Domain 2 of 6 · Chapter 5 of 8

Data Classification

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • The classification chain: policy, mapping, labeling
  • Writing the policy: sensitivity tiers and their drivers
  • Mapping and labeling: making the class travel with the data
  • Exam-pattern recognition: classification questions

Where the classification decision and the label come from

DimensionClassification policyData mappingData labeling
What it producesThe categories and the criteria for eachAn inventory tying each data type to its locations and flowsA tag physically bound to each object
The question it answersWhat classes exist and how to decide oneWhere does each class live and where does it moveWhat class is this specific object
Driven byRegulation, contracts, and business impact of disclosureDiscovery output plus jurisdiction and residency rulesThe policy criteria applied to real content
Who/what actsData owners and governance set it onceSecurity and data teams maintain the mapUsers, admins, or automated tools per object
Downstream consumerEverything below depends on itRetention, residency, and risk reportingIRM, DLP, access control, and retention enforcement

Decision tree

Mixed data?take the highest class presentRegulated data?PHI / card / special-category PIIRestrictedContract / NDA bound?or basic PIIConfidentialHarm if disclosed?business impact onlyInternalPublicYesNoYesNoYesNo

Cheat sheet

  • Classification runs policy, then mapping, then labeling
  • Discovery finds the data; classification decides what it is
  • Classify by impact of disclosure, not by where the data is stored
  • The data owner sets the class; the custodian enforces the controls
  • Keep the scheme to three or four clearly-triggered tiers
  • Regulation, contract, and business impact each force a class, and the highest wins
  • Mixed data takes the highest class present, not the average
  • Derived data inherits the source class until it is provably de-identified
  • Data mapping ties each class to its locations and cross-border flows
  • In the cloud, mapping must include provider regions and sub-processors
  • Labels reach objects three ways: user, administrator, and automated
  • A label only protects data if it is persistently bound to the object
  • The label is the hand-off to IRM, DLP, access control, and retention
  • Cloud object tags and resource labels are the key controls match against
  • Automated classification scales to unstructured data that humans cannot label by hand
  • Use a standardized classification schema with consistent key-value tags for accurate reporting
  • Classification labels go stale, so build periodic review into operations

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://www.isc2.org/certifications/ccsp/ccsp-certification-exam-outline
  2. https://csrc.nist.gov/pubs/sp/800/60/v1/r1/final
  3. https://csrc.nist.gov/pubs/fips/199/final