Data Classification: Government vs Commercial Models and Why It Matters
Data classification is the process of organising data into categories based on its sensitivity, value, and the impact of its unauthorised disclosure, modification, or destruction. For the CISSP exam, data classification is fundamental to Domain 2 (Asset Security) because it drives all subsequent data protection decisions: what controls to apply, who can access data, how long to retain it, and how to dispose of it securely.
The exam tests both the classification models themselves and the roles responsible for classification decisions. Getting these roles wrong is one of the most common errors on Domain 2 questions.
Government Classification: Levels and Their Meanings
Government classification systems are designed to protect national security information. In the United States, Executive Order 13526 establishes three levels of classified information; information that does not meet the criteria for any of them remains unclassified.
Top Secret is the highest level of classification. It is applied to information whose unauthorised disclosure could reasonably be expected to cause exceptionally grave damage to national security. Examples include intelligence sources and methods, war plans, and cryptographic keys used by intelligence agencies. Access to Top Secret information requires a Top Secret security clearance, which involves an extensive background investigation.
Secret is the middle classification level. It is applied to information whose unauthorised disclosure could reasonably be expected to cause serious damage to national security. Examples include military plans, foreign government information, and technical data for weapons systems. Access requires a Secret clearance.
Confidential is the lowest level of classified information. It is applied to information whose unauthorised disclosure could reasonably be expected to cause damage to national security. Access requires a Confidential clearance. This level is used for information that is sensitive but less critical than Secret or Top Secret.
Unclassified is not a security level but the absence of classification. Information that does not meet the criteria for classification may still be sensitive. It may be marked Sensitive But Unclassified (SBU), For Official Use Only (FOUO), or Controlled Unclassified Information (CUI) to indicate that it requires some protection even though it is not formally classified. CUI, established by Executive Order 13556 in 2010, is the current federal programme and is replacing the older agency-specific SBU and FOUO markings.
For the exam: government classification is based on the impact of unauthorised disclosure on national security. Access follows the need-to-know principle — having a clearance at a given level does not automatically grant access to all information at that level. The individual must also have a specific need to know.
Commercial Classification: A More Practical Model
Commercial organisations do not typically use the government classification hierarchy. Instead, they use a tiered model based on the sensitivity and business impact of the data.
The most common commercial classification scheme has four levels, though organisations may use different names:
Confidential (or Restricted) is the highest commercial classification level. It is applied to the most sensitive business information whose unauthorised disclosure could cause significant harm to the organisation. Examples include trade secrets, merger and acquisition plans, source code, and personally identifiable information in certain contexts. Access is restricted to specific named individuals or roles.
Private (or Internal Use Only) is applied to information that is sensitive to the organisation but would cause moderate harm if disclosed. Examples include employee records, internal financial reports, and internal strategy documents. Access is restricted to employees on a need-to-know basis.
Sensitive (or Proprietary) is applied to information that requires some protection but whose disclosure would cause limited harm. Examples include internal process documentation, general business correspondence, and training materials.
Public (or Unclassified) is applied to information intended for public release. Examples include press releases, published financial statements, and marketing materials. No access restrictions apply.
For the exam: the exact labels vary by organisation, but the concept is consistent. Know that commercial classification is based on business impact of disclosure, not national security impact.
Data Classification Roles: Owners, Custodians, and Users
This is the area of data classification most heavily tested on the CISSP exam. The three roles — data owner, data custodian, and data user — have distinct responsibilities that must not be confused.
The data owner is the individual or organisational unit that has ultimate accountability for a data asset. The data owner decides what classification label to apply (based on the data's sensitivity and value), who should be granted access, what controls are appropriate, how long the data should be retained, and when it should be destroyed. The data owner is typically a business executive or process owner, not an IT person. A VP of Sales owns the customer relationship management data. A CFO owns the financial records. The data owner is responsible for classifying data and is accountable for data security decisions.
The data custodian is the individual or team responsible for implementing the security controls specified by the data owner. Custodians are typically IT staff: database administrators, systems administrators, and security engineers. The custodian backs up the data, enforces access controls as directed by the owner, maintains audit logs, and ensures the data is stored securely. The custodian does not make security policy decisions — they implement them.
The data user is any individual who accesses and uses data within the constraints established by the owner and implemented by the custodian. Users have an obligation to use data only for its intended purpose, handle it according to its classification, and report suspicious activity or policy violations.
A fourth role worth knowing: the data processor (from GDPR terminology) is an entity that processes personal data on behalf of, and under the instructions of, the data controller, the party that determines the purposes and means of processing and that corresponds roughly to the data owner in CISSP terms. In practice the processor is usually a separate organisation, which is why the distinction matters in cloud and outsourcing contexts.
For the exam: the single most tested distinction is data owner vs data custodian. When a question asks who is responsible for classifying newly created data — the data owner. When a question asks who implements access controls — the data custodian.
Asset Classification Beyond Data
Data classification is the most prominent aspect of Domain 2, but asset classification applies to all organisational assets, not just data.
Hardware assets include servers, workstations, network devices, storage media, and mobile devices. Classification of hardware assets considers the sensitivity of the data they process or store and the criticality of the function they perform. A server storing Top Secret data requires physical security controls proportionate to the data it holds.
Software assets include operating systems, applications, and licensed software. Classification considers the sensitivity of the functions performed, the data accessed, and the licence restrictions on use. Unauthorised copying of commercial software is both a security concern and a legal liability.
Intangible assets include intellectual property, trade secrets, patents, and the organisation's reputation. These are among the hardest to classify precisely because their value is difficult to quantify, but they are often the organisation's most valuable assets from a competitive perspective.
The asset inventory is the starting point for classification. An organisation cannot protect what it does not know it has. Asset discovery and inventory management are therefore prerequisites to effective classification.
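The need-to-know rule from the government model earlier on this page (a clearance at a given level does not by itself grant access; the subject must also hold the specific need-to-know category) and the hardware rule in this section (an asset is protected to the level of the most sensitive data it holds) are two uses of the same ordering over labels. The following Python is an added example and not code from the article: a minimal label lattice with a dominance check for read access, plus a high-water-mark function that derives an asset's label from its contents. The compartment names (CRYPTO, WARPLANS) and every label assigned below are constructed for illustration, not real markings.

```python
"""Classification labels as a lattice: level plus need-to-know compartments.

Added example for illustration; compartment names are constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Hierarchical levels from Executive Order 13526 plus the unclassified baseline,
# ordered by the damage unauthorised disclosure could cause (higher = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    # Need-to-know categories. Names like "CRYPTO" are constructed for the example.
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as sensitive as `other` on BOTH axes:
        the hierarchical level is >= AND every compartment `other` carries is
        present here. This is the dominance relation used by lattice-based MAC."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(clearance: Label, data: Label) -> bool:
    """Read access requires the subject's clearance to dominate the object's label.
    A Top Secret clearance without the object's compartment is denied: level and
    need-to-know are separate conditions, and both must hold."""
    return clearance.dominates(data)


def asset_label(contents: Iterable[Label]) -> Label:
    """High-water mark for an asset (server, disk, backup tape): its label is the
    highest level of anything stored on it and the union of all compartments, so
    physical and logical controls are sized to the most sensitive content.
    An asset holding nothing is unclassified."""
    contents = list(contents)
    level = max((c.level for c in contents), key=LEVELS.__getitem__, default="UNCLASSIFIED")
    compartments = frozenset().union(*(c.compartments for c in contents))
    return Label(level, compartments)


if __name__ == "__main__":
    # Constructed subjects and objects for the demonstration.
    analyst = Label("TOP SECRET", frozenset({"CRYPTO"}))
    generalist = Label("TOP SECRET")            # high level, no compartments
    key_material = Label("SECRET", frozenset({"CRYPTO"}))

    print("analyst reads key material:   ", can_read(analyst, key_material))      # True
    print("generalist reads key material:", can_read(generalist, key_material))   # False
    print("server label:", asset_label([Label("CONFIDENTIAL"), key_material]))
```

The second `print` is the case the exam is pointing at: the generalist holds a Top Secret clearance, which exceeds the data's Secret level, yet is denied because the CRYPTO compartment is missing. Swapping the `<=` subset test for a level-only comparison would silently turn need-to-know into "cleared at or above", which is the error the model is designed to prevent.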
Scenario: Who Is Responsible for Classifying Newly Created Data?
This scenario appears directly on the exam. An employee creates a new document containing the results of a security audit. Who is responsible for classifying it?
The answer is the data owner — the individual with business accountability for that data. In practice, this is the manager responsible for the security function, or the CISO, not the employee who created the document. The creating employee may be responsible for initially applying a classification label as a practical matter, but the accountability for correct classification rests with the data owner.
Distractors in this question type include the data custodian (who implements controls but does not classify) and the security administrator (who manages access but does not determine classification).
Exam Tip
Data owners classify. Custodians protect. Users consume. This distinction appears in multiple question types across Domains 2, 5, and 7. Whenever a question asks who makes a security policy decision about data, the answer is the owner. Whenever a question asks who implements a technical control, the answer is the custodian.