Security station
Read Time, 5 min.

Data classification – the first step to protecting your companies sensitive data 

Data classification provides one of the most basic ways for organisations to determine and assign relative values to the data they possess. The process of data classification allows you to categorise your stored data by sensitivity and business impact so you understand associated risks with the data. Once complete, you can manage your data in ways that reflect its value to your company, instead of treating all data the same way.

Data exists in one of three basic states: at rest, in process, and in transit. All three require unique technical solutions for data classification, but the applied principles of data classification should be the same for each. Data that is classified as confidential needs to stay confidential when at rest, in process, and in transit.

Data can also be either structured or unstructured. Typical classification processes for structured data found in databases and spreadsheets are less complex and time-consuming to manage than those for unstructured data such as documents, source code, and email. Generally, business have more unstructured data than structured data.

Controlling access to data  

Authentication and authorization are often confused with each other and their roles misunderstood.

Authentication typically consists of at least two parts: a username or user ID to identify a user and a token, such as a password, to confirm that the username credential is valid. Authorization is the process of providing a user with access to an application, data set, file, or some other object. Assigning authenticated users the rights to use, modify or delete items, first requires a focus on classification.

Roles and responsibilities  

Authorization requires an understanding of the roles and responsibilities of a organization, cloud providers, and customers. Your cloud providers must have practices in place to prevent unauthorized access to customer data and they must be able to meet and support your compliance requirements. Cloud providers can help you manage risks but YOU need to ensure that your business’ data classification management is properly implemented first. Data classification responsibilities will vary based on which cloud service model is in place

diagram explaining the diferent responsibility for different cloud services

Classification process – where to begin?   

Many companies understand the need for data classification and want to implement it but face the same basic challenge: where to begin?  One effective and simple way to implement data classification is to use the PLAN, DO, CHECK, ACT model from the Microsoft Operations Framework (MOF).

  1. PLAN. Identify your data assets, and a data custodian to deploy the classification program, and develop protection profiles.
  2. DO. After you have agreed upon your data classification policies, deploy the program and implement enforcement technologies as needed for confidential data.
  3. CHECK. Check and validate reports to ensure that the tools and methods being used are effectively addressing the classification policies.
  4. ACT. Review the status of data access and review files and data that require revision using a reclassification and revision methodology to adopt changes and to address new risks.

Data Classification Model

Select Your Terminology 

Classification sensitivity levels table

Confidential (restricted) – This is typically Information that is classified as confidential or restricted can be catastrophic if compromised or lost. (Personal data, including personally identifiable information such as Social Security or national identification numbers, passport numbers, credit card numbers, driver’s license numbers, medical records, and health insurance policy ID number, Financial records, or specific intellectual property, Legal data, including potential attorney-privileged material)

For internal use only (sensitive)Information that is classified as sensitive, would not have a severe impact if lost or destroyed (email, excluding mailboxes from those identified as confidential). Types of data that can be considered sensitive such as extended personal data (for example, in the context of the EU GDPR), IP addresses, cookie identifiers, RFID tags, and location data. So anything that is not confidential. This classification can include most business data, because most files that are managed or used day-to-day can be classified as sensitive.

Public (unrestricted). Information that is classified as public includes data and files that are not critical to business needs or operations. This classification can also include data that has deliberately been released to the public for their use, such as marketing material or press announcements.

Define data ownership 

It’s important to establish a clear custodial chain of ownership for all data assets. The following table shows different ownership roles in data classification efforts and their respective rights.

Data ownership Roels and rights in data classification

  • The data ‘owner’ is the original creator of the data, who can delegate ownership and assign a custodian. When a file is created, the owner should be able to assign a classification, which means that they have the responsibility to understand what needs to be classified as confidential based on company policy.
  • Typically a ‘custodian’ can be implemented in an automated system. A custodian ensures that necessary access controls are provided and is responsible for managing and protecting assets.
  • An ‘administrator’ is responsible for ensuring that integrity is maintained, but they are not a data asset owner, custodian, or user. In fact, many administrator roles provide data container management services without having access to the data e.g. backup and restoration of the data, maintaining records of the assets, and choosing, acquiring, and operating the devices and storage that house the assets.
  • The ‘user’ includes anyone who is granted access to data or a file.

Data classification is the first step on the road to creating a framework for protecting your organisations’ sensitive data. The follow-on themes are:

  • Data retention, recovery, and disposal
  • Protecting confidential data
  • Data loss prevention

Today’s Technology today will allow you the right level of protection so that encryption travels with the data (or file), so you remain in control of who has access to your data, whether in the cloud, existing IT infrastructure, or on a user’s desktop and that your classified data remains confidential when at rest, in process, and in transit.

Free eBook: A crash course in security management - the keys to a better security posture

The way you manage your data and device security is a top priority in an evolving cyberthreat landscape

Discover more related articles per industry:


  • Surface Go

    Put more power in the hands of your Firstline Workers, wherever they are

    Firstline Workers are the day-to-day heroes of our public services; they’re often the first to engage with citizens, the first to represent your organization, and put your services into action. However, they’re often the last to get access to the latest technology. Better technology makes productivity more effective, by saving time and money, streamlining operations […]

Discover more related articles per dossier:

Customer Stories

  • Security Considerations for a Hybrid Working Environment

    Security Considerations for a Hybrid Working Environment

    Over the past 20 months, we’ve seen significant changes in the cyber security threat landscape that are having a major impact on organisations of every size in every sector. The frequency and sophistication of cyber events have increased significantly. Unfortunately, this has security implications, which need to be closely managed to mitigate the risks across the organisation. Microsoft recently released […]

Digital Transformation

  • Sofie using Surface in airport lounge

    Why technology is key to keeping a creative team connected

    The one-size-fits-all approach no longer works. Set working hours and rigidly defined job roles are out; flexibility and creativity are in. Everybody wants a ‘fluid’ workplace, where the boundaries between our work and our passions are blurred. Work should be fun. It should be empowering. It should be fulfilling. Defining how, where and when you work is a huge pull for talented […]

Security & Privacy


  • Microsoft Protect center

    Data in motion – how to protect it – 5 Key Considerations

    Data in motion – how to protect it – 5 Key Considerations  Now, more than ever, it’s critical to protect your data at the file level. Data is the most valuable asset you control. Losing intellectual property, a customer’s personally identifiable information (PII), financial information, and confidential memos can cause substantial damage. But it’s not […]