Data Classification Template

This document provides a data classification template for an organization to define data classification levels and roles and responsibilities. It outlines four classification levels - Public, Sensitive, Confidential, and Regulated. Public data has no restrictions, while Sensitive data requires verification before release. Confidential data is exempt from public records laws, and Regulated data must comply with federal controls. The template assigns roles for data custodians, owners, security officers, legal officers, managers, and users to identify, label, and protect data according to its classification.


1. General Information


ORGANIZATION [Insert name of organization here]
DATE ADOPTED [Insert date adopted here]

2. Data Classification Levels

Definition
  Public: Information that is freely and without reservation made available to the public.
  Sensitive: Information that could be subject to release under an open records request, but should be controlled to protect third parties.
  Confidential: Information that typically is excepted from the Public Information Act.
  Regulated: Information that is controlled by a state or federal regulation or other third-party agreement.

Justification
  Public: Access to some information, such as published reports, agency news, and other public-related materials, does not need to be tracked or monitored. In such circumstances, it is most efficient to keep the information available for citizen access without requiring the intervention of state employees.
  Sensitive: Some information, even though it is available to the public, may contain sensitive information. Such data should be vetted/verified before it is released. By protecting access to the data and requiring an open records request, the organization ensures that the most accurate and relevant data is provided to the requestor without accidentally disclosing confidential data.
  Confidential: State agencies and institutes of higher education collect and maintain some information that is protected from disclosure, either through a codified exception to the Public Information Act or through opinions or decisions of the Attorney General's Public Information office. Such information may also be subject to breach notification requirements under Texas law.
  Regulated: Many agencies and institutes of higher education interact with the federal government or perform services that are regulated by federal rules and laws. In such instances, the information maintained by those agencies must comply with federal controls.

Examples
  Public: Information that is published to the public website and requires no authentication
    • Agency publications
    • Press releases
    • Public web postings
  Sensitive: Data that meets the definition of PII under the Texas Business and Commerce Code §521.002(a)(1) and §521.002(a)(2)
    • Employee records
    • Gross salary information
  Confidential: Data that has been excepted from public release under the Texas Government Code Ch. 552, or data whose public release may result in adverse consequences to the organization
    • Attorney-client communications
    • Computer vulnerability reports
    • Protected draft communications
    • Net salary information
  Regulated: Data that meets the definition of SPI under the Texas Business and Commerce Code §521.002(a)(1) and §521.002(a)(2): HIPAA Security (45 CFR Part 164), PCI DSS v2.0, FTI, FICA, tax information

Consequence of Public Disclosure
  Public: No adverse consequences
  Sensitive:
    • Loss of reputation
    • Loss of trust
  Confidential: Potential criminal or civil penalties
  Regulated: Federal investigation or loss of right to collect revenue

Sample Security Controls
  (Left blank in the template for all four levels.)

3. Roles and Responsibilities

Data Custodian (all levels)
  • Ensure systems support access controls which enforce data classification

Data Owner (all levels)
  • Identify the classification level of data
  • Review audit logs

Information Security Officer (all levels)
  • Develop and maintain information security policies, procedures, and guidelines
  • Provide guidance on data classifications

Legal and/or Privacy Office (Public Information Officer) (all levels)
  • Develop and maintain information security policies, procedures, and guidelines
  • Provide guidance on data classifications

Managers
  Public: n/a
  Sensitive, Confidential, Regulated:
    • Ensure users are aware of data classification requirements
    • Monitor user activities to ensure compliance

Users
  Public: n/a
  Sensitive, Confidential, Regulated:
    • Identify, and label where appropriate, data
    • Properly dispose of data

DATA CLASSIFICATION TEMPLATE PAGE 1 OF 4


4. Data Controls

Marking
  Public: n/a
  Sensitive:
    • All sensitive data shall be marked as such
    • Special handling instructions must be provided
  Confidential, Regulated:
    • All sensitive data shall be marked as such
    • Special handling instructions must be provided
    • Each page if loose sheets
    • Front and back covers, and title page if bound

Handling
  Public, Sensitive: n/a
  Confidential, Regulated: Confidential data shall only be given to those persons with authorization and a need to know

Duplication
  Public: n/a
  Sensitive: Information to be duplicated for business purposes or in response to an "Open Records" request only
  Confidential, Regulated: Employees can duplicate confidential documents with the data owner's authorization

Mailing
  Public, Sensitive, Confidential: n/a
  Regulated:
    • Confirmation of receipt required
    • May require double-packaged delivery. The outside of the package is not marked; the inside paperwork is appropriately marked.

