Highly sensitive information such as business information, personnel information, and customer nonpublic personally identifiable information (PII) need classification and retention processes in place to help an organization understand what data may be used, its availability, location, what access, and integrity and security levels are required. The unauthorized disclosure or compromise of your information could have an adverse impact on your competitive position, business reputation, or embarrass an individual. To ensure protection that your data is consistent with all applicable laws and regulations, particularly with respect to protected health and financial information, organizations must identify and classify handling of all documents, e-files, and more to safeguard both the integrity and availability of your data.

Three categories of classification may be confidential, sensitive, and public as examples to use in your baseline security control framework to protect your data. Along with classification, data retention under a record management system (RMS) and process will empower more visibility into how physical and electronic files are handled throughout your organization. The records life cycle includes the systematic and efficient control of creation, maintenance, and destruction of the records and business transactions. Retain only the information that is necessary so you can take the most risk-adverse approach to your company’s security.

In the context of information security, data classification is based on its level of sensitivity and the impact to the business: should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications: confidential, sensitive, or public.

Considers whether the data provides your organization a competitive advantage, or unauthorized disclosure would cause a moderate to severe damage to your business or to an individual, loss of customer confidence, regulatory investigation, and/or severe damage to your organization’s public image.

Is generally available to your internal teams but would face consequences if released externally. Information that may be unfavorable to announce may describe an important operation process at your company or any technical or financial aspect of a product line or department. Disclosure of such could cause a severe loss of market share or the ability to be first to market.

May be considered valuable to your company but unauthorized access, disclosure or destruction of that data poses little to no risk to your company or stakeholders. This data is often publicly available through press releases, research publications or public websites. Other examples of public information can be employee’s names, company address, and public financial statements.

Records are informational assets that hold value to your business and stakeholders and are evidence of what your business does. They capture business correspondences, personnel files, contract negotiation, policies, and financial statements. The way your company processes, stores, and preserves critical and non-critical information can directly affect its ability to comply with legal regulations, requests for records, and recover from disasters. To be compliant with data regulations, your organization should not only classify sensitive information but take advantage of configuring automatic labelling smart rules for confidential, sensitive and public information retention and destruction.