After this lesson, you will be able to: Classify data into tiers and understand why classification drives every other control.
You can't protect what you haven't categorized. Data classification assigns sensitivity tiers, public, internal, confidential, restricted, and each tier triggers specific controls (encryption, access, retention).
Public, anyone can see (marketing pages, press releases). Internal, employees only (org charts, internal wikis). Confidential, restricted to specific roles (HR, financial reports). Restricted, strictly need-to-know (PII, source code, M&A docs, encryption keys).
1. Define tiers in policy (CEO/CISO sign-off).
2. Create labels (Microsoft Purview, Google Drive labels).
3. Train employees: every new doc gets a label.
4. Use auto-classification (regex/ML) for legacy data.
5. Audit, sample documents, check labels match content.
PII (Personally Identifiable Information): names, SSNs, emails. PHI (Protected Health Information): governed by HIPAA. PCI (Payment Card Information): governed by PCI-DSS. Each triggers its own legal requirements.
Choose: Public, Internal, Confidential, Restricted.
Sign in and purchase access to unlock this lesson.