Data Classification

Visual Labeling

┌─────────────────────────────────────────┐
│ █ PUBLIC                                │  Green
├─────────────────────────────────────────┤
│ █ INTERNAL - For Internal Use Only     │  Blue
├─────────────────────────────────────────┤
│ █ CONFIDENTIAL - Authorized Only       │  Yellow
├─────────────────────────────────────────┤
│ █ RESTRICTED - Need-to-Know Only       │  Orange
├─────────────────────────────────────────┤
│ █ TOP SECRET - Strictly Controlled     │  Red
└─────────────────────────────────────────┘

Handling Requirements Matrix

By Classification Level

Data Flow Controls

Restricted Data Flow:
┌──────────────┐     Encrypted      ┌──────────────┐
│   Source     │ ───────────────▶  │ Destination  │
│   System     │                    │   System     │
└──────────────┘                    └──────────────┘
       │                                   │
       ▼                                   ▼
   Audit Log                           Audit Log
       │                                   │
       ▼                                   ▼
  ┌────────────────────────────────────────────┐
  │              SIEM / Monitoring              │
  └────────────────────────────────────────────┘

Classification Implementation

.NET Data Annotation Approach

// Classification attributes
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Class)]
public class DataClassificationAttribute : Attribute
{
    public DataClassification Level { get; }
    public string? DataCategory { get; set; }
    public string? RetentionPolicy { get; set; }
    public string[] RequiredRoles { get; set; } = Array.Empty<string>();

    public DataClassificationAttribute(DataClassification level)
    {
        Level = level;
    }
}

public enum DataClassification
{
    Public = 0,
    Internal = 1,
    Confidential = 2,
    Restricted = 3,
    TopSecret = 4
}

// Usage on domain models
public class Customer
{
    public Guid Id { get; set; }

    [DataClassification(DataClassification.Internal)]
    public string Name { get; set; } = string.Empty;

    [DataClassification(DataClassification.Restricted,
        DataCategory = "PII",
        RequiredRoles = new[] { "CustomerAdmin", "Support" })]
    public string Email { get; set; } = string.Empty;

    [DataClassification(DataClassification.Restricted,
        DataCategory = "PII",
        RetentionPolicy = "7years")]
    public string SocialSecurityNumber { get; set; } = string.Empty;

    [DataClassification(DataClassification.Confidential,
        DataCategory = "Financial")]
    public decimal CreditLimit { get; set; }
}

Classification-Based Access Control

public class ClassificationAuthorizationHandler
    : AuthorizationHandler<DataAccessRequirement, object>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        DataAccessRequirement requirement,
        object resource)
    {
        var classificationAttr = resource.GetType()
            .GetCustomAttribute<DataClassificationAttribute>();

        if (classificationAttr == null)
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        var userClearance = GetUserClearanceLevel(context.User);

        // User clearance must meet or exceed data classification
        if ((int)userClearance >= (int)classificationAttr.Level)
        {
            // Check role requirements if specified
            if (classificationAttr.RequiredRoles.Length > 0)
            {
                var hasRequiredRole = classificationAttr.RequiredRoles
                    .Any(r => context.User.IsInRole(r));

                if (hasRequiredRole)
                {
                    context.Succeed(requirement);
                }
            }
            else
            {
                context.Succeed(requirement);
            }
        }

        return Task.CompletedTask;
    }
}

Field-Level Encryption

public class ClassificationBasedEncryption
{
    private readonly IEncryptionService _encryptionService;

    public async Task<T> ProtectData<T>(T data, CancellationToken ct) where T : class
    {
        var properties = typeof(T).GetProperties()
            .Where(p => p.GetCustomAttribute<DataClassificationAttribute>() != null);

        foreach (var prop in properties)
        {
            var attr = prop.GetCustomAttribute<DataClassificationAttribute>()!;

            if (attr.Level >= DataClassification.Confidential)
            {
                var value = prop.GetValue(data) as string;
                if (!string.IsNullOrEmpty(value))
                {
                    var encrypted = await _encryptionService.Encrypt(value, ct);
                    prop.SetValue(data, encrypted);
                }
            }
        }

        return data;
    }
}

Data Discovery and Inventory

Automated Classification

public class DataDiscoveryService
{
    private readonly IRegexPatternMatcher _patternMatcher;

    public ClassificationSuggestion AnalyzeContent(string content)
    {
        var detections = new List<DataTypeDetection>();

