Data Classification Template

blank

blank

blank

1. General Information

blank

blank

blank

blank

ORGANIZATION

[Insert name of organization here]

DATE ADOPTED

[Insert date adopted here]

2. Data Classification Levels

Public

Sensitive

Confidential

Regulated

Definition

Information that is freely and without reservation made available

to the public.

Information that could be subject to release under an open records Information that typically is excepted from the Public Information
requests, but should be controled to protect third parties
Act

Information that is controlled by a state or federal regulation or

other 3rd party agreement

Justification

Access to some information, such as published reports, agency

news, and other public related materials, does not need to be
tracked or monitored. In such circumstances, it is most efficient to
keep the information available for citizen access without requiring
the intervention of state employees.

Some information, even though it is available to the public, may

contain sensitive information. Such data should be vetted/verified
before it is released. By protecting access to the data and requiring
an open records request, the organization ensures that the most
accurate and relevant data is provided to the requestor without
accidentally disclosing confidential data.

State agencies and institutes of higher education collect and

maintain some information that is protected from disclosure either
through a codified exception to the Public Information Act or
through opinions or decisions of the Attorney Generals Public
Information office. Such information may also be subject to breach
notification requirements under Texas law.

Many agencies and institutes of higher education interact with the

federal government or perform services that are regulated by
federal rules and laws. In such instances, the information
maintained by those agencies must comply with federal controls.

Examples

Information that is published to the public website and requires no Data that meets the definition of PII under the Texas Business and
authentication
Commerce Code 521.002(a)(1) and 521.002(a)(2)
Agency publications
Employee Records
Press releases
Gross Salary Information
Public web postings

Data that has been excepted from public release under the Texas
Government Code Ch. 552 or data, whose pubic release, may
result in adverse consequences to the organization
Attorney-Client communications
Computer Vulnerability Reports
Protected draft communications
Net salary information

Data that meets the definition of SPI under the Texas Business and
Commerce Code 521.002(a)(1) and 521.002(a)(2): HIPAA Security
(45 CFR Parts 164), PCI DSS v2.0, FTI, FICA, tax information

Consequence of Public Disclosure

No adverse consequences

Loss of reputation
Loss of trust

Potential criminal or civil penalties

Federal investigation or loss of right to collect revenue

Sample Security Controls

blank

blank

blank

blank

3. Roles and Responsibilities

Public

Sensitive

Confidential

Regulated

Data Custodian

Ensure systems support access controls which enforce data

classification

Ensure systems support access controls which enforce data

classification

Ensure systems support access controls which enforce data

classification

Ensure systems support access controls which enforce data

classification

Data Owner

Identify the classification level of data

Review audit logs

Identify the classification level of data

Review audit logs

Identify the classification level of data

Review audit logs

Identify the classification level of data

Review audit logs

Information Security Officer

Develop and maintain information security policies,

procedures, and guidelines
Provide guidance on data classifications

Develop and maintain information security policies,

procedures, and guidelines
Provide guidance on data classifications

Develop and maintain information security policies,

procedures, and guidelines
Provide guidance on data classifications

Develop and maintain information security policies,

procedures, and guidelines
Provide guidance on data classifications

Legal and/or Privacy Office

(Public Information Officer)

Develop and maintain information security policies,

procedures, and guidelines.
Provide guidance on data classifications

Develop and maintain information security policies,

procedures, and guidelines.
Provide guidance on data classifications

Develop and maintain information security policies,

procedures, and guidelines.
Provide guidance on data classifications

Develop and maintain information security policies,

procedures, and guidelines.
Provide guidance on data classifications

Managers

n/a

Ensure users are aware of data classification requirements

Monitor user activities to ensure compliance

Ensure users are aware of data classification requirements

Monitor user activities to ensure compliance

Ensure users are aware of data classification requirements

Monitor user activities to ensure compliance

Users

n/a

Identify, and Label where appropriate, Data

Properly Dispose of Data

Identify, and Label where appropriate, Data

Properly Dispose of Data

Identify, and Label where appropriate, Data

Properly Dispose of Data

DATA CLASSIFICATION TEMPLATE

PAGE 1 OF 5

4. Data Controls

Public

Sensitive

Confidential

Regulated

Marking

n/a

All sensitive data shall be marked as such

Special handling instructions must be provided

Handling

n/a

n/a

Confidential data shall only be given to those persons with

authorization and a need to know

Confidential data shall only be given to those persons with

authorization and a need to know

Duplication

n/a

Mailing

n/a

Information to be duplicated for business purposes or in

response to an "Open Records" request only
n/a

Employees can duplicate confidential documents with data

owners authorization
n/a

Employees can duplicate confidential documents with data

owners authorization
Confirmation of receipt required
May require double-packaged delivery. Outside of the
package is not marked. Inside paperwork is appropriately
marked.

