Data Classification SOP

Sub-procedure for Innovate pillar digital transformation

Overview

This sub-procedure defines the methodology for classifying data assets based on sensitivity, regulatory requirements, and business impact. Classification enables appropriate security controls, access management, and compliance with data protection regulations.

Scope

Pillar: Innovate (Digital Transformation) Service Area: Data Governance Related Services: Compliance (HIPAA, SOC 2, PCI), Security

Prerequisites

• Data inventory completed (system and asset level)
• Data classification policy approved
• Regulatory requirements identified (HIPAA, PCI, GDPR, etc.)
• Classification schema defined and approved
• Data owners identified and engaged
• Classification tooling available (if automated)

Procedure

Step 1: Classification Framework Definition

Objective: Establish classification schema and criteria

1. Define classification levels:

Level	Label	Description	Examples
1	Public	No restrictions, publicly available	Marketing materials, public website
2	Internal	Internal use only, low sensitivity	Internal memos, org charts
3	Confidential	Business sensitive, restricted access	Financial data, contracts
4	Highly Confidential	Sensitive personal or regulated data	PII, PHI, payment data
5	Restricted	Highest sensitivity, strict controls	Trade secrets, credentials

1. Define classification criteria:
2. Regulatory applicability (HIPAA, PCI, GDPR)
3. Business impact if disclosed
4. Reputational impact
5. Legal/contractual requirements
6. Map regulations to data types
7. Define handling requirements per level
8. Document classification decision tree

Duration: 2-3 days Owner: Data Governance Lead / Security Lead

Step 2: Automated Discovery (if applicable)

Objective: Identify sensitive data using scanning tools

1. Configure data discovery tool:
2. Define scan targets (databases, files, cloud storage)
3. Configure detection patterns (SSN, credit card, PHI)
4. Set up sampling parameters
5. Execute discovery scans
6. Review and validate findings
7. Address false positives
8. Export discovery results for manual review

Duration: 3-5 days Owner: Data Engineer / Security Analyst

Step 3: Manual Classification Assessment

Objective: Classify data assets with business context

For each data asset/table:

1. Review data contents and purpose
2. Identify personal identifiable information (PII):
3. Names, addresses, phone numbers
4. Email addresses
5. Government IDs (SSN, passport)
6. Biometric data
7. Identify protected health information (PHI)
8. Identify financial/payment data (PCI scope)
9. Identify business confidential data
10. Assign classification level
11. Document classification rationale
12. Identify applicable regulations

Duration: 5-10 days (varies by scope) Owner: Data Analyst / Data Stewards

Step 4: Data Owner Validation

Objective: Validate classifications with data owners

1. Present classification results to data owners
2. Review classification rationale
3. Address disagreements and edge cases
4. Update classifications based on feedback
5. Obtain data owner approval
6. Document exceptions and rationale

Duration: 2-3 days Owner: Data Governance Lead

Step 5: Control Mapping

Objective: Map security controls to classification levels

1. Define control requirements per level:

Level	Access Control	Encryption	Logging	Retention	Disposal
Public	None	Optional	Basic	Flexible	Standard
Internal	Role-based	In transit	Standard	Policy-based	Standard
Confidential	Need-to-know	At rest + transit	Enhanced	Policy-based	Secure delete
Highly Confidential	Strict ACL	At rest + transit	Full audit	Regulatory	Certified disposal
Restricted	Explicit approval	Strong encryption	Full audit + alert	Minimal	Cryptographic erasure

1. Document control requirements
2. Identify control gaps
3. Create remediation roadmap
4. Prioritize based on risk

Duration: 2-3 days Owner: Security Lead

Step 6: Classification Publication

Objective: Publish and operationalize classifications

1. Update data catalog with classifications
2. Apply data labels/tags (if tooling supports)
3. Configure access controls based on classification
4. Update data handling procedures
5. Communicate classifications to stakeholders
6. Train data handlers on classification requirements
7. Establish classification review cadence (annual)

Duration: 2-3 days Owner: Data Governance Lead

Deliverables

Deliverable	Format	Owner
Classification Policy	Word/PDF	Data Governance Lead
Classification Schema	Word/PDF (appendix to policy)	Data Governance Lead
Classified Data Inventory	Excel/Data Catalog	Data Analyst
PII/PHI Inventory	Excel (restricted)	Security Lead
Control Mapping Matrix	Excel	Security Lead
Classification Training	PowerPoint/LMS	Data Governance Lead
Gap Remediation Plan	Excel/Project	Security Lead

Quality Gates

• Classification schema approved by legal/compliance
• 100% of in-scope data assets classified
• Automated discovery completed (if applicable)
• Data owner validation completed
• Control requirements mapped to classifications
• High/critical gaps identified with remediation plan
• Data catalog updated with classifications
• Staff trained on classification handling

Regulatory Mapping

Regulation	Data Types	Classification	Key Requirements
HIPAA	PHI (health information)	Highly Confidential	Access controls, encryption, audit
PCI DSS	Cardholder data	Highly Confidential	Encryption, network segmentation
GDPR	EU personal data	Confidential/Highly Confidential	Consent, data subject rights
CCPA	California personal data	Confidential	Opt-out, deletion rights
SOC 2	Customer data	Confidential	Security controls, monitoring
FERPA	Student records	Highly Confidential	Access restrictions, consent

Related Documents

• Cross-Pillar SOPs
• Data Inventory SOP
• Data Protection SOP
• Security Policy SOP
• HIPAA Gap SOP
• Templates

---

Last Updated: February 2026