data-classification
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseData Classification
数据分类
Comprehensive guidance for data classification, handling requirements, and data lifecycle management.
提供数据分类、处理要求以及数据生命周期管理的全面指导。
When to Use This Skill
何时使用本技能
- Establishing data classification policies
- Defining handling requirements for different data types
- Designing data protection controls by classification
- Implementing data labeling and tagging
- Creating data retention and disposal procedures
- 制定数据分类政策
- 定义不同数据类型的处理要求
- 根据分类设计数据保护控制措施
- 实施数据标签标注
- 制定数据保留与处置流程
Classification Framework
分类框架
Standard Sensitivity Levels
标准敏感度等级
| Level | Description | Examples | Impact of Breach |
|---|---|---|---|
| Public | Intentionally public | Marketing, published docs | None |
| Internal | General business use | Policies, org charts | Minimal |
| Confidential | Business sensitive | Financial reports, contracts | Moderate |
| Restricted | Highly sensitive | PII, PHI, trade secrets | Severe |
| Top Secret | Critical/regulated | Encryption keys, M&A data | Catastrophic |
| 等级 | 描述 | 示例 | 泄露影响 |
|---|---|---|---|
| 公开 | 有意公开的内容 | 营销资料、已发布文档 | 无 |
| 内部 | 一般业务用途 | 政策文件、组织架构图 | 极小 |
| 机密 | 业务敏感内容 | 财务报告、合同 | 中等 |
| 受限 | 高度敏感内容 | PII、PHI、商业机密 | 严重 |
| 绝密 | 关键/受监管内容 | 加密密钥、并购数据 | 灾难性 |
Visual Labeling
可视化标签
text
┌─────────────────────────────────────────┐
│ █ PUBLIC │ Green
├─────────────────────────────────────────┤
│ █ INTERNAL - For Internal Use Only │ Blue
├─────────────────────────────────────────┤
│ █ CONFIDENTIAL - Authorized Only │ Yellow
├─────────────────────────────────────────┤
│ █ RESTRICTED - Need-to-Know Only │ Orange
├─────────────────────────────────────────┤
│ █ TOP SECRET - Strictly Controlled │ Red
└─────────────────────────────────────────┘text
┌─────────────────────────────────────────┐
│ █ PUBLIC │ Green
├─────────────────────────────────────────┤
│ █ INTERNAL - For Internal Use Only │ Blue
├─────────────────────────────────────────┤
│ █ CONFIDENTIAL - Authorized Only │ Yellow
├─────────────────────────────────────────┤
│ █ RESTRICTED - Need-to-Know Only │ Orange
├─────────────────────────────────────────┤
│ █ TOP SECRET - Strictly Controlled │ Red
└─────────────────────────────────────────┘Handling Requirements Matrix
处理要求矩阵
By Classification Level
按分类等级划分
| Requirement | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Access Control | None | Authentication | RBAC | Need-to-know + MFA |
| Encryption at Rest | Optional | Recommended | Required | Required + HSM |
| Encryption in Transit | HTTPS | TLS 1.2+ | TLS 1.2+ | TLS 1.3 + mTLS |
| Backup | Standard | Standard | Encrypted | Encrypted + geo-separate |
| Sharing External | Allowed | Approval | NDA required | Prohibited |
| Cloud Storage | Any | Approved cloud | Approved + encryption | On-premises or approved |
| Allowed | Allowed | Watermarked | Prohibited/tracked | |
| Retention | As needed | 3 years | 7 years | 7 years + legal hold |
| Disposal | Standard delete | Secure delete | Cryptographic erase | Physical destruction |
| 要求 | 公开 | 内部 | 机密 | 受限 |
|---|---|---|---|---|
| 访问控制 | 无 | 身份验证 | RBAC(基于角色的访问控制) | 按需知晓 + MFA(多因素认证) |
| 静态数据加密 | 可选 | 推荐 | 必需 | 必需 + HSM(硬件安全模块) |
| 传输中数据加密 | HTTPS | TLS 1.2+ | TLS 1.2+ | TLS 1.3 + mTLS(双向传输层安全) |
| 备份 | 标准备份 | 标准备份 | 加密备份 | 加密备份 + 异地存储 |
| 外部共享 | 允许 | 需审批 | 需签署NDA(保密协议) | 禁止 |
| 云存储 | 任意云平台 | 已批准的云平台 | 已批准平台 + 加密 | 本地存储或已批准平台 |
| 打印 | 允许 | 允许 | 需添加水印 | 禁止/需追踪 |
| 保留期限 | 按需保留 | 3年 | 7年 | 7年 + 法定保留 |
| 处置方式 | 标准删除 | 安全删除 | 加密擦除 | 物理销毁 |
Data Flow Controls
数据流控制
text
Restricted Data Flow:
┌──────────────┐ Encrypted ┌──────────────┐
│ Source │ ───────────────▶ │ Destination │
│ System │ │ System │
└──────────────┘ └──────────────┘
│ │
▼ ▼