Disposition

Disposition based on requirements of the records retention Disposition based on requirements of the records retention Disposition based on requirements of the records retention
schedule.
schedule.
schedule.
Physical destruction required (e.g. shredding)
Destruction must be verified by agency personnel

Disposition based on requirements of the records retention

schedule.
Physical destruction required (e.g. shredding)
Destruction must be verified by agency personnel

Storage of hardcopy

Store a "Master copy" in compliance with records retention Store a "Master copy" in compliance with records retention
schedule.
schedule.
Documents should be locked up when not in use (e.g., in
locked desk, cabinet or office)

Store a "Master copy" in compliance with records retention

schedule.
Documents should be locked up when not in use (e.g., in
locked desk, cabinet or office)

Store a "Master copy" in compliance with records retention

schedule.
Documents should be locked up when not in use (e.g., in
locked desk, cabinet or office)

Storage on fixed media

n/a

Access is password controlled

Access is password controlled

Encryption required

Access is password controlled

Encryption required

Storage on removable media

n/a

Encryption recommended

Encryption required.

Encryption required.

5. Access Controls

Public

Sensitive

Confidential

Regulated

Granting Access Rights

No Restrictions

Data owner only

Data owner only

Data owner only

Read Access

Information owner defines permissions by user/role

Information owner defines permissions by user/role

Update Access

Information owner defines permissions by user/role

Information owner defines permissions by user/role

Controls (e.g., separation of duties) needed for processes
and transactions that are susceptible to fraudulent or other
unauthorized activities

Information owner defines permissions by user/role

Access highly restricted or controlled
Information owner defines permissions by user/role
Controls (e.g., separation of duties) needed for processes
and transactions that are susceptible to fraudulent or other
unauthorized activities

Information owner defines permissions by user/role

Access highly restricted or controlled
Information owner defines permissions by user/role
Controls (e.g., separation of duties) needed for processes
and transactions that are susceptible to fraudulent or other
unauthorized activities

Delete Access

Information owner defines permissions by user/role

Information owner defines permissions by user/role

Information owner defines permissions by user/role

Controls (e.g., separation of duties) needed for processes
and transactions that are susceptible to fraudulent or other
unauthorized activities

Information owner defines permissions by user/role

Controls (e.g., separation of duties) needed for processes
and transactions that are susceptible to fraudulent or other
unauthorized activities

6. Transimssion Controls

Public

Sensitive

Confidential

Regulated

Print Controls

No restrictions

Information owner define permissions

Output routed to pre-defined printer and monitored or secure Output routed to pre-defined printer and monitored or secure
printing enabled
printing enabled

Transmission by public network

No restrictions

Encryption Recommended

Encryption Required

Encryption Required

Release to Third Paries

No restrictions

No restrictions

Owner Approval and Non-Disclosure Agreement

Owner Approval and Non-Disclosure Agreement

DATA CLASSIFICATION TEMPLATE

All sensitive data shall be marked as such

Special handling instructions must be provided
Each page if loose sheets
Front and back covers, and title page if bound

All sensitive data shall be marked as such

Special handling instructions must be provided
Each page if loose sheets
Front and back covers, and title page if bound

PAGE 2 OF 5

7. Audit Controls

Public

Sensitive

Confidential

Regulated

Tracking Process by Log

n/a

n/a

Recipients, Copies Made, Locations, Addresses, Those Who

Viewed, and Destruction

Recipients, Copies Made, Locations, Addresses, Those Who

Viewed, and Destruction

Auditing acess activity

n/a

IT system should be configured to log all violation attempts.

Audit trails should be maintained to provide for accountability
of modifications to information resources and for all changes
to automated security/access rules

IT system should be configured to log all violation attempts.

Audit trails should be maintained to provide for accountability
of modifications to information resources and for all changes
to automated security/access rules

IT system should be configured to log all violation attempts.

Audit trails should be maintained to provide for accountability
of modifications to information resources and for all changes
to automated security/access rules

Retention criteria for Access

Reports

Logs must be retained in accordance with records retention

guidelines

Logs must be retained in accordance with records retention

guidelines

Logs must be retained in accordance with records retention

guidelines

Logs must be retained in accordance with records retention

guidelines

Retention criteria for Access

Reports
Classification review cycle
timeframe

n/a

The owner determines retention of violation logs

The owner determines retention of violation logs

The owner determines retention of violation logs

Review & affirm date must be set but flexible, i.e., 1-2 years

Review & affirm date must be set but flexible, i.e., 1-2 years

Info Owner must review & affirm all info classification and
user rights, not to exceed 1 year

Info Owner must review & affirm all info classification and
user rights, not to exceed 1 year

8. Notification Requirements

Public

Sensitive

Confidential

Regulated

Required Disclosure to Data Subject No disclosure of public information

No disclosure of public information

No disclosure of public information

No disclosure of public information

Required Disclosure to Public

No disclosure of public information

No disclosure of public information

No disclosure of public information

No disclosure of public information

Required Disclosure to Federal

Partners

No disclosure of public information

No disclosure of public information

No disclosure of public information

No disclosure of public information

Required Disclosure to State

Partners

No disclosure of public information

No disclosure of public information

No disclosure of public information

No disclosure of public information

Required Disclosure to Third Parties No disclosure of public information

No disclosure of public information

No disclosure of public information

No disclosure of public information

DATA CLASSIFICATION TEMPLATE

PAGE 3 OF 5

Term

Definition

Reference