Data Classification Standard
The following document is an adaptation of UC Berkeley's Data Classification Standard. It is with their permission that these classifications are used as the framework for OutWorlders' own data classifications as long as the use is "exclusively for non-commercial purposes [and] attribution is provided to UC Berkeley."
Issue Date: April 10, 2018
Effective Date: [TBD/Draft Status]
Contact: Internet Coordinator, firstname.lastname@example.org
This document is a framework for assessing data sensitivity, measured by the adverse impact a breach of the data would have upon the organization. This standard provides the foundation for establishing protection profile requirements for each class of data.
For assistance with this standard, contact email@example.com.
This document covers OutWorlders member data. OutWorlders member data is information prepared, managed, used, or retained by an operating unit or volunteer of OutWorlders' Inc. relating to the activities or operations of the Organization. OutWorlders member data does not include individually-owned data, which is defined as an individual’s personal information that is not related to Organizational business.
This classification does not cover evaluation of data availability requirements.
Data classification does not alter public information access requirements. Federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.
Considerations for evaluating the potential adverse impact to the Organization due to loss of data confidentiality or integrity include:
- Loss of critical organization operations
- Negative financial impact (money lost, lost opportunities, the value of the data)
- Damage to the reputation of the Organization
- The potential for regulatory or legal action
- The requirement for corrective actions or repairs
- Violation of the Organization's mission, policy, or principles
Data Classification Table
| Data Class | Adverse Impact | Sample Data (not an exhaustive list) |
|---|---|---|
| Protection Level 3 | Extreme | Data that creates extensive "shared-fate" risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles. |
| Protection Level 2 | High | Data elements with a statutory requirement for notification to affected parties in case of a confidentiality breach: |
| Protection Level 1 | Moderate | Information intended for release only on a need-to-know basis, including personal information not otherwise classified as Level 0, 2 or 3, and data protected or restricted by contract, grant, or other agreement terms and conditions, e.g.,: |
| Protection Level 0 | Limited or None | Information intended for public access, e.g.,: |
If a data compromise would cause further and extensive data compromise from multiple (even unrelated) sensitive systems, the data creating this "shared-fate" risk warrants an elevated data protection level.