Audit Log Audit Log
│ │
▼ ▼
┌────────────────────────────────────────────┐
│ SIEM / Monitoring │
└────────────────────────────────────────────┘text
Restricted Data Flow:
┌──────────────┐ Encrypted ┌──────────────┐
│ Source │ ───────────────▶ │ Destination │
│ System │ │ System │
└──────────────┘ └──────────────┘
│ │
▼ ▼
Audit Log Audit Log
│ │
▼ ▼
┌────────────────────────────────────────────┐
│ SIEM / Monitoring │
└────────────────────────────────────────────┘Classification Implementation
分类实施
.NET Data Annotation Approach
.NET 数据注解方法
csharp
// Classification attributes
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Class)]
public class DataClassificationAttribute : Attribute
{
public DataClassification Level { get; }
public string? DataCategory { get; set; }
public string? RetentionPolicy { get; set; }
public string[] RequiredRoles { get; set; } = Array.Empty<string>();
public DataClassificationAttribute(DataClassification level)
{
Level = level;
}
}
public enum DataClassification
{
Public = 0,
Internal = 1,
Confidential = 2,
Restricted = 3,
TopSecret = 4
}
// Usage on domain models
public class Customer
{
public Guid Id { get; set; }
[DataClassification(DataClassification.Internal)]
public string Name { get; set; } = string.Empty;
[DataClassification(DataClassification.Restricted,
DataCategory = "PII",
RequiredRoles = new[] { "CustomerAdmin", "Support" })]
public string Email { get; set; } = string.Empty;
[DataClassification(DataClassification.Restricted,
DataCategory = "PII",
RetentionPolicy = "7years")]
public string SocialSecurityNumber { get; set; } = string.Empty;
[DataClassification(DataClassification.Confidential,
DataCategory = "Financial")]
public decimal CreditLimit { get; set; }
}csharp
// Classification attributes
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Class)]
public class DataClassificationAttribute : Attribute
{
public DataClassification Level { get; }
public string? DataCategory { get; set; }
public string? RetentionPolicy { get; set; }
public string[] RequiredRoles { get; set; } = Array.Empty<string>();
public DataClassificationAttribute(DataClassification level)
{
Level = level;
}
}
public enum DataClassification
{
Public = 0,
Internal = 1,
Confidential = 2,
Restricted = 3,
TopSecret = 4
}
// Usage on domain models
public class Customer
{
public Guid Id { get; set; }
[DataClassification(DataClassification.Internal)]
public string Name { get; set; } = string.Empty;
[DataClassification(DataClassification.Restricted,
DataCategory = "PII",
RequiredRoles = new[] { "CustomerAdmin", "Support" })]
public string Email { get; set; } = string.Empty;
[DataClassification(DataClassification.Restricted,
DataCategory = "PII",
RetentionPolicy = "7years")]
public string SocialSecurityNumber { get; set; } = string.Empty;
[DataClassification(DataClassification.Confidential,
DataCategory = "Financial")]
public decimal CreditLimit { get; set; }
}Classification-Based Access Control
基于分类的访问控制
csharp
public class ClassificationAuthorizationHandler
: AuthorizationHandler<DataAccessRequirement, object>
{
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
DataAccessRequirement requirement,
object resource)
{
var classificationAttr = resource.GetType()
.GetCustomAttribute<DataClassificationAttribute>();
if (classificationAttr == null)
{
context.Succeed(requirement);
return Task.CompletedTask;
}
var userClearance = GetUserClearanceLevel(context.User);
// User clearance must meet or exceed data classification
if ((int)userClearance >= (int)classificationAttr.Level)
{
// Check role requirements if specified
if (classificationAttr.RequiredRoles.Length > 0)
{
var hasRequiredRole = classificationAttr.RequiredRoles
.Any(r => context.User.IsInRole(r));
