Define data classification schemes as a formal access control methodology used to assign a level of confidentiality to an information asset, restricting the number of people who can access it.
Point out examples of data classification categories: confidential, internal, and public. Mention that any classification method must be specific enough to enable determination of priority levels.
Discuss data classification and management.
Corporate and military organizations use a variety of data classification schemes.
The typical information classification scheme has three categories:
Confidential: Used for corporate information that must be tightly controlled, even within the company. Access to this information is strictly on a need-to-know basis or as required by the terms of a contract.

Internal: Used for internal information that does not meet the criteria for the confidential category. It is to be viewed only by corporate employees, authorized contractors, and other third parties.
External: This includes all information that has been approved by management for public release.
Many developments in data communications and information security are the result of government-sponsored research. For most information, the government uses a three level classification scheme: Confidential, Secret, and Top Secret.
Federal agencies such as the FBI and CIA also use specialty classification schemes, like Need-to-Know and Named Projects.
Most organizations do not need the detailed level of classification used by the military or federal agencies.
Describe security clearances.
The other side of the data classification scheme is the personnel security clearance structure. For each user of data in the organization, a single level of authorization must be assigned that indicates the level of classification he or she is authorized to view.
Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know standard. This extra level of protection ensures that the confidentiality of information is properly maintained.
Discuss the management of classified data.
Management of classified data includes its storage, distribution, transportation, and destruction.
Information that is not unclassified or public must be clearly marked as such. Use Figure 5-5 in your explanation.
When classified data is stored, it must be available only to authorized individuals.
When an individual carries classified information, it should be transported via inconspicuous means, such as in a locked briefcase or portfolio.

The clean desk policy requires employees to secure all information in appropriate storage containers at the end of each day.
When copies of classified information are no longer valuable or excessive copies exist, proper care should be taken to destroy them by means of shredding, burning, or transferring to an authorized document destruction service.
It is important to enforce policies to ensure that no classified information is disposed of in trash or recycling areas since some individuals would not hesitate to engage in dumpster diving to retrieve information that could embarrass an organization or compromise information security.