Why this matters (and isn't a 40-page policy)
Data classification gets a bad reputation as a paperwork exercise. The reality is simpler: four buckets, knowing which bucket your data is in, and where each bucket is allowed to go. That's the whole thing.
The honest premise
Data classification exists because:
- Not all data carries the same risk. Losing a public marketing brochure is fine. Losing 100,000 customer SSNs is a reportable breach with regulatory penalties.
- Different controls cost different amounts. Encrypting everything strongly is expensive and slow. You want strong controls on data that needs them and lighter controls on data that doesn't.
- Regulators care. PCI, HIPAA, GDPR, CCPA, and dozens of state laws each have specific definitions of "sensitive data" with specific handling requirements.
Most companies' classification policies are too long. The useful version fits on one page.
The four buckets
We use four levels:
1. Public
- Marketing pages, job descriptions, press releases, public docs
- Shareable anywhere — that's literally what "public" means
2. Internal
- Team plans, meeting notes, internal Slack/Teams, project documents that aren't customer-facing
- Shareable with employees and approved partners under NDA
- The "default" for most work artifacts
3. Confidential
- Customer data, employee data, financials, strategic plans, source code
- Shareable only with people who need it for their job (need-to-know)
- Most of the data that matters lives here
4. Restricted
- Passwords, payment card numbers, social security numbers, health records, government-restricted data, attorney-privileged material
- Almost no one should have it; if you do, treat it like uranium
- Tightly logged, often legally regulated
How to think about it
When you're about to share something, ask:
- What's the most sensitive item in here? (One restricted item makes the whole document restricted)
- Who needs to see this for their job?
- Is the destination approved for that level?
If you can answer those three, you're 90% of the way to making good decisions.
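The three questions above, written as a small policy-as-code check. This is an added example, not part of the course: a document's level is the highest level of any item it contains, need-to-know applies from Confidential upward, and a destination must be approved for the document's level. The destination ceilings are constructed assumptions for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """The four buckets, ordered so that max() picks the most sensitive one."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed example: the highest level each destination is approved to hold.
# These entries are assumptions for illustration, not a real policy table.
DESTINATION_CEILING = {
    "company-wiki": Level.INTERNAL,
    "hr-system": Level.CONFIDENTIAL,
    "payment-vault": Level.RESTRICTED,
}


def classify_document(item_levels):
    """Question 1: one restricted item makes the whole document restricted."""
    if not item_levels:
        raise ValueError("cannot classify an empty document")
    return max(item_levels)


def share_decision(item_levels, destination, recipient_needs_it):
    """Questions 2 and 3: need-to-know and an approved destination.

    Returns (allowed, reason). Public data may go anywhere; Internal data
    needs an approved destination; Confidential and Restricted data also
    require that the recipient needs it for their job.
    """
    level = classify_document(item_levels)
    if level == Level.PUBLIC:
        return True, "PUBLIC: shareable anywhere"
    if level >= Level.CONFIDENTIAL and not recipient_needs_it:
        return False, f"{level.name}: recipient has no need-to-know"
    ceiling = DESTINATION_CEILING.get(destination)
    if ceiling is None or level > ceiling:
        return False, f"{level.name}: destination {destination!r} is not approved for this level"
    return True, f"{level.name}: ok to share to {destination!r}"
```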
Why "we don't have classification" is a lie
Many companies say "we don't really do data classification." What they mean is "we don't have a formal policy." What's actually true is every employee implicitly classifies data all day by deciding what to share with whom on what tool. The choice is whether that's intentional and consistent, or accidental and inconsistent.
This course makes it intentional.
Knowledge check
A document contains a project plan (Internal level) and a single customer's social security number (Restricted level). What is the document's classification?