if (hasRequiredRole)
{
context.Succeed(requirement);
}
}
else
{
context.Succeed(requirement);
}
}
return Task.CompletedTask;
}
}csharp
public class ClassificationAuthorizationHandler
: AuthorizationHandler<DataAccessRequirement, object>
{
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
DataAccessRequirement requirement,
object resource)
{
var classificationAttr = resource.GetType()
.GetCustomAttribute<DataClassificationAttribute>();
if (classificationAttr == null)
{
context.Succeed(requirement);
return Task.CompletedTask;
}
var userClearance = GetUserClearanceLevel(context.User);
// User clearance must meet or exceed data classification
if ((int)userClearance >= (int)classificationAttr.Level)
{
// Check role requirements if specified
if (classificationAttr.RequiredRoles.Length > 0)
{
var hasRequiredRole = classificationAttr.RequiredRoles
.Any(r => context.User.IsInRole(r));
if (hasRequiredRole)
{
context.Succeed(requirement);
}
}
else
{
context.Succeed(requirement);
}
}
return Task.CompletedTask;
}
}Field-Level Encryption
字段级加密
csharp
public class ClassificationBasedEncryption
{
private readonly IEncryptionService _encryptionService;
public async Task<T> ProtectData<T>(T data, CancellationToken ct) where T : class
{
var properties = typeof(T).GetProperties()
.Where(p => p.GetCustomAttribute<DataClassificationAttribute>() != null);
foreach (var prop in properties)
{
var attr = prop.GetCustomAttribute<DataClassificationAttribute>()!;
if (attr.Level >= DataClassification.Confidential)
{
var value = prop.GetValue(data) as string;
if (!string.IsNullOrEmpty(value))
{
var encrypted = await _encryptionService.Encrypt(value, ct);
prop.SetValue(data, encrypted);
}
}
}
return data;
}
}csharp
public class ClassificationBasedEncryption
{
private readonly IEncryptionService _encryptionService;
public async Task<T> ProtectData<T>(T data, CancellationToken ct) where T : class
{
var properties = typeof(T).GetProperties()
.Where(p => p.GetCustomAttribute<DataClassificationAttribute>() != null);
foreach (var prop in properties)
{
var attr = prop.GetCustomAttribute<DataClassificationAttribute>()!;
if (attr.Level >= DataClassification.Confidential)
{
var value = prop.GetValue(data) as string;
if (!string.IsNullOrEmpty(value))
{
var encrypted = await _encryptionService.Encrypt(value, ct);
prop.SetValue(data, encrypted);
}
}
}
return data;
}
}Data Discovery and Inventory
数据发现与清单
Automated Classification
自动分类
csharp
public class DataDiscoveryService
{
private readonly IRegexPatternMatcher _patternMatcher;
public ClassificationSuggestion AnalyzeContent(string content)
{
var detections = new List<DataTypeDetection>();
// Check for PII patterns
if (_patternMatcher.ContainsPattern(content, PiiPatterns.SocialSecurityNumber))
detections.Add(new DataTypeDetection("SSN", DataClassification.Restricted));
if (_patternMatcher.ContainsPattern(content, PiiPatterns.CreditCard))
detections.Add(new DataTypeDetection("Credit Card", DataClassification.Restricted));
if (_patternMatcher.ContainsPattern(content, PiiPatterns.Email))
detections.Add(new DataTypeDetection("Email", DataClassification.Confidential));
if (_patternMatcher.ContainsPattern(content, PiiPatterns.PhoneNumber))
detections.Add(new DataTypeDetection("Phone", DataClassification.Confidential));
// Check for financial patterns
if (_patternMatcher.ContainsPattern(content, FinancialPatterns.BankAccount))
detections.Add(new DataTypeDetection("Bank Account", DataClassification.Restricted));
// Determine highest classification
var suggestedLevel = detections.Any()
? detections.Max(d => d.Classification)
: DataClassification.Internal;
return new ClassificationSuggestion
{
SuggestedLevel = suggestedLevel,
Detections = detections,
