When I deliver AIP workshops for my customers, I regularly get asked whether I have a baseline for sensitivity labels. I always give the same answer: it depends on your needs and requirements. With this post, though, I want to show you how you can start your content classification.
First of all, you have to think about naming and description. At first glance this may seem quite obvious, but when your end users start working with those labels, they have to read the names and descriptions, and this information will help them a lot. So choose wisely and think twice.
My recommendation here is to make sure the name conveys the real purpose of the label and reflects the terminology that the company uses. Once you have this, half of your work is done. What you then need to do is create a description explaining the kind of content that falls under the classification.
So, what AIP levels am I creating? The following four:
The public classification label applies to information that is available to the general public and intended for distribution outside an organization. This information may be freely distributed without risk of harm. Any information that is produced for public consumption, such as news releases, job announcements, and sales brochures, is a good example.
The internal classification label applies to information that is used in business processes, and the unauthorized disclosure, modification or destruction of which is not expected to seriously affect the organization, customers, employees or business partners. Any information that is used in routine business matters, such as internal policy manuals and company phone lists, is a good example.
The confidential classification label applies to information that is used in sensitive business processes, the unauthorized disclosure, modification or destruction of which will adversely affect an organization, its customers, employees or business partners. Examples of sensitive information include intellectual property, contract negotiations, most personnel matters, personally identifiable information, protected health data, bank account numbers and payment card information of customers and employees.
The confidential classification label applies to information that is used in extremely sensitive business processes, the unauthorized disclosure, modification or destruction of which would seriously harm the organization, its customers, employees or business partners. Examples for health organizations include medical records relating to mental health, sexually transmitted diseases… Examples for other organizations include documents used in mergers, strategic plans and litigation.