
Data Classification Policy

Code Ninety's Data Classification Policy establishes a 4-tier classification framework for categorizing information assets based on sensitivity, business value, and regulatory requirements, ensuring that security controls, handling procedures, and access restrictions are applied in proportion to data criticality. Classification tiers: Public (no confidentiality requirement: marketing materials, public website content, press releases), Internal (business use only: employee directory, organizational charts, internal policies; basic access controls), Confidential (sensitive business information: client data, source code, financial records, strategic plans; encryption + strict access controls), Restricted (highly sensitive: personally identifiable information PII, protected health information PHI, payment card data PCI, financial account numbers, credentials, trade secrets; maximum security controls + audit logging + data loss prevention). Classification responsibilities: Data Owner (business unit head, determines classification level, approves access, periodic review), Data Custodian (IT/Security team, implements technical controls, enforces policies, monitors compliance), Data User (employees, contractors, follows handling requirements, reports violations, annual training mandatory). Technical controls by classification: encryption (not required for Public/Internal, mandatory at rest + in transit for Confidential, end-to-end encryption for Restricted), access controls (none for Public, authentication for Internal, role-based + MFA for Confidential, need-to-know + privileged access management for Restricted), audit logging (minimal for Public/Internal, comprehensive for Confidential, detailed forensic logs for Restricted), data loss prevention DLP (not required Public/Internal, monitor for Confidential, block unauthorized transfers for Restricted). 
This page details classification levels, handling procedures, labeling requirements, DLP implementation, compliance monitoring, and reclassification processes.

Classification Framework

Tier 1 - Public: Definition: information intended for public disclosure, no confidentiality requirement, integrity and availability important but no privacy concerns. Examples: marketing materials (brochures, case studies with client permission, whitepapers, website content), press releases (company announcements, media statements, public filings), job postings (careers page, LinkedIn job ads, recruitment materials), open-source code (GitHub public repositories, MIT/Apache licensed code, community contributions), public financial information (if publicly traded, annual reports, investor presentations). Business impact if disclosed: none to minimal (information already public or intended for public release, no competitive harm, no privacy violation, reputational impact only if inaccurate). Handling requirements: storage (no special requirements, standard file servers acceptable, public website, cloud storage), transmission (no encryption required, email without encryption acceptable, public internet), sharing (freely shareable, no restrictions, attribution preferred, verify accuracy before publishing), disposal (no special disposal, standard deletion, recycle bin acceptable). Access controls: authentication (not required, publicly accessible, no login needed), authorization (none, anyone can access), audit logging (minimal, website analytics, no detailed logs needed). Labeling: electronic (optional, header "Public" if labeled, no requirement to label), physical (no marking required, optional header/footer). Lifecycle: creation (author determines public classification, manager approval before publication recommended, verify accuracy), review (annual review of public website content, outdated information removed, accuracy maintained), disposal (standard deletion, no secure disposal needed). 
Examples at Code Ninety: website codeninety.com (services pages, about us, blog posts, contact information), marketing collateral (PDF brochures, email templates for prospects, LinkedIn company page), job descriptions (posted on jobs page, LinkedIn, Indeed, recruitment agencies), open-source projects (GitHub public repos, npm packages, Docker images public), press releases (company milestones, certifications, awards, media coverage). Public data volume: ~500GB (website assets, marketing materials, open-source code, growing).

Tier 2 - Internal: Definition: information for internal business use, not intended for public disclosure but low sensitivity, limited harm if inadvertently disclosed externally. Examples: internal policies (HR policies, IT policies, travel policy, expense policy), employee directory (names, email, phone, department, office location - no personal details), organizational charts (reporting structure, department organization, manager assignments), meeting notes (general business meetings, no strategic/confidential discussion, team updates), training materials (internal training presentations, onboarding materials, process documentation). Business impact if disclosed: low (minor embarrassment, no significant competitive harm, no privacy violation for individuals, operational inconvenience). Handling requirements: storage (company file servers, Google Drive with authentication, SharePoint, no public folders), transmission (email within organization freely, external requires business email not personal, basic TLS encryption via email provider), sharing (employees freely, contractors with NDA, external requires manager approval, no public posting), disposal (standard deletion, recycle bin, shred paper copies). Access controls: authentication (login required, employee credentials, SSO Google Workspace, contractors with guest account), authorization (all employees can access unless restricted to department, no public access, guest access with approval), audit logging (basic access logs, 90-day retention, no detailed monitoring). Labeling: electronic (header or footer "Internal Use Only", optional but recommended for clarity), physical (header/footer "Internal" preferred; the marking "Company Confidential" is also in use but is easily confused with the Confidential tier and is discouraged; physical copies are less common as the company moves to paperless). Lifecycle: creation (author classifies as Internal, no special approval, store in appropriate location), review (departmental review annually, archive outdated, maintain accuracy), disposal (delete when no longer needed, no secure disposal required). 
Examples at Code Ninety: policies (HR handbook, remote work policy, expense reimbursement, IT acceptable use policy - 85 policies documented), employee directory (BambooHR, Google Workspace directory, Slack member list, 120 employees), org charts (department structures, reporting lines, updated quarterly), meeting notes (Monday standup notes, sprint retrospectives, department meetings), training materials (developer onboarding, security awareness, tool tutorials, process guides). Internal data volume: ~2TB (documents, presentations, spreadsheets, emails, collaboration files). Common violations: emailing Internal document to personal email (policy violation, data exfiltration risk, DLP alert, counseling), posting Internal org chart on LinkedIn (inadvertent disclosure, removed immediately, minor incident), sharing Internal policy with external consultant without NDA (unauthorized disclosure, require NDA retrospectively, no harm).

Tier 3 - Confidential: Definition: sensitive business information that could cause significant harm if disclosed, competitive disadvantage, financial impact, client relationship damage. Examples: client data (client contracts, project details, contact information, business requirements, communications), source code (proprietary code, client projects, internal tools, algorithms, architecture), financial information (P&L statements, budgets, pricing models, salary bands, revenue projections), strategic plans (business strategy, product roadmap, M&A plans, partnership negotiations), employee HR data (salary, performance reviews, background checks, disciplinary records; employee health records and identity documents are Restricted, see Tier 4). Business impact if disclosed: significant (competitive harm, financial loss, breach of client confidentiality, regulatory violation GDPR, reputational damage, loss of trust). Handling requirements: storage (encrypted file servers, encrypted databases, AWS S3 with encryption, access-controlled folders with logging), transmission (TLS-encrypted email mandatory, VPN for file transfer, encrypted attachments, no personal email), sharing (need-to-know within organization, external requires NDA + client approval, secure file transfer, no USB drives), disposal (secure deletion multi-pass, shred physical documents, certificate of destruction for media, purge from backups after retention). Access controls: authentication (MFA mandatory, strong passwords 12+ characters, no shared accounts, session timeout 30 minutes), authorization (role-based access control RBAC, least privilege, manager approval for access, quarterly access reviews), audit logging (comprehensive logging, who accessed what when, SIEM monitoring, 7-year retention, alerts on unusual access). Labeling: electronic (header/footer "CONFIDENTIAL", watermark on documents, metadata classification tag, DLP detection), physical (header/footer "CONFIDENTIAL" in the yellow color code used for this tier, stamp on printouts, locked cabinet storage). 
Lifecycle: creation (author classifies as Confidential, manager approval may be required for some types, encryption applied automatically based on classification), storage (encrypted at rest, access-controlled, backed up encrypted, geo-redundancy), transmission (encrypted in transit, audit logged, DLP monitoring, authorized recipients only), review (annual data inventory review, re-classify if needed, retention schedule enforcement), disposal (secure deletion, shredding, backup purging, verification). Examples at Code Ninety: client contracts (MSAs, SOWs, NDAs, 180 active clients), source code (all proprietary repositories, client project code, internal tools, 500+ repos), financial data (annual budgets PKR 450M, P&L monthly, pricing models, salary database), strategic plans (3-year strategy, expansion plans, acquisition targets, partnership negotiations), employee data (salary records, performance reviews, disciplinary files, benefits enrollment). Confidential data volume: ~15TB (databases, code repositories, financial systems, file servers). Encryption: 100% Confidential data encrypted at rest (AES-256), 100% encrypted in transit (TLS 1.3), key management via AWS KMS with annual rotation.

Tier 4 - Restricted: Definition: most sensitive data, extreme harm if disclosed, legal/regulatory consequences, substantial financial loss, individual safety risk. Examples: PII (national ID numbers, passport numbers, biometric data, health records, financial account numbers), payment card data (credit card numbers, CVV, card holder data, PCI DSS scope), credentials (passwords, API keys, private keys, certificates, database credentials), trade secrets (proprietary algorithms, patent applications, research data, competitive intelligence), legal/compliance (attorney-client privileged, regulatory investigation materials, litigation documents, whistleblower reports). Business impact if disclosed: severe (regulatory fines - GDPR up to EUR 20M or 4% of annual global turnover, whichever is higher; PCI DSS fines + card brand penalties; legal liability; criminal prosecution possible; individual harm such as identity theft; severe reputational damage; loss of certifications). Handling requirements: storage (end-to-end encryption, encrypted database with field-level encryption for PII, hardware security module HSM for keys, access extremely limited, privileged access management PAM), transmission (end-to-end encryption, no standard email even with TLS - use the secure portal, VPN mandatory, approved end-to-end encrypted messaging only for sensitive comms (Signal; WhatsApp is not approved for business data, see Application controls under Endpoint and mobile DLP), no public networks), sharing (minimal sharing, executive approval required, legal review for external sharing, data sharing agreements, transfer impact assessment if cross-border), disposal (cryptographic erasure if encrypted, physical destruction of media - shredding/degaussing, witnessed destruction, certificate of destruction notarized, purge from all backups). 
Access controls: authentication (MFA mandatory, biometric preferred for highest sensitivity, no SMS-based MFA, certificate-based auth, frequent re-authentication), authorization (need-to-know strictly enforced, named individuals only, no group access, executive approval required, temporary access time-limited, revoked immediately when not needed), audit logging (forensic-level logging, every access recorded, real-time monitoring, SIEM alerts on any access, 7-year retention minimum, immutable logs, SOC review). Labeling: electronic (header/footer "RESTRICTED" in red, watermark "RESTRICTED - DO NOT DISTRIBUTE", DLP tags, rights management prevent copy/print), physical (red header/footer "RESTRICTED", sealed envelope, locked safe storage, no printouts unless absolutely necessary, log sheet for access). Lifecycle: creation (classification requires data owner approval, legal review if necessary, encryption applied immediately, access list documented), storage (encrypted end-to-end, minimal copies, centralized vault, no local copies, no cloud unless specifically approved), transmission (encrypted channels only, documented approvals, transfer logged, recipient verified), review (quarterly access review, annual data inventory, re-classify if downgrade appropriate, enforce retention), disposal (witnessed secure destruction, cryptographic erasure, backup purging verified, certificate of destruction, compliance team notification). 
Examples at Code Ninety: PII (employee passport copies for visas, national ID for payroll, health insurance enrollment, 120 employees + dependents), payment data (not stored - tokenization via Stripe, occasional client provided card for testing - deleted immediately after test), credentials (AWS root keys in HSM, database master passwords, API keys for production, private SSH keys, certificate private keys), trade secrets (proprietary AI algorithms for client projects - limited, patent applications in process, competitive analysis reports), legal (attorney-client privileged emails, regulatory audit materials, litigation hold data, HR investigation records). Restricted data volume: ~500GB (mostly employee PII, credentials in vaults, minimal due to tokenization/externalization). Special controls: data masking (production data masked in dev/test, anonymization for analytics, pseudonymization for backups), tokenization (payment data, national IDs in databases replaced with tokens, detokenization only when needed with approval), geographic restrictions (some Restricted data Pakistan-only per law, no transfer outside Pakistan, on-premise storage, air-gapped backups).

Data Handling Procedures

Handling by classification level - summary table:

Control                | Public                        | Internal            | Confidential                   | Restricted
-----------------------|-------------------------------|---------------------|--------------------------------|-------------------------------------
Encryption at rest     | not required                  | not required        | mandatory AES-256              | mandatory AES-256 + field-level
Encryption in transit  | not required                  | opportunistic TLS   | mandatory TLS 1.3              | mandatory end-to-end encryption
Access control         | none                          | authentication      | RBAC + MFA                     | named individuals + PAM + MFA
External sharing       | unrestricted                  | manager approval    | NDA + client approval          | executive + legal approval
Audit logging          | minimal (web analytics)       | basic, 90 days      | comprehensive, 7 years         | forensic, 7+ years, immutable
DLP monitoring         | none                          | none                | monitor                        | block unauthorized transfers
Disposal               | standard deletion             | standard deletion   | secure deletion, shred paper   | witnessed destruction + certificate
Retention              | indefinite or until outdated  | 7 years typical     | 7 years or legal requirement   | minimal, then secure destruction

Email handling procedures: Public: send freely, no restrictions, standard email, verify recipient address to avoid accidental send to wrong person. Internal: send within organization, external requires business justification and manager approval if bulk/sensitive, use company email not personal, BCC for large recipient lists (privacy). Confidential: enforce TLS for external recipients (Gmail "Secure transport (TLS) compliance" setting; verify that the recipient domain supports TLS before relying on it), keep Confidential details out of the subject line (subject and other headers are not protected by S/MIME or PGP and are readable by every mail server on the path), send large files via secure file transfer rather than as attachments, archive in compliance with retention policy, forward only to authorized recipients. Restricted: not sent over standard email, encrypted or not; use the secure file transfer portal with access controls and audit; only where no portal path exists and the transfer is unavoidable, S/MIME or PGP end-to-end encryption with documented approval; verbal/in-person preferred for the highest sensitivity; document every transfer in the audit log. Email DLP: outbound scanning for keywords/patterns (credit cards, national IDs, "confidential", "restricted"), quarantine suspicious emails for review, alert sender and security team, classify email based on content, enforce encryption if Confidential+ detected. Email retention: Public/Internal (2 years active mailbox, then archive 7 years, legal hold exemption), Confidential (7 years), Restricted (minimal retention then secure deletion per policy). Email archiving: all email archived via Google Vault, searchable for eDiscovery, litigation hold capable, export for investigations, compliance reporting.

File sharing and collaboration: Public: share via public links, website download, no access controls, verify accuracy before publishing. Internal: Google Drive with company authentication, share with specific people or company-wide, no public links, download allowed, version history 30 days. Confidential: Google Drive with access controls, share with specific named individuals, no "anyone with link", expiration dates on shares, download restricted for highly sensitive, watermarking on view, audit access logs monthly, revoke access when no longer needed. Restricted: secure file transfer portal not Google Drive, one-time access links with expiration, view-only no download for extremely sensitive, watermark all pages, notify on access, comprehensive audit trail, encrypted storage and transit, no public clouds unless specifically approved. Collaboration tools: Slack (Public/Internal discussions, Confidential in private channels only, no Restricted data, export disabled for Confidential channels, retention 7 years), Google Workspace (Docs/Sheets/Slides for Internal/Confidential, granular sharing, version history, access reviews quarterly, no Restricted), Jira (project tracking Confidential, client project data, access per project, no Restricted PII), GitHub (code Internal/Confidential, private repos, branch protection, no Restricted credentials in code, secret scanning enabled). Contractor access: NDAs required for Confidential access, background checks for Restricted, limited access to need-to-know, separate contractor accounts, access revoked immediately upon contract end, no long-term access, quarterly review of contractor access.

Storage and backup procedures: On-premise storage (Islamabad data center): Public/Internal (standard NAS, RAID 6, no encryption, 100TB capacity), Confidential (encrypted NAS, dedicated VLAN, access-controlled, 50TB capacity), Restricted (air-gapped server, encrypted, physical access logged, 10TB capacity, used for Pakistan-only data per regulation). Cloud storage AWS: Public (S3 Standard, the default SSE-S3 encryption is sufficient, public read only where intended and granted explicitly by bucket policy, lifecycle to Glacier), Internal (S3 with authentication, no public access, standard class), Confidential (S3 with SSE-KMS encryption at rest under the customer-managed keys described in Tier 3, bucket policies, versioning, cross-region replication, lifecycle management), Restricted (S3 with KMS encryption + field-level encryption, no public access with Block Public Access enforced at bucket and account level, Object Lock immutability, minimal cross-region - only EU to EU if GDPR). Backup procedures: frequency (Confidential/Restricted: hourly incremental, daily full, Internal: daily), encryption (all backups encrypted regardless of classification - defense in depth), retention (Public/Internal 30 days, Confidential 90 days, Restricted 90 days then secure deletion unless legal hold), testing (quarterly restore tests, verify integrity, meets RTO/RPO), geo-redundancy (Confidential/Restricted cross-region to Bahrain, Internal same-region). Backup purging: automated lifecycle policies, when retention expires delete from all backup tiers, Restricted requires verification of deletion + certificate, crypto-shredding (delete the encryption keys, which renders every copy encrypted under them unreadable and is faster than overwriting; valid only if every copy of the data was encrypted under the destroyed key and no copy of the key survives in an older key backup or export). Database backups: production databases (Confidential/Restricted data, encrypted snapshots, point-in-time recovery, 7-day retention for operational, 90-day for compliance), development databases (masked production data, no Restricted PII, anonymized analytics, refresh monthly from production with masking). 
Media disposal: hard drives (degaussing + physical shredding for Confidential+, certificate of destruction for Restricted, standard disposal for Internal), tapes (physical shredding, witnessed for Restricted, vendor provides certificate), SSDs (crypto-erase if encrypted, physical destruction for Restricted; overwriting is unreliable on SSDs because wear-levelling and over-provisioned blocks are not addressable by the host, so prefer crypto-erase or destruction), cloud (data deletion via API, verify via hash, crypto-shredding for Restricted, documented in audit log).
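The crypto-shredding step above (delete the key, and every backup encrypted under it becomes unreadable) is easiest to reason about as envelope encryption: each backup gets its own data-encryption key (DEK), the DEK is stored only in wrapped form under a key-encryption key (KEK) that never leaves the key service, and destroying the KEK shreds every backup that depends on it. The example below is added here to show that flow and the deletion-verification check; it is not Code Ninety's backup tooling. The in-memory KeyVault stands in for AWS KMS or an HSM, and the HMAC-SHA256 keystream with encrypt-then-MAC is a stand-in for AES-256-GCM so the example runs on the Python standard library alone (an assumption for the demonstration; do not use the toy cipher in production). The sample plaintexts are constructed.

```python
"""Envelope encryption with crypto-shredding (illustrative, standard library only)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) XOR data (stand-in for AES-GCM)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class KeyVault:
    """Stand-in for KMS/HSM: holds key-encryption keys (KEKs) that never leave it."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = os.urandom(32)

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return seal(self._keks[kek_id], dek)

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        if kek_id not in self._keks:
            raise KeyError(f"KEK {kek_id} has been destroyed")
        return unseal(self._keks[kek_id], wrapped)

    def destroy_kek(self, kek_id: str) -> None:
        """Crypto-shred: every backup whose DEK is wrapped under this KEK becomes unreadable."""
        del self._keks[kek_id]


def encrypt_backup(vault: KeyVault, kek_id: str, plaintext: bytes) -> dict:
    """Fresh per-backup DEK, stored only in wrapped form beside the ciphertext."""
    dek = os.urandom(32)
    return {"kek_id": kek_id, "wrapped_dek": vault.wrap(kek_id, dek),
            "ciphertext": seal(dek, plaintext)}


def restore_backup(vault: KeyVault, backup: dict) -> bytes:
    dek = vault.unwrap(backup["kek_id"], backup["wrapped_dek"])
    return unseal(dek, backup["ciphertext"])


def verify_shredded(vault: KeyVault, backup: dict) -> bool:
    """Deletion-verification step: True only if the backup can no longer be restored."""
    try:
        restore_backup(vault, backup)
    except (KeyError, ValueError):
        return True
    return False


def demo() -> dict:
    """One KEK per dataset, so shredding the Restricted HR set leaves the finance set intact."""
    vault = KeyVault()
    vault.create_kek("restricted-hr-2024")
    vault.create_kek("confidential-finance-2024")
    hr_plain = b"CNIC 35202-1234567-1 passport AB1234567"   # constructed sample record
    hr = encrypt_backup(vault, "restricted-hr-2024", hr_plain)
    fin = encrypt_backup(vault, "confidential-finance-2024", b"budget PKR 450M")
    restorable_before = restore_backup(vault, hr) == hr_plain
    vault.destroy_kek("restricted-hr-2024")    # retention expired: shred the key, not the bytes
    return {"hr_restorable_before": restorable_before,
            "hr_shredded": verify_shredded(vault, hr),
            "finance_intact": restore_backup(vault, fin) == b"budget PKR 450M"}


if __name__ == "__main__":
    print(demo())
```

The scoping is the point worth copying into a real design: a KEK per dataset and retention class means "destroy the KEK" is exactly as broad as the purge it is meant to implement, and verify_shredded is the check the certificate of destruction should be based on rather than on a listing that shows the objects gone.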

Data Loss Prevention (DLP)

DLP implementation: Coverage: email outbound (Google Workspace DLP, scans all outbound email, quarantine/alert/block based on policy), file upload (web proxies, cloud storage uploads, block to unauthorized cloud, monitor to approved), endpoint (USB devices disabled by policy, copy to removable media blocked, screenshot monitoring for highly sensitive), network (firewall DLP, inspect outbound traffic, block file transfers to unauthorized destinations). Detection methods: content inspection (regular expressions for patterns - credit cards, national IDs, passport numbers, keywords - "confidential", "restricted", "internal use only"), contextual analysis (file classification metadata, who sending to whom, unusual volume/time, geographic destination), fingerprinting (document fingerprinting, hash matching for known sensitive documents, prevents sharing exact copies), optical character recognition (OCR for images/PDFs, detect Confidential data in screenshots, embedded text). DLP policies: credit card numbers (detect 13-19 digit PAN patterns, 16 digits being the most common, Luhn algorithm validation to discard digit runs that are not card numbers, block if not masked, exception for finance team with justification), national IDs (Pakistan CNIC 13-digit pattern written xxxxx-xxxxxxx-x, India Aadhaar 12-digit with a Verhoeff check digit that can be validated to cut false positives, block outbound, allow internal HR with encryption), source code (detect code patterns, file extensions .js/.py/.java, block to personal email/cloud, allow to GitHub enterprise), financial data (keywords budget/revenue/salary, Excel files to external, require encryption or manager approval), client data (client names in subject line, contracts, proposals, DLP alert to verify authorized). 
Actions: alert (notify sender, security team, document in log, no blocking - for low sensitivity), quarantine (hold for review, security analyst approves/rejects within 4 hours, user notified pending approval), block (prevent send, user sees error, must use approved method, log violation), encrypt (automatically encrypt email if Confidential content detected, transparent to user, enforce TLS). Exceptions: pre-approved (finance sends financial data regularly, whitelist specific addresses with approval, temporary exception for project, documented justification), override (user can request override, manager approval required, justification documented, audit trail), false positives (tune rules, add exceptions, user feedback mechanism, continuous improvement).
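The detection and action logic above (pattern matching with Luhn validation, keyword-based tiering, and the alert/quarantine/block/encrypt decision that depends on where the message is going) is shown end to end in the example below. It is illustrative code added here, not Code Ninety's Google Workspace DLP configuration: the regular expressions, the personal-webmail domain list, the exact tier-to-action mapping and priorities, and the sample messages are assumptions chosen for the demonstration (the card number is the public Visa test PAN, and the CNIC and Aadhaar values are constructed). It goes slightly beyond the text in two places: PANs are accepted at 13-19 digits rather than 16 only, and a national-ID match takes precedence over a card match on the same digits so one number is not reported twice.

```python
"""DLP content inspection and action mapping for outbound email (illustrative)."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "codeninety.com"                                            # from the page
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}   # assumption
TIER_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

# Card PAN: 13-19 digits with optional single space/dash separators (assumption).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Pakistan CNIC: 13 digits, normally written 12345-1234567-1; dashes optional here.
CNIC_RE = re.compile(r"(?<!\d)(?<!\d[ -])\d{5}-?\d{7}-?\d(?![ -]?\d)")
# India Aadhaar: 12 digits, first digit 2-9, often grouped 4-4-4. The extra
# look-arounds stop a 4-4-4 prefix of a longer card number from matching.
AADHAAR_RE = re.compile(r"(?<!\d)(?<!\d[ -])[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?![ -]?\d)")
KEYWORD_RE = re.compile(r"\b(restricted|confidential|internal use only)\b", re.I)


@dataclass
class Finding:
    kind: str    # pan | cnic | aadhaar | keyword
    value: str
    tier: str


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most digit runs that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Content inspection: national IDs first, then Luhn-validated PANs, then keywords."""
    findings, claimed = [], []
    for regex, kind in ((CNIC_RE, "cnic"), (AADHAAR_RE, "aadhaar")):
        for m in regex.finditer(text):
            findings.append(Finding(kind, m.group(), "Restricted"))
            claimed.append(m.span())
    for m in PAN_RE.finditer(text):
        start, end = m.span()
        if any(start < c_end and c_start < end for c_start, c_end in claimed):
            continue   # same digits already reported as a national ID
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("pan", m.group(), "Restricted"))
    for m in KEYWORD_RE.finditer(text):
        word = m.group(1).lower()
        tier = {"restricted": "Restricted", "confidential": "Confidential"}.get(word, "Internal")
        findings.append(Finding("keyword", m.group(), tier))
    return findings


def classify(findings) -> str:
    """Highest tier of any finding wins; nothing found means Public."""
    return max((f.tier for f in findings), key=TIER_RANK.get, default="Public")


def decide(tier: str, recipient: str) -> tuple:
    """Map (tier, destination) to the action and alert priority used on this page."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    internal = domain == INTERNAL_DOMAIN
    personal = domain in PERSONAL_WEBMAIL
    if tier == "Restricted":
        # Restricted outbound is a P1 block; internal delivery (e.g. HR) gets enforced encryption
        return ("encrypt", "P4") if internal else ("block", "P1")
    if tier == "Confidential":
        if internal:
            return ("allow", "P4")
        return ("quarantine", "P2") if personal else ("encrypt", "P2")
    if tier == "Internal":
        return ("alert", "P3") if personal else ("allow", "P4")
    return ("allow", "P4")


def inspect(subject: str, body: str, recipient: str) -> dict:
    """Outbound email check: scan subject and body, classify, then choose the action."""
    findings = scan(subject + "\n" + body)
    tier = classify(findings)
    action, priority = decide(tier, recipient)
    return {"tier": tier, "action": action, "priority": priority,
            "findings": [f.kind for f in findings]}


# Constructed sample messages (subject, body, recipient); none of the values are real data.
SAMPLES = [
    ("Invoice", "Card on file 4111 1111 1111 1111 exp 09/27", "billing@partner.example"),
    ("Invoice", "Card on file 4111 11** **** 1111 exp 09/27", "billing@partner.example"),
    ("New hire", "CNIC 35202-1234567-1 for payroll setup", "hr@codeninety.com"),
    ("Q3 budget", "CONFIDENTIAL - revenue projections attached", "me@gmail.com"),
    ("Order", "Order ref 1234 5678 9012 3456 shipped today", "cust@example.org"),
    ("Standup", "Internal use only: sprint notes", "me@yahoo.com"),
]

if __name__ == "__main__":
    for subject, body, to in SAMPLES:
        print(to, inspect(subject, body, to))
```

Two of the samples illustrate the tuning problem described later on this page: the masked card number produces no finding because the asterisks break the digit run (so "block if not masked" falls out of the pattern), and the 16-digit order reference passes the regex but fails Luhn, which is what keeps a rule like this from paging on every tracking number in a shipping notice.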

DLP monitoring and response: Monitoring: real-time alerts (P1 Restricted data outbound, P2 Confidential to unauthorized, P3 Internal to personal email, P4 informational), dashboard (daily violations by type/user/department, trends, top violators, policy effectiveness), reports (weekly summary to management, monthly to Security Steering Committee, quarterly compliance reporting, annual security report). Incident response: alert received (security analyst reviews within SLA, gather context, determine intent - malicious vs accidental), investigation (user interview if needed, check historical access, correlate with other logs, intent determination - data theft vs mistake), action (malicious: suspend account, escalate to incident response, preserve evidence, notify management; accidental: user training, reminder of policy, document counseling, no punitive action first offense), remediation (recall email if possible, notify recipient to delete, damage assessment, client notification if client data), documentation (DLP incident log, root cause, actions taken, policy updates, user training needs). User education: onboarding (data classification training, DLP policy, how to share Confidential data properly, consequences of violations), annual training (refresher, new examples, policy updates, quiz), just-in-time (DLP alert triggers micro-training, explain why blocked, proper procedure, prevent recurrence), security awareness (monthly newsletter, real anonymized examples, gamification - lowest violation rate recognized). Policy tuning: false positive rate (target <5%; 8% at the start of 2024, 6% after the Q3 rule tuning; tune rules quarterly, user feedback incorporated), false negative rate (periodic testing, send test data, verify detection, red team exercises), coverage (ensure all DLP use cases covered, new data types, business process changes, continuous gap analysis), performance (email delay <2 seconds, endpoint performance impact <5% CPU, network throughput acceptable). 
Metrics 2024: DLP alerts (2,847 total, 125 P1/P2 blocked, 2,722 P3/P4 monitored), violations (42 policy violations confirmed, 38 accidental/training, 4 policy changes needed, 0 malicious), false positives (8% rate, finance team main source - tuned rules Q3, improved to 6%), prevented breaches (estimated 8 potential breaches prevented by DLP blocking, no confirmed data exfiltration 2024).

Endpoint and mobile DLP: Endpoint DLP: USB devices (disabled by group policy, whitelist specific devices IT-approved, log all attempts, alert on repeated attempts), clipboard (monitor copy/paste of Confidential data, alert if paste to unauthorized application, block paste to personal email/chat), screen capture (monitor screenshot attempts of Restricted data, watermark all pages of highly sensitive, log screenshot events, investigate unusual volume), local storage (monitor save to desktop/documents, alert if Confidential saved locally vs network drive, scheduled scans for misclassified data), printing (print logging, watermark printed Confidential pages, require badge swipe for Confidential prints - follow-me printing, log who printed what when). Mobile DLP: MDM policies (containerization, corporate apps in managed container, prevent copy from corporate to personal apps, screenshot disabled in corporate apps, no backup to iCloud/Google for corporate data), file access (corporate files in managed container only, encryption enforced, remote wipe capability, jailbreak/root detection prevents access), email (corporate email in managed container, DLP applies to mobile email, prevent forward to personal accounts, attachment encryption). Application controls: approved apps (whitelist for Confidential data - Google Workspace, Slack, Jira, unauthorized apps blocked - Dropbox personal, WhatsApp for business data), cloud access security broker CASB (monitor cloud app usage, detect shadow IT, block unauthorized cloud storage, enforce policies on sanctioned apps), web filtering (block file upload to unauthorized sites, webmail block for Confidential, social media restrictions during work, malicious site blocking). 
Insider threat indicators: unusual access (access data outside normal scope, unusual hours, geographic anomaly, large volume download), privilege escalation (attempts to gain unauthorized access, repeated access denials, privilege creep), data hoarding (copy excessive data, create local copies, accumulate data, no business need), exfiltration preparation (compress data, encrypt files, rename files or change extensions to evade extension-based DLP rules - content inspection and fingerprinting still apply, access spike before resignation). UEBA integration: baseline normal (establish per-user baselines, typical access patterns, peer group comparison, work hours), anomaly detection (deviation from baseline, risk scoring, weighted factors, threshold alerts), automated response (high-risk score triggers alert, account review, enhanced monitoring, suspend if extreme), investigation (correlate UEBA alerts with other data, context, interview user if needed, document findings).
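The baseline, anomaly detection and automated response steps above are shown concretely in the example below, run over constructed access logs. This is an added illustration, not Code Ninety's UEBA tooling: the log format (ISO timestamp, user, action, classification tier, bytes, country), the four risk factors and their weights, the business-hours window and the response thresholds are all assumptions chosen for the demonstration. The history is synthesized in code so the example runs offline; the day under review contains one normal user and one user whose activity matches several of the indicators listed above at once.

```python
"""UEBA-style insider threat scoring over constructed access logs (illustrative)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Risk factor weights (assumption); a day's score is their sum, capped at 100.
WEIGHTS = {"volume": 40, "off_hours": 20, "new_country": 25, "tier_escalation": 30}
BUSINESS_HOURS = range(9, 18)    # assumption: 09:00-17:59 local time


def parse(line: str) -> dict:
    """Log line format (constructed): timestamp,user,action,tier,bytes,country."""
    ts, user, action, tier, nbytes, country = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "tier": tier, "bytes": int(nbytes), "country": country}


def build_baseline(events: list) -> dict:
    """Per-user profile: daily download volume (mean, stdev), countries and tiers seen."""
    daily = defaultdict(lambda: defaultdict(int))
    countries, tiers = defaultdict(set), defaultdict(set)
    for e in events:
        if e["action"] == "download":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
        countries[e["user"]].add(e["country"])
        tiers[e["user"]].add(e["tier"])
    profiles = {}
    for user, days in daily.items():
        vols = list(days.values())
        profiles[user] = {"mean": mean(vols), "std": pstdev(vols) or 1.0,
                          "countries": countries[user], "tiers": tiers[user]}
    return profiles


def score_user_day(profile: dict, events: list) -> tuple:
    """Risk score for one user's activity on one day, plus the factors that fired."""
    reasons = []
    volume = sum(e["bytes"] for e in events if e["action"] == "download")
    if (volume - profile["mean"]) / profile["std"] >= 3:      # more than 3 sigma above baseline
        reasons.append("volume")
    off_hours = sum(e["ts"].hour not in BUSINESS_HOURS for e in events) / len(events)
    if off_hours > 0.5:
        reasons.append("off_hours")
    if any(e["country"] not in profile["countries"] for e in events):
        reasons.append("new_country")
    if any(e["tier"] not in profile["tiers"] for e in events):   # e.g. first-ever Restricted access
        reasons.append("tier_escalation")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def respond(score: int) -> str:
    """Automated response bands (assumption): review, enhanced monitoring, suspend."""
    if score >= 90:
        return "suspend_and_escalate"
    if score >= 60:
        return "alert_enhanced_monitoring"
    if score >= 30:
        return "analyst_review"
    return "none"


def assess(baseline_lines: list, day_lines: list) -> dict:
    """Score every user seen on the review day against their own history."""
    profiles = build_baseline([parse(line) for line in baseline_lines])
    by_user = defaultdict(list)
    for e in (parse(line) for line in day_lines):
        by_user[e["user"]].append(e)
    report = {}
    for user, events in by_user.items():
        if user not in profiles:    # no history to baseline against: route to an analyst
            report[user] = {"score": 30, "reasons": ["no_baseline"], "response": respond(30)}
            continue
        score, reasons = score_user_day(profiles[user], events)
        report[user] = {"score": score, "reasons": reasons, "response": respond(score)}
    return report


def synth_baseline() -> list:
    """Constructed 20-day history: two business-hours Confidential downloads per day from PK."""
    lines = []
    for day in range(1, 21):
        for hour in (10, 14):
            lines.append(f"2024-03-{day:02d}T{hour}:00:00,alice,download,Confidential,"
                         f"{(90 + day % 5 * 10) * 1_000_000},PK")
            lines.append(f"2024-03-{day:02d}T{hour}:30:00,bob,download,Confidential,"
                         f"{(50 + day % 3 * 15) * 1_000_000},PK")
    return lines


# Constructed day under review: alice is normal; bob pulls 3.6 GB including Restricted
# data between 02:00 and 03:00 from a country never seen in his baseline.
REVIEW_DAY = [
    "2024-03-25T11:05:00,alice,download,Confidential,200000000,PK",
    "2024-03-25T02:10:00,bob,download,Confidential,1500000000,DE",
    "2024-03-25T02:40:00,bob,download,Restricted,900000000,DE",
    "2024-03-25T03:05:00,bob,download,Confidential,1200000000,DE",
]

if __name__ == "__main__":
    for user, result in assess(synth_baseline(), REVIEW_DAY).items():
        print(user, result)
```

The per-user standard deviation is what makes this a baseline rather than a fixed threshold: a 200 MB day is normal for alice because her history is around 220 MB with a spread of about 28 MB, while the same absolute threshold tuned for her would be useless for a build engineer who routinely moves gigabytes. The "no history" branch is the edge case worth keeping: a freshly created account has no baseline to deviate from, so it is routed to an analyst rather than scored as clean.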

Labeling & Compliance Monitoring

Data labeling requirements: Electronic labeling: documents (header/footer with classification level, Microsoft Office/Google Docs footer automation, color coding - yellow for Confidential, red for Restricted, watermark for highly sensitive), emails (subject line prefix [CONFIDENTIAL] optional but encouraged, footer classification statement, encryption applied based on content), files (metadata classification tag, file properties, automated classification tools, integration with DLP for detection), databases (table/column metadata, data dictionary documentation, field-level classification for mixed sensitivity tables). Physical labeling: paper documents (header/footer on every page, stamp with classification level and date, colored paper for Confidential - yellow, Restricted - red), media (label on CD/DVD/USB, classification level, owner, creation date, destruction date), hardware (asset tag, if contains Restricted data mark on device, encryption status indicated). Automated classification: Microsoft Purview Information Protection (formerly Azure Information Protection; Microsoft 365 integration, recommended classification based on content, user confirms, metadata applied, DLP enforcement), Google Cloud Sensitive Data Protection (formerly the Cloud DLP API; scan data at rest, classify based on patterns, tag with metadata, remediation recommendations), machine learning (train models on labeled data, auto-classify new data, confidence score, human review for low confidence), user-driven (author classifies at creation, manager reviews if Confidential+, annual re-classification review). Visual indicators: color coding (Public/Internal: no special color, Confidential: yellow, Restricted: red, consistent across systems), watermarks (view-only documents watermarked with "CONFIDENTIAL - DO NOT DISTRIBUTE", dynamic watermark with viewer email, discourage screenshots), banners (top of page banner in applications accessing Confidential/Restricted, reminder of classification, awareness). 
Label persistence: copy/paste (classification follows data, copy Confidential text to new document applies classification, prevent accidental downgrade), email forward (classification preserved in forward, re-apply footer, DLP monitors), file download (downloaded file retains metadata, rights management enforced offline, expiration policies).

Compliance monitoring: Data inventory: annual data inventory (catalog all data assets, classification levels, owners, locations, volume, update annually), data flow mapping (document data flows, source to destination, transformations, third parties, data lineage), system inventory (systems holding Confidential/Restricted, risk assessment, control verification, penetration testing priority). Access reviews: quarterly reviews (Confidential data access reviewed quarterly, managers certify team access appropriate, revoke unnecessary, document approval), annual comprehensive (all access across systems, identify dormant accounts, privilege creep, orphaned accounts cleanup), role-based (access tied to role, role change triggers access review, transfer/promotion/separation, automated workflow). Audit and inspection: internal audits (quarterly spot checks, data handling compliance, random sample of users/departments, interview and observation, findings and remediation), ISO 27001 audits (annual surveillance, information classification and labelling controls - A.8.2 in ISO 27001:2013, A.5.12 and A.5.13 in ISO 27001:2022 - evidence review, non-conformities tracked), SOC 2 audits (12-month observation, CC6 logical and physical access controls, data classification policy, control testing, zero exceptions 2024). Automated compliance: configuration management (infrastructure as code, enforce encryption policies, drift detection, auto-remediation), continuous monitoring (SIEM rules for policy violations, alert on unencrypted Confidential, audit Restricted access, quarterly compliance dashboard), compliance scoring (automated scoring of compliance, percentage of data properly classified, percentage encrypted, trend over time, target 95%+). 
Metrics 2024: data inventory (18.5TB total, 500GB Public, 2TB Internal, 15TB Confidential, 500GB Restricted, 97% classified - 3% unclassified legacy data migration in progress), encryption compliance (100% Confidential encrypted at rest, 100% in transit TLS 1.3, 100% Restricted E2EE), access reviews (98% completed on time, 2% delayed with extensions, 847 access revocations - no longer needed), audit findings (ISO 27001: 1 minor observation - labeling inconsistency in legacy documents, corrected; SOC 2: zero exceptions).

Violations: policy violations (52 violations 2024, 42 DLP, 8 access control, 2 labeling), consequences (first offense: counseling and training, second: written warning, third: suspension/termination depending on severity, malicious: immediate termination + legal action), anonymized examples (employee emailed Confidential contract to personal email - DLP caught, training provided, no recurrence; contractor accessed Restricted PII without approval - access revoked, contract terminated, no data exfiltration confirmed).

Reclassification procedures: Classification review triggers: annual review (all Confidential+ data reviewed annually, assess if classification still appropriate, downgrade if justified, upgrade if sensitivity increased), business change (project completion, contract expiration, M&A activity, regulatory change), data breach (incident may require upgrade, enhanced controls, lessons learned), retention expiration (review before destruction, confirm still needed, re-classify if purpose changed).

Downgrade process: request (data owner requests downgrade, justification documented, no longer meets Confidential criteria), approval (management approval required, compliance review, verify no legal/regulatory restrictions), implementation (update metadata, change labels, relax controls, document in audit log), notification (notify users with access, update data inventory, annual report updated).

Upgrade process: identification (discover data should be higher classification, DLP detection, audit finding, user report), immediate upgrade (apply higher classification immediately, err on side of caution, formal review can follow), control implementation (encryption, access restrictions, labeling, DLP rules updated), notification (alert users, training if needed, document change).

Special considerations: aggregation (combination of Internal data may be Confidential, context matters, assess holistically), derived data (data derived from Confidential inherits classification unless transformed/anonymized, analytics on Confidential is Confidential, aggregated anonymized may be Internal), client data (default Confidential unless client specifies, some clients require Restricted, contractual obligations, DPA requirements).
Legacy data: unclassified data (legacy data from before policy implementation 2019, classification project 2020-2021 classified 97%, remaining 3% being migrated, default Confidential until reviewed), old classification schemes (previous 3-tier model Public/Confidential/Restricted, mapped to new 4-tier, Internal added for granularity, reclassified over 12 months), paper records (digitization project, scan + classify + destroy paper, 85% digitized, remaining archives maintained with physical controls until digitized).

Training & Governance

Data classification training: onboarding (all new employees, 1-hour module, classification levels and examples, handling requirements, policy acknowledgment signed, 100% completion before system access), annual refresher (mandatory annual training, 30-minute module, policy updates, real examples anonymized, quiz 80% pass required, 95% completion 2024), role-specific training (developers: code classification and secrets management, admins: Restricted data handling, HR: employee PII, finance: financial data classification, managers: access approval responsibilities, compliance: audit and reporting).

Training content: classification levels (definitions, examples from Code Ninety, business impact scenarios, how to determine classification), handling procedures (storage, transmission, sharing, disposal by classification level, tools and technologies, compliance requirements), labeling (how to label documents/emails, automated tools, label verification), violations and consequences (real anonymized examples, progressive discipline, reporting violations, no-blame culture for mistakes).

Policy governance: Data Classification Policy (32-page document, version 3.2, last updated Nov 2024, annual review and update, board-approved, published on intranet), policy owner (CISO, responsible for policy maintenance, interpretation, exceptions, compliance monitoring), policy review (annual review by Security Steering Committee, incorporate lessons learned, regulatory changes, industry best practices, stakeholder feedback), policy communication (published on intranet, email announcement for updates, managers brief teams, Q&A sessions offered, accessible to all employees).
Exceptions: exception process (written request, business justification, risk assessment, compensating controls, approver: CISO or delegate), temporary exceptions (time-limited, project-based, specific use case, re-approve if extended, document in exception log), permanent exceptions (rare, executive approval, legal/regulatory requirement, compensating controls mandatory, annual review), exception log (centralized tracking, requestor, justification, approval, expiration, compensating controls, quarterly review with management).

Metrics and reporting: classification coverage (% of data classified, target 100%, currently 97%, legacy data migration), compliance rate (% compliance with handling requirements, automated monitoring, 98% compliance 2024), training completion (95% annual training completion, target 100%, HR follow-up for delinquent), violations (52 violations 2024 vs 68 in 2023, 24% improvement, trend positive).

Continuous improvement: feedback loop (user feedback on policy, quarterly survey, pain points addressed, policy refinement), technology evolution (new tools, cloud services, AI/ML, assess classification needs, update policy), regulatory changes (GDPR, HIPAA, PCI DSS, Pakistan PDPA draft, proactive policy updates, legal review), benchmarking (compare to industry, peer organizations, best practices, Gartner frameworks, continuous maturity improvement).

Related Trust Center Resources