Confidence = CalculateConfidence(detections)
};
}
}
public static class PiiPatterns
{
public static readonly string SocialSecurityNumber = @"\b\d{3}-\d{2}-\d{4}\b";
public static readonly string CreditCard = @"\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b";
public static readonly string Email = @"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b";
public static readonly string PhoneNumber = @"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b";
}csharp
public class DataDiscoveryService
{
private readonly IRegexPatternMatcher _patternMatcher;
public ClassificationSuggestion AnalyzeContent(string content)
{
var detections = new List<DataTypeDetection>();
// Check for PII patterns
if (_patternMatcher.ContainsPattern(content, PiiPatterns.SocialSecurityNumber))
detections.Add(new DataTypeDetection("SSN", DataClassification.Restricted));
if (_patternMatcher.ContainsPattern(content, PiiPatterns.CreditCard))
detections.Add(new DataTypeDetection("Credit Card", DataClassification.Restricted));
if (_patternMatcher.ContainsPattern(content, PiiPatterns.Email))
detections.Add(new DataTypeDetection("Email", DataClassification.Confidential));
if (_patternMatcher.ContainsPattern(content, PiiPatterns.PhoneNumber))
detections.Add(new DataTypeDetection("Phone", DataClassification.Confidential));
// Check for financial patterns
if (_patternMatcher.ContainsPattern(content, FinancialPatterns.BankAccount))
detections.Add(new DataTypeDetection("Bank Account", DataClassification.Restricted));
// Determine highest classification
var suggestedLevel = detections.Any()
? detections.Max(d => d.Classification)
: DataClassification.Internal;
return new ClassificationSuggestion
{
SuggestedLevel = suggestedLevel,
Detections = detections,
Confidence = CalculateConfidence(detections)
};
}
}
public static class PiiPatterns
{
public static readonly string SocialSecurityNumber = @"\b\d{3}-\d{2}-\d{4}\b";
public static readonly string CreditCard = @"\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b";
public static readonly string Email = @"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b";
public static readonly string PhoneNumber = @"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b";
}Data Inventory Template
数据清单模板
yaml
Data Inventory Entry:
asset_id: DATA-001
name: Customer Database
description: Master customer records
owner: Customer Service Department
custodian: IT Operations
location:
- Azure SQL Database (prod-sql-001)
- Daily backup to Azure Blob Storage
data_categories:
- PII (names, emails, addresses)
- Financial (payment history, credit limits)
- Behavioral (purchase history)
classification: Restricted
volume: ~2M records
sensitivity_reason: Contains PII and financial data
regulatory_requirements:
- GDPR (EU customers)
- CCPA (California customers)
retention:
active: Duration of customer relationship
archived: 7 years after relationship ends
access:
roles:
- CustomerAdmin (full access)
- Support (read-only)
- Analytics (anonymized only)
mfa_required: true
vpn_required: true
encryption:
at_rest: AES-256 (Transparent Data Encryption)
in_transit: TLS 1.3
backup:
frequency: Daily
retention: 30 days
tested: Monthly
last_review: 2025-01-15
next_review: 2025-07-15yaml
Data Inventory Entry:
asset_id: DATA-001
name: Customer Database
description: Master customer records
owner: Customer Service Department
custodian: IT Operations
location:
- Azure SQL Database (prod-sql-001)
- Daily backup to Azure Blob Storage
data_categories:
- PII (names, emails, addresses)
- Financial (payment history, credit limits)
- Behavioral (purchase history)
classification: Restricted
volume: ~2M records
sensitivity_reason: Contains PII and financial data
regulatory_requirements:
- GDPR (EU customers)
