# Data Classification Levels and Handling Rules

**One-sentence definition:** Tiered sensitivity labels (e.g., Public, Internal, Confidential, Restricted), each with a prescribed set of handling controls.

## Key Facts

- Data owners assign labels; data custodians enforce them through technical and administrative controls.
- Handling rules cover the whole lifecycle: encryption (in transit and at rest), access control, sharing, logging, retention, and disposal.
- Keep schemes simple (3–5 levels); more levels mean more misclassification.
- Levels should map to legal and contractual categories (PII/PHI/PCI), so a legal obligation translates into a known label.
- Labels must travel with the data (metadata, watermark, headers) and be machine-readable, so technical controls such as DLP can act on them.
- Review classification periodically; reclassify when context changes (e.g., embargoed data after public release, or aggregated data that becomes more sensitive).
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose the correct control set for a given label.

**Mnemonic:** “Label → Handle.”

## Mini Scenario

Q: An email contains Restricted data. What must policy require?

A: Encryption in transit, recipients limited to authorized parties, and no forwarding without approval.

## Revision Checklist

- List 4 levels and one control for each.
- Who assigns classification, and who enforces it?
- How should labels persist as data moves?

## Related

[[Data Labeling and Marking]] · [[Access Control to Data Assets]] · [[Data Minimization and Purpose Limitation]] · [[Record Management and Data Retention]] · [[Data Loss Prevention (DLP)]] · [[Domain 2 - Index]]