What Is A Data Classification Matrix
A Data Classification Matrix is a tool that is used to organize and classify different types of data according
to their importance, sensitivity, and confidentiality. The matrix is a grid-like structure that categorizes data
into different levels based on their risk level and assigns corresponding security controls to each level.
Typically, data is classified into four categories: public, internal, confidential, and restricted. Each category
has a specific set of access controls, authentication requirements, and authorization restrictions. The
matrix helps organizations to manage and protect their sensitive data by applying appropriate security
measures based on the data’s classification level.
Description
  Public: Data that is freely available and accessible to the general public. This type of data can include government publications, open access research papers, census data, and other freely available datasets.
  Internal: Data that is generated and owned by an organization or its employees. This may include sales figures, customer data, financial records, and other sensitive information that is not intended for public consumption.
  Confidential: Data that is strictly protected and only accessible to authorized individuals. This may include PII, trade secrets, financial information, or any information that could cause harm if compromised.
  Restricted: Data that is highly sensitive and should only be accessed by authorized personnel on a need-to-know basis. It includes data that, if compromised, could cause significant harm to an organization or individuals.

Access Rights
  Public: No restrictions or access controls, available to anyone.
  Internal: Limited access to certain individuals or groups within the organization.
  Confidential: Access only granted to those with a legitimate need to know, such as authorized employees or contractors.
  Restricted: Highly sensitive data with strict access controls, available only to a select few top-level employees or executives.

Impact
  Public: A breach of public data will not harm individuals or the organization.
  Internal: The publication of this data may cause some inconvenience.
  Confidential: In the event that this information falls into the wrong hands, the consequences may result in losses that are not deemed crucial to the business.
  Restricted: The impact of this data being revealed to the public can be devastating to the company and possibly its customers.
Examples
  Public: Government publications and reports; Census data; Land records and property deeds; Court records and judgments; Press releases and news articles; Company annual reports; Whitepapers and research studies; Social media posts and profiles that are set to public; Weather and traffic data; Publicly available financial statements of companies.
  Internal: Employee records; Financial data; Operational data; Intellectual property; Research and development; HR-related data; Marketing data; Legal documents; IT infrastructure and network information; Administrative data.
  Confidential: Financial data; Medical records; Legal documents; Trade secrets; Intellectual property; Military information; Government secrets; Personal identifiable information; Diplomatic cables; Classified research data.
  Restricted: Social Security Numbers (SSNs); Credit Card Information; Passwords; Classified Government Information; Medical Records; Criminal Records; Financial Statements; Trade Secrets; Intellectual Property; Personal Identifiable Information (PII); Confidential Legal Documents; Proprietary Software Code.
Additional Security Considerations
  Public: No security measures are required to access public data. However, it should be protected against unauthorized modification and deletion. For example, backups and logs should be maintained to provide data integrity and availability.
  Internal: In addition to access controls, monitoring, logging, and encryption should be implemented to protect internal data.
  Confidential: In addition to access controls, data loss prevention software and encryption should be implemented to protect confidential data from unauthorized use, storage, modification, and disclosure.
  Restricted: Restricted data is protected by additional layers of security, including multi-factor authentication, encryption, monitoring, and specialized access controls. Data should be stored on a server with high-level security and restricted to a small group of senior staff.

Audit Controls
  Public: No audit controls required.
  Internal: It may be necessary to conduct some form of monitoring or review.
  Confidential: The task of monitoring and evaluating the system for misuse is assigned to data stewards. They must report any anomalous activities to their superiors based on the severity of the incident.
  Restricted: The duty of data stewards involves monitoring and evaluating the system for any possible instances of misuse or unauthorized entry. To address any issues promptly, a contingency plan must be in place.
Define your objectives: Defining a goal is crucial before creating a classification matrix. Each data type
should be mapped to the correct class, reducing the risk to sensitive information in the event of a security
breach.
Define the Scope: To effectively regulate data, it’s important to define the scope of the matrix. This
ensures that only the data you want to regulate is classified.
Assign Responsibilities: Assigning ownership to data makes it easier to classify. Defining ownership
becomes simpler once the scope of the matrix is established.
Assign Safety Grades: There are generally three to four safety grades based on the risk level of the
data. Companies can add more safety grades as needed, but it’s best to keep the classification matrix
simple.
Assign Safety Measures: Typically, three to four safety ratings are assigned based on the degree of
risk. Businesses may have additional ratings based on their specific needs. Nevertheless, it is advisable
to avoid overcomplicating the data classification system.
Keep Your Matrix Up-To-Date: Since data changes over time, its risk level can change as well. Therefore,
its safety grades and measures should be regularly reviewed and updated.
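The matrix and the steps above can be expressed as a check over a data inventory. The following is an added example, not part of the original article: it flags assets whose controls fall short of their class, that have no owner, or whose classification review is overdue. The control names, the Asset fields, the 365-day review interval and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Controls per level, taken from the "Additional Security Considerations" row.
REQUIRED_CONTROLS = {
    "public": {"backups", "logging"},
    "internal": {"access_controls", "monitoring", "logging", "encryption"},
    "confidential": {"access_controls", "dlp", "encryption"},
    "restricted": {"mfa", "encryption", "monitoring", "access_controls"},
}
MAX_REVIEW_AGE_DAYS = 365  # assumption: the article only says "regularly"

@dataclass
class Asset:
    name: str
    level: str
    owner: Optional[str]
    controls: set
    last_reviewed: date

def audit(assets, today):
    """Return {asset name: [findings]} for assets that deviate from the matrix."""
    findings = {}
    for a in assets:
        issues = []
        required = REQUIRED_CONTROLS.get(a.level.lower())
        if required is None:
            issues.append(f"unknown classification '{a.level}'")
        else:
            missing = sorted(required - a.controls)
            if missing:
                issues.append("missing controls: " + ", ".join(missing))
        if not a.owner:
            issues.append("no data owner assigned")
        if (today - a.last_reviewed).days > MAX_REVIEW_AGE_DAYS:
            issues.append("classification review overdue")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample inventory (hypothetical assets, not from the article).
SAMPLE = [
    Asset("press-releases", "Public", "comms", {"backups", "logging"}, date(2024, 3, 1)),
    Asset("hr-records", "Internal", "hr", {"access_controls", "logging"}, date(2024, 1, 15)),
    Asset("customer-pii", "Confidential", None, {"access_controls", "encryption", "dlp"}, date(2022, 5, 1)),
    Asset("card-data", "Restricted", "finance", {"encryption", "access_controls", "monitoring"}, date(2024, 2, 1)),
    Asset("legacy-share", "Secret", "it", set(), date(2024, 1, 1)),
]
```

Calling audit(SAMPLE, date(2024, 6, 1)) returns findings for every asset except press-releases, which meets the Public row of the matrix.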
If you’d like to see how the Lepide Data Security Platform can help you discover and classify your
sensitive data, schedule a demo with one of our engineers or start your free trial today.
Anna Szentgyorgyi-Siklosi
Anna is an experienced Customer Success Manager with a demonstrated history of working in the SaaS
industry. She is currently working to ensure that Lepide customers achieve the highest level of customer
service.