- CCPA (California customers)
retention:
active: Duration of customer relationship
archived: 7 years after relationship ends
access:
roles:
- CustomerAdmin (full access)
- Support (read-only)
- Analytics (anonymized only)
mfa_required: true
vpn_required: true
encryption:
at_rest: AES-256 (Transparent Data Encryption)
in_transit: TLS 1.3
backup:
frequency: Daily
retention: 30 days
tested: Monthly
last_review: 2025-01-15
next_review: 2025-07-15Data Lifecycle Management
数据生命周期管理
Lifecycle Stages
生命周期阶段
text
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ Create │───▶│ Store │───▶│ Use │───▶│ Archive │───▶│ Destroy │
└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘
│ │ │ │ │
▼ ▼ ▼ ▼ ▼
Classify Encrypt Monitor Restrict Certify
Label Access Ctrl Audit Log Read-only Disposaltext
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ Create │───▶│ Store │───▶│ Use │───▶│ Archive │───▶│ Destroy │
└─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘
│ │ │ │ │
▼ ▼ ▼ ▼ ▼
Classify Encrypt Monitor Restrict Certify
Label Access Ctrl Audit Log Read-only DisposalRetention Policy Implementation
保留政策实施
csharp
public class DataRetentionService
{
private readonly IRetentionPolicyProvider _policies;
private readonly IAuditLogger _auditLogger;
public async Task ApplyRetentionPolicies(CancellationToken ct)
{
var policies = await _policies.GetActivePolicies(ct);
foreach (var policy in policies)
{
var expiredData = await FindExpiredData(policy, ct);
foreach (var item in expiredData)
{
switch (policy.Action)
{
case RetentionAction.Archive:
await ArchiveData(item, policy, ct);
break;
case RetentionAction.Anonymize:
await AnonymizeData(item, policy, ct);
break;
case RetentionAction.Delete:
await SecureDelete(item, policy, ct);
break;
}
await _auditLogger.LogRetentionAction(item, policy, ct);
}
}
}
private async Task SecureDelete(DataItem item, RetentionPolicy policy, CancellationToken ct)
{
var classification = item.Classification;
switch (classification)
{
case DataClassification.Public:
case DataClassification.Internal:
// Standard deletion
await _repository.Delete(item.Id, ct);
break;
case DataClassification.Confidential:
// Secure deletion with verification
await _repository.SecureDelete(item.Id, ct);
await VerifyDeletion(item.Id, ct);
break;
case DataClassification.Restricted:
case DataClassification.TopSecret:
// Cryptographic erasure + verification
await _encryptionService.DestroyKey(item.EncryptionKeyId, ct);
await _repository.SecureDelete(item.Id, ct);
await VerifyDeletion(item.Id, ct);
await GenerateDeletionCertificate(item, ct);
break;
}
}
}csharp
public class DataRetentionService
{
private readonly IRetentionPolicyProvider _policies;
private readonly IAuditLogger _auditLogger;
public async Task ApplyRetentionPolicies(CancellationToken ct)
{
var policies = await _policies.GetActivePolicies(ct);
foreach (var policy in policies)
{
var expiredData = await FindExpiredData(policy, ct);
foreach (var item in expiredData)
{
switch (policy.Action)
{
case RetentionAction.Archive:
await ArchiveData(item, policy, ct);
break;
case RetentionAction.Anonymize:
await AnonymizeData(item, policy, ct);
break;
case RetentionAction.Delete:
await SecureDelete(item, policy, ct);
break;
}
await _auditLogger.LogRetentionAction(item, policy, ct);
}
}
}
private async Task SecureDelete(DataItem item, RetentionPolicy policy, CancellationToken ct)
{
var classification = item.Classification;
switch (classification)
{
case DataClassification.Public:
case DataClassification.Internal:
// Standard deletion
await _repository.Delete(item.Id, ct);
break;
case DataClassification.Confidential:
// Secure deletion with verification
await _repository.SecureDelete(item.Id, ct);
await VerifyDeletion(item.Id, ct);
