# Data Classification (Governance Overview)

One-sentence definition: Organizational labeling of information (e.g., Public, Internal, Confidential, Restricted) to guide handling and protection.

## Key Facts

- Owners assign classifications; custodians implement handling controls.
- Drives access control, encryption, retention, and sharing rules.
- Must be simple, consistent, and communicated (labels/markings).
- Includes data lifecycle: create → store → use → share → archive → destroy.
- Exceptions require owner approval and logging.
- Ties to legal/regulatory data types (PII, PHI, PCI data).
- **Label:** **Handling** rules derive from classification.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose appropriate control set by classification level.

**Mnemonic:** “Label → Handle.”

## Mini Scenario

Q: A vendor requests sample data; what’s first?

A: Check classification; use anonymization or a DUA (data use agreement) if sensitive.

## Revision Checklist

- List 4 typical classification levels.
- Name 3 handling controls for “Confidential.”
- Identify who assigns classification.

## Related

[[Security Roles and Responsibilities]] · [[Security Governance]] · [[Compliance and Regulatory Concepts]] · [[Privacy Principles and Data Protection]] · [[Control Types and Categories]] · [[Domain 1 - Index]]