Gross Salary Information
Public web postings
Data that has been excepted from public release under the Texas
Government Code Ch. 552 or data, whose pubic release, may
result in adverse consequences to the organization
Attorney-Client communications
Computer Vulnerability Reports
Protected draft communications
Net salary information
Data that meets the definition of SPI under the Texas Business and
Commerce Code 521.002(a)(1) and 521.002(a)(2): HIPAA Security
(45 CFR Parts 164), PCI DSS v2.0, FTI, FICA, tax information
Consequence of Public Disclosure
No adverse consequences
Loss of reputation
Loss of trust
Potential criminal or civil penalties
Federal investigation or loss of right to collect revenue
Sample Security Controls
blank
blank
blank
blank
3. Roles and Responsibilities
Public
Sensitive
Confidential
Regulated
Data Custodian
Ensure systems support access controls which enforce data

classification

classification

classification

classification
Data Owner
Identify the classification level of data

Review audit logs

Review audit logs

Review audit logs

Review audit logs
Information Security Officer
Develop and maintain information security policies,

procedures, and guidelines
Provide guidance on data classifications



Legal and/or Privacy Office

(Public Information Officer)

procedures, and guidelines.



Managers
n/a
Ensure users are aware of data classification requirements

Monitor user activities to ensure compliance


Users
n/a
Identify, and Label where appropriate, Data

Properly Dispose of Data


DATA CLASSIFICATION TEMPLATE
PAGE 1 OF 5
4. Data Controls
Public
Sensitive
Confidential
Regulated
Marking
n/a
All sensitive data shall be marked as such

Special handling instructions must be provided
Handling
n/a
n/a
Confidential data shall only be given to those persons with

authorization and a need to know
Confidential data shall only be given to those persons with

authorization and a need to know
Duplication
n/a
Mailing
n/a
Information to be duplicated for business purposes or in

response to an "Open Records" request only
n/a
Employees can duplicate confidential documents with data

owners authorization
n/a
Employees can duplicate confidential documents with data

owners authorization
Confirmation of receipt required
May require double-packaged delivery. Outside of the
package is not marked. Inside paperwork is appropriately
marked.
Disposition
Disposition based on requirements of the records retention Disposition based on requirements of the records retention Disposition based on requirements of the records retention
schedule.
schedule.
schedule.
Physical destruction required (e.g. shredding)
Destruction must be verified by agency personnel
Disposition based on requirements of the records retention

schedule.
Physical destruction required (e.g. shredding)
Destruction must be verified by agency personnel
Storage of hardcopy
Store a "Master copy" in compliance with records retention Store a "Master copy" in compliance with records retention
schedule.
schedule.
Documents should be locked up when not in use (e.g., in
locked desk, cabinet or office)
Store a "Master copy" in compliance with records retention

schedule.
Store a "Master copy" in compliance with records retention

schedule.
Storage on fixed media
n/a
Access is password controlled

Encryption required

Encryption required
Storage on removable media
n/a
Encryption recommended
Encryption required.
Encryption required.
5. Access Controls
Public
Sensitive
Confidential
Regulated
Granting Access Rights
No Restrictions
Data owner only
Data owner only
Data owner only
Read Access
Information owner defines permissions by user/role
Update Access

Controls (e.g., separation of duties) needed for processes
and transactions that are susceptible to fraudulent or other
unauthorized activities

Access highly restricted or controlled

Access highly restricted or controlled
Delete Access


6. Transimssion Controls
Public
Sensitive
Confidential
Regulated
Print Controls
No restrictions
Information owner define permissions
Output routed to pre-defined printer and monitored or secure Output routed to pre-defined printer and monitored or secure
printing enabled
printing enabled
Transmission by public network
No restrictions
Encryption Recommended
Encryption Required
Encryption Required
Release to Third Paries
No restrictions
No restrictions
Owner Approval and Non-Disclosure Agreement
Owner Approval and Non-Disclosure Agreement

Each page if loose sheets
Front and back covers, and title page if bound

Each page if loose sheets
Front and back covers, and title page if bound
PAGE 2 OF 5
7. Audit Controls
Public
Sensitive
Confidential
Regulated
Tracking Process by Log
n/a
n/a
Recipients, Copies Made, Locations, Addresses, Those Who

Viewed, and Destruction
Recipients, Copies Made, Locations, Addresses, Those Who

Viewed, and Destruction
Auditing acess activity
n/a
IT system should be configured to log all violation attempts.

Audit trails should be maintained to provide for accountability
of modifications to information resources and for all changes
to automated security/access rules


Retention criteria for Access

Reports
Logs must be retained in accordance with records retention

guidelines

guidelines

guidelines

guidelines
Retention criteria for Access

Reports
Classification review cycle
timeframe
n/a
The owner determines retention of violation logs
Review & affirm date must be set but flexible, i.e., 1-2 years
Review & affirm date must be set but flexible, i.e., 1-2 years
Info Owner must review & affirm all info classification and
user rights, not to exceed 1 year
Info Owner must review & affirm all info classification and
user rights, not to exceed 1 year
8. Notification Requirements
Public
Sensitive
Confidential
Regulated
Required Disclosure to Data Subject No disclosure of public information
No disclosure of public information
Required Disclosure to Public
Required Disclosure to Federal

Partners
Required Disclosure to State

Partners
Required Disclosure to Third Parties No disclosure of public information
PAGE 3 OF 5
Term
Definition
Reference

Data Classification Template

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Read this document in other languages

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Data Classification Template

Uploaded by

Copyright:

Available Formats

Data Classification Template

[Insert name of organization here]

[Insert date adopted here]

2. Data Classification Levels

Information that is freely and without reservation made available

Information that is controlled by a state or federal regulation or

Access to some information, such as published reports, agency

Some information, even though it is available to the public, may

State agencies and institutes of higher education collect and

Many agencies and institutes of higher education interact with the

Consequence of Public Disclosure

Potential criminal or civil penalties

Federal investigation or loss of right to collect revenue

Sample Security Controls

3. Roles and Responsibilities

Ensure systems support access controls which enforce data

Ensure systems support access controls which enforce data

Ensure systems support access controls which enforce data

Ensure systems support access controls which enforce data

Identify the classification level of data

Identify the classification level of data

Identify the classification level of data

Identify the classification level of data

Information Security Officer

Develop and maintain information security policies,

Develop and maintain information security policies,

Develop and maintain information security policies,

Develop and maintain information security policies,

Legal and/or Privacy Office

Develop and maintain information security policies,

Develop and maintain information security policies,

Develop and maintain information security policies,

Develop and maintain information security policies,

Ensure users are aware of data classification requirements

Ensure users are aware of data classification requirements

Ensure users are aware of data classification requirements

Identify, and Label where appropriate, Data

Identify, and Label where appropriate, Data

Identify, and Label where appropriate, Data

DATA CLASSIFICATION TEMPLATE

All sensitive data shall be marked as such

Confidential data shall only be given to those persons with

Confidential data shall only be given to those persons with

Information to be duplicated for business purposes or in

Employees can duplicate confidential documents with data

Employees can duplicate confidential documents with data

Disposition based on requirements of the records retention

Store a "Master copy" in compliance with records retention

Store a "Master copy" in compliance with records retention

Storage on fixed media

Access is password controlled

Access is password controlled

Access is password controlled

Storage on removable media

Granting Access Rights

Data owner only

Data owner only

Data owner only

Information owner defines permissions by user/role

Information owner defines permissions by user/role

Information owner defines permissions by user/role

Information owner defines permissions by user/role

Information owner defines permissions by user/role