Disposition
  Public, Sensitive:
    • Disposition based on requirements of the records retention schedule
  Confidential, Regulated:
    • Disposition based on requirements of the records retention schedule
    • Physical destruction required (e.g. shredding)
    • Destruction must be verified by agency personnel

Storage of hardcopy
  Public:
    • Store a "Master copy" in compliance with records retention schedule
  Sensitive, Confidential, Regulated:
    • Store a "Master copy" in compliance with records retention schedule
    • Documents should be locked up when not in use (e.g., in locked desk, cabinet or office)

Storage on fixed media
  Public: n/a
  Sensitive:
    • Access is password controlled
  Confidential, Regulated:
    • Access is password controlled
    • Encryption required

Storage on removable media
  Public: n/a
  Sensitive: Encryption recommended
  Confidential, Regulated: Encryption required

5. Access Controls

Granting Access Rights
  Public: No restrictions
  Sensitive, Confidential, Regulated: Data owner only

Read Access
  Public, Sensitive:
    • Information owner defines permissions by user/role
  Confidential, Regulated:
    • Information owner defines permissions by user/role
    • Access highly restricted or controlled

Update Access
  Public:
    • Information owner defines permissions by user/role
  Sensitive, Confidential, Regulated:
    • Information owner defines permissions by user/role
    • Controls (e.g., separation of duties) needed for processes and transactions that are susceptible to fraudulent or other unauthorized activities

Delete Access
  Public, Sensitive:
    • Information owner defines permissions by user/role
  Confidential, Regulated:
    • Information owner defines permissions by user/role
    • Controls (e.g., separation of duties) needed for processes and transactions that are susceptible to fraudulent or other unauthorized activities

6. Transmission Controls

Print Controls
  Public: No restrictions
  Sensitive: Information owner defines permissions
  Confidential, Regulated: Output routed to a pre-defined printer and monitored, or secure printing enabled

Transmission by public network
  Public: No restrictions
  Sensitive: Encryption recommended
  Confidential, Regulated: Encryption required

Release to Third Parties
  Public, Sensitive: No restrictions
  Confidential, Regulated: Owner approval and Non-Disclosure Agreement



7. Audit Controls

Tracking Process by Log
  Public, Sensitive: n/a
  Confidential, Regulated: Recipients, copies made, locations, addresses, those who viewed, and destruction

Auditing access activity
  Public: n/a
  Sensitive, Confidential, Regulated: IT system should be configured to log all violation attempts. Audit trails should be maintained to provide for accountability of modifications to information resources and for all changes to automated security/access rules.

Retention criteria for Access Reports
  All levels: Logs must be retained in accordance with records retention guidelines

Retention criteria for Access Reports (violation logs)
  Public: n/a
  Sensitive, Confidential, Regulated: The owner determines retention of violation logs

Classification review cycle timeframe
  Public, Sensitive: Review & affirm date must be set but flexible, i.e., 1-2 years
  Confidential, Regulated: Info Owner must review & affirm all info classification and user rights, not to exceed 1 year

8. Notification Requirements

Required Disclosure to Data Subject
  All levels: No disclosure of public information

Required Disclosure to Public
  All levels: No disclosure of public information

Required Disclosure to Federal Partners
  All levels: No disclosure of public information

Required Disclosure to State Partners
  All levels: No disclosure of public information

Required Disclosure to Third Parties
  All levels: No disclosure of public information



Term / Definition / Reference
  (Column headings of the template's definitions table; no entries are filled in.)