break;
case DataClassification.Restricted:
case DataClassification.TopSecret:
// Cryptographic erasure + verification
await _encryptionService.DestroyKey(item.EncryptionKeyId, ct);
await _repository.SecureDelete(item.Id, ct);
await VerifyDeletion(item.Id, ct);
await GenerateDeletionCertificate(item, ct);
break;
}
}
}Disposal Certification
处置证明
csharp
public class DisposalCertificate
{
public required Guid CertificateId { get; init; }
public required DateTimeOffset DisposalDate { get; init; }
public required string DataDescription { get; init; }
public required DataClassification Classification { get; init; }
public required string DisposalMethod { get; init; }
public required string PerformedBy { get; init; }
public required string WitnessedBy { get; init; }
public required string VerificationMethod { get; init; }
public required bool VerificationPassed { get; init; }
public string? Notes { get; init; }
}csharp
public class DisposalCertificate
{
public required Guid CertificateId { get; init; }
public required DateTimeOffset DisposalDate { get; init; }
public required string DataDescription { get; init; }
public required DataClassification Classification { get; init; }
public required string DisposalMethod { get; init; }
public required string PerformedBy { get; init; }
public required string WitnessedBy { get; init; }
public required string VerificationMethod { get; init; }
public required bool VerificationPassed { get; init; }
public string? Notes { get; init; }
}Labeling and Tagging
标签标注
Document Labeling
文档标签
csharp
public class DocumentLabeler
{
public async Task<LabeledDocument> ApplyLabel(
Document document,
DataClassification classification,
CancellationToken ct)
{
var label = new ClassificationLabel
{
Level = classification,
AppliedAt = DateTimeOffset.UtcNow,
AppliedBy = _currentUser.Id,
ExpiresAt = classification >= DataClassification.Confidential
? DateTimeOffset.UtcNow.AddYears(1) // Require re-classification
: null
};
// Add visual header/footer
if (document.Type == DocumentType.Word || document.Type == DocumentType.PDF)
{
await AddVisualLabel(document, label, ct);
}
// Add metadata
document.Metadata["classification"] = classification.ToString();
document.Metadata["classification_date"] = label.AppliedAt.ToString("O");
document.Metadata["classification_by"] = label.AppliedBy;
// Apply protection
if (classification >= DataClassification.Confidential)
{
await ApplyProtection(document, classification, ct);
}
return new LabeledDocument
{
Document = document,
Label = label
};
}
}csharp
public class DocumentLabeler
{
public async Task<LabeledDocument> ApplyLabel(
Document document,
DataClassification classification,
CancellationToken ct)
{
var label = new ClassificationLabel
{
Level = classification,
AppliedAt = DateTimeOffset.UtcNow,
AppliedBy = _currentUser.Id,
ExpiresAt = classification >= DataClassification.Confidential
? DateTimeOffset.UtcNow.AddYears(1) // Require re-classification
: null
};
// Add visual header/footer
if (document.Type == DocumentType.Word || document.Type == DocumentType.PDF)
{
await AddVisualLabel(document, label, ct);
}
// Add metadata
document.Metadata["classification"] = classification.ToString();
document.Metadata["classification_date"] = label.AppliedAt.ToString("O");
document.Metadata["classification_by"] = label.AppliedBy;
// Apply protection
if (classification >= DataClassification.Confidential)
{
await ApplyProtection(document, classification, ct);
}
return new LabeledDocument
{
Document = document,
Label = label
};
}
}Classification Policy Template
分类政策模板
markdown
undefinedmarkdown
undefinedData Classification Policy
数据分类政策
1. Purpose
1. 目的
Establish consistent data handling based on sensitivity.
