ELI5: What are Classification Criteria?
How do you decide which toys are your favorites? Maybe by how much you play with them or how sad you’d be if they broke. Classification criteria are the questions a company asks to decide how important or secret a piece of data is.
Definition
Data classification criteria are the factors an organization uses to determine how sensitive a piece of data is and what classification level it should receive. The primary criteria include: regulatory requirements (does a law mandate special handling?), business value (how critical is this data to operations?), sensitivity (how confidential is the information?), and impact if disclosed (what is the consequence of unauthorized access or exposure?).
Key Details
- Regulatory requirements drive classification for data types like PHI (HIPAA), PII (GDPR), and cardholder data (PCI DSS)
- Business value: trade secrets, intellectual property, and financial models may be highly sensitive even without regulatory requirements
- Sensitivity considers the intended audience: data can be inappropriate for public disclosure (internal-only) even when no law restricts it
- Impact if disclosed: high-impact data (e.g., merger plans, patient records) warrants a higher classification
- Classification criteria should be documented in the data classification policy and applied consistently
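As an added example (not code from the original entry), the Python below applies the four criteria to a handful of constructed records and assigns the highest level any criterion triggers. Everything concrete in it is an assumption of the example rather than something the entry prescribes: the four level names, the tag keys `audience`, `business_value` and `impact` that a data owner would supply, the regex detectors for card numbers, SSNs and PHI markers, and the Luhn check used to keep random digit runs from being misread as cardholder data.

```python
"""Rule-based evaluator for data classification criteria (added example)."""
import re
from dataclasses import dataclass, field

# Assumed level scheme, ordered least to most sensitive. When several
# criteria apply, the highest level wins (an assumption of this example).
LEVELS = ("public", "internal", "confidential", "restricted")


def higher(a: str, b: str) -> str:
    """Return the more sensitive of two levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: real card numbers pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Assumed detectors. Card numbers: 13-19 digits, optional space/hyphen separators.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHI_MARKERS = re.compile(r"\b(?:patient|mrn|diagnosis|icd-10)\b", re.IGNORECASE)

# Assumed mapping from an owner-supplied impact rating to a level.
IMPACT_TO_LEVEL = {"low": "internal", "medium": "confidential", "high": "restricted"}
HIGH_VALUE_TAGS = {"trade_secret", "intellectual_property", "financial_model"}


@dataclass
class Record:
    text: str                                # the data itself
    tags: dict = field(default_factory=dict)  # owner-supplied metadata (assumed keys)


def find_pan(text: str):
    """Return the first digit run that looks like a card number and passes Luhn."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            return digits
    return None


def classify(rec: Record):
    """Apply the four criteria and return (level, reasons)."""
    # Sensitivity / audience: baseline is internal unless the owner marked it public.
    level = "public" if rec.tags.get("audience") == "public" else "internal"
    reasons = []

    # 1. Regulatory requirements: a legal mandate overrides any owner marking.
    if find_pan(rec.text):
        level = higher(level, "restricted")
        reasons.append("regulatory: cardholder data (PCI DSS)")
    if PHI_MARKERS.search(rec.text):
        level = higher(level, "restricted")
        reasons.append("regulatory: PHI (HIPAA)")
    if SSN.search(rec.text):
        level = higher(level, "confidential")
        reasons.append("regulatory: PII (privacy law)")

    # 2. Business value: high-value data is sensitive even with no regulation.
    value = rec.tags.get("business_value")
    if value in HIGH_VALUE_TAGS:
        level = higher(level, "restricted")
        reasons.append(f"business value: {value}")

    # 3. Impact if disclosed: the owner's consequence rating.
    impact = rec.tags.get("impact")
    if impact in IMPACT_TO_LEVEL:
        level = higher(level, IMPACT_TO_LEVEL[impact])
        reasons.append(f"impact if disclosed: {impact}")

    return level, reasons


# Constructed sample records, not real data.
SAMPLES = [
    Record("Customer card 4111 1111 1111 1111 expires 12/27"),
    Record("Invoice number 1234567890123 for order 42"),
    Record("Patient MRN 00123, diagnosis: asthma"),
    Record("Q3 pricing model", {"business_value": "financial_model", "impact": "medium"}),
    Record("Press release: new office opening", {"audience": "public"}),
    Record("Applicant SSN 123-45-6789", {"audience": "public"}),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        level, why = classify(rec)
        print(f"{level:12} {rec.text!r:50} {why}")
```

The second sample shows why the Luhn check matters: a 13-digit invoice number matches the card-number pattern but fails the check digit, so it is not misclassified as cardholder data. The last sample shows the precedence rule: the owner tagged the record public, but the regulatory criterion still lifts it to confidential.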
Connections
- Parent: data-classification — criteria are the basis for assigning classification levels
- See also: commercial-private-sector-classifications
- See also: government-military-classifications