        // Check for PII patterns
        if (_patternMatcher.ContainsPattern(content, PiiPatterns.SocialSecurityNumber))
            detections.Add(new DataTypeDetection("SSN", DataClassification.Restricted));

        if (_patternMatcher.ContainsPattern(content, PiiPatterns.CreditCard))
            detections.Add(new DataTypeDetection("Credit Card", DataClassification.Restricted));

        if (_patternMatcher.ContainsPattern(content, PiiPatterns.Email))
            detections.Add(new DataTypeDetection("Email", DataClassification.Confidential));

        if (_patternMatcher.ContainsPattern(content, PiiPatterns.PhoneNumber))
            detections.Add(new DataTypeDetection("Phone", DataClassification.Confidential));

        // Check for financial patterns
        if (_patternMatcher.ContainsPattern(content, FinancialPatterns.BankAccount))
            detections.Add(new DataTypeDetection("Bank Account", DataClassification.Restricted));

        // Determine highest classification
        var suggestedLevel = detections.Any()
            ? detections.Max(d => d.Classification)
            : DataClassification.Internal;

        return new ClassificationSuggestion
        {
            SuggestedLevel = suggestedLevel,
            Detections = detections,
            Confidence = CalculateConfidence(detections)
        };
    }
}

public static class PiiPatterns
{
    public static readonly string SocialSecurityNumber = @"\b\d{3}-\d{2}-\d{4}\b";
    public static readonly string CreditCard = @"\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b";
    public static readonly string Email = @"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b";
    public static readonly string PhoneNumber = @"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b";
}

Data Inventory Template

Data Inventory Entry:
  asset_id: DATA-001
  name: Customer Database
  description: Master customer records
  owner: Customer Service Department
  custodian: IT Operations
  location:
    - Azure SQL Database (prod-sql-001)
    - Daily backup to Azure Blob Storage
  data_categories:
    - PII (names, emails, addresses)
    - Financial (payment history, credit limits)
    - Behavioral (purchase history)
  classification: Restricted
  volume: ~2M records
  sensitivity_reason: Contains PII and financial data
  regulatory_requirements:
    - GDPR (EU customers)
    - CCPA (California customers)
  retention:
    active: Duration of customer relationship
    archived: 7 years after relationship ends
  access:
    roles:
      - CustomerAdmin (full access)
      - Support (read-only)
      - Analytics (anonymized only)
    mfa_required: true
    vpn_required: true
  encryption:
    at_rest: AES-256 (Transparent Data Encryption)
    in_transit: TLS 1.3
  backup:
    frequency: Daily
    retention: 30 days
    tested: Monthly
  last_review: 2025-01-15
  next_review: 2025-07-15

Data Lifecycle Management

Lifecycle Stages

┌─────────┐    ┌─────────┐    ┌─────────┐    ┌─────────┐    ┌─────────┐
│ Create  │───▶│  Store  │───▶│   Use   │───▶│ Archive │───▶│ Destroy │
└─────────┘    └─────────┘    └─────────┘    └─────────┘    └─────────┘
     │              │              │              │              │
     ▼              ▼              ▼              ▼              ▼
 Classify      Encrypt       Monitor        Restrict       Certify
   Label       Access Ctrl   Audit Log      Read-only      Disposal

Retention Policy Implementation

public class DataRetentionService
{
    private readonly IRetentionPolicyProvider _policies;
    private readonly IAuditLogger _auditLogger;

    public async Task ApplyRetentionPolicies(CancellationToken ct)
    {
        var policies = await _policies.GetActivePolicies(ct);

        foreach (var policy in policies)
        {
            var expiredData = await FindExpiredData(policy, ct);

            foreach (var item in expiredData)
            {
                switch (policy.Action)
                {
                    case RetentionAction.Archive:
                        await ArchiveData(item, policy, ct);
                        break;

                    case RetentionAction.Anonymize:
                        await AnonymizeData(item, policy, ct);
                        break;

                    case RetentionAction.Delete:
                        await SecureDelete(item, policy, ct);
                        break;
                }

                await _auditLogger.LogRetentionAction(item, policy, ct);
            }
        }
    }