基于数据敏感度建立统一的数据处理规范。
2. Scope
2. 适用范围
All data created, collected, stored, or processed by [Organization].
[组织]创建、收集、存储或处理的所有数据。
3. Classification Levels
3. 分类等级
3.1 Public
3.1 公开
Data intended for public disclosure.
- Examples: Marketing materials, press releases
- Handling: No special requirements
用于公开披露的数据。
- 示例:营销资料、新闻稿
- 处理要求:无特殊要求
3.2 Internal
3.2 内部
General business information.
- Examples: Policies, procedures, org charts
- Handling: Access limited to employees
一般业务信息。
- 示例:政策文件、流程文档、组织架构图
- 处理要求:仅限员工访问
3.3 Confidential
3.3 机密
Business-sensitive information.
- Examples: Financial reports, contracts, strategies
- Handling: Need-to-know access, encryption required
业务敏感信息。
- 示例:财务报告、合同、战略规划
- 处理要求:按需知晓访问权限,需加密
3.4 Restricted
3.4 受限
Highly sensitive, regulated data.
- Examples: PII, PHI, payment card data
- Handling: Strict access control, MFA, encryption, audit logging
高度敏感、受监管的数据。
- 示例:PII、PHI、支付卡数据
- 处理要求:严格访问控制、MFA、加密、审计日志
4. Roles and Responsibilities
4. 角色与职责
Data Owner
数据所有者
- Assign classification level
- Approve access requests
- Review classification annually
- 指定数据分类等级
- 审批访问请求
- 每年审核分类情况
Data Custodian
数据管理员
- Implement technical controls
- Manage access permissions
- Monitor for violations
- 实施技术控制措施
- 管理访问权限
- 监控违规行为
All Employees
所有员工
- Handle data per classification
- Report misclassification
- Protect sensitive data
- 根据分类要求处理数据
- 报告分类错误
- 保护敏感数据
5. Handling Requirements
5. 处理要求
[See matrix above]
[参见上方矩阵]
6. Non-Compliance
6. 不合规处理
Violations subject to disciplinary action.
违规行为将受到纪律处分。
7. Review
7. 政策审核
Policy reviewed annually.
undefined政策每年审核一次。
undefinedClassification Checklist
分类检查清单
Implementation
实施阶段
- Define classification levels
- Create handling requirements matrix
- Identify data owners
- Conduct data inventory
- Apply classifications to existing data
- Implement technical controls
- Train employees
- 定义分类等级
- 创建处理要求矩阵
- 确定数据所有者
- 开展数据清单梳理
- 为现有数据分配分类
- 实施技术控制措施
- 开展员工培训
Ongoing
持续运营
- Annual classification review
- New data assessment
- Access review
- Control effectiveness testing
- Policy updates
- 每年审核分类情况
- 评估新数据分类
- 审核访问权限
- 测试控制措施有效性
- 更新政策
Cross-References
交叉引用
- GDPR: for personal data
gdpr-compliance - HIPAA: for health data
hipaa-compliance - Security: for controls
security-frameworks
- GDPR:针对个人数据的
gdpr-compliance - HIPAA:针对健康数据的
hipaa-compliance - 安全:针对控制措施的
security-frameworks