    private async Task SecureDelete(DataItem item, RetentionPolicy policy, CancellationToken ct)
    {
        var classification = item.Classification;

        switch (classification)
        {
            case DataClassification.Public:
            case DataClassification.Internal:
                // Standard deletion
                await _repository.Delete(item.Id, ct);
                break;

            case DataClassification.Confidential:
                // Secure deletion with verification
                await _repository.SecureDelete(item.Id, ct);
                await VerifyDeletion(item.Id, ct);
                break;

            case DataClassification.Restricted:
            case DataClassification.TopSecret:
                // Cryptographic erasure + verification
                await _encryptionService.DestroyKey(item.EncryptionKeyId, ct);
                await _repository.SecureDelete(item.Id, ct);
                await VerifyDeletion(item.Id, ct);
                await GenerateDeletionCertificate(item, ct);
                break;
        }
    }
}

Disposal Certification

public class DisposalCertificate
{
    public required Guid CertificateId { get; init; }
    public required DateTimeOffset DisposalDate { get; init; }
    public required string DataDescription { get; init; }
    public required DataClassification Classification { get; init; }
    public required string DisposalMethod { get; init; }
    public required string PerformedBy { get; init; }
    public required string WitnessedBy { get; init; }
    public required string VerificationMethod { get; init; }
    public required bool VerificationPassed { get; init; }
    public string? Notes { get; init; }
}

Labeling and Tagging

Document Labeling

public class DocumentLabeler
{
    public async Task<LabeledDocument> ApplyLabel(
        Document document,
        DataClassification classification,
        CancellationToken ct)
    {
        var label = new ClassificationLabel
        {
            Level = classification,
            AppliedAt = DateTimeOffset.UtcNow,
            AppliedBy = _currentUser.Id,
            ExpiresAt = classification >= DataClassification.Confidential
                ? DateTimeOffset.UtcNow.AddYears(1)  // Require re-classification
                : null
        };

        // Add visual header/footer
        if (document.Type == DocumentType.Word || document.Type == DocumentType.PDF)
        {
            await AddVisualLabel(document, label, ct);
        }

        // Add metadata
        document.Metadata["classification"] = classification.ToString();
        document.Metadata["classification_date"] = label.AppliedAt.ToString("O");
        document.Metadata["classification_by"] = label.AppliedBy;

        // Apply protection
        if (classification >= DataClassification.Confidential)
        {
            await ApplyProtection(document, classification, ct);
        }

        return new LabeledDocument
        {
            Document = document,
            Label = label
        };
    }
}

Classification Policy Template

# Data Classification Policy

## 1. Purpose
Establish consistent data handling based on sensitivity.

## 2. Scope
All data created, collected, stored, or processed by [Organization].

## 3. Classification Levels

### 3.1 Public
Data intended for public disclosure.
- **Examples**: Marketing materials, press releases
- **Handling**: No special requirements

### 3.2 Internal
General business information.
- **Examples**: Policies, procedures, org charts
- **Handling**: Access limited to employees

### 3.3 Confidential
Business-sensitive information.
- **Examples**: Financial reports, contracts, strategies
- **Handling**: Need-to-know access, encryption required

### 3.4 Restricted
Highly sensitive, regulated data.
- **Examples**: PII, PHI, payment card data
- **Handling**: Strict access control, MFA, encryption, audit logging

## 4. Roles and Responsibilities

### Data Owner
- Assign classification level
- Approve access requests
- Review classification annually

### Data Custodian
- Implement technical controls
- Manage access permissions
- Monitor for violations

### All Employees
- Handle data per classification
- Report misclassification
- Protect sensitive data

## 5. Handling Requirements
[See matrix above]

## 6. Non-Compliance
Violations subject to disciplinary action.

## 7. Review
Policy reviewed annually.

Classification Checklist

Implementation

• Define classification levels
• Create handling requirements matrix
• Identify data owners
• Conduct data inventory
• Apply classifications to existing data
• Implement technical controls
• Train employees

Ongoing

• Annual classification review
• New data assessment
• Access review
• Control effectiveness testing
• Policy updates

Cross-References

• GDPR: gdpr-compliance for personal data
• HIPAA: hipaa-compliance for health data
• Security: security-frameworks for controls

Resources

• NIST SP 800-60
• ISO 27001 Annex A.8.2