Information Classification


As part of an organization’s approach to preparing and maintaining an effective information security posture, it is necessary to determine which information needs to be protected and the level of that protection. Once this determination is made, the information can be appropriately classified.

The key to the classification process is the realization that not all information stored by the organization is sensitive. For example, how an organization treats the security of information related to the company picnic should differ substantially from how the organization treats the security of information related to the company’s finances. Classification of information determines which controls will be implemented when it comes to addressing the pillars of the CIA Triad or any other information security framework.

Organizations are increasingly able to use machine learning technologies to automatically classify and protect information. For example, products such as Azure Information Protection allow for the automatic classification and protection of data based on the evolving properties of that data. If Azure Information Protection is implemented and if a user types a credit card number into an Excel spreadsheet, the number is recognized as a credit card number, an appropriate classification is determined by the Azure Information Protection Agent, and an information protection template will automatically be applied.

While it is possible to manually classify information, automatic information classification mechanisms, especially those that utilize machine learning, have the advantage of being more consistent. It's also possible to automatically reclassify information should a systematic classification error be uncovered, a task that, done manually, would be as laborious and potentially error-prone as manually classifying the information in the first place.

One of the keys to successfully implementing an information classification schema is to keep the classification rules relatively simple and to seek feedback from stakeholders within the organization who are deeply familiar with the properties of the information being classified. A simple classification scheme is more readily understood. Classification categories can often easily be extended if the existing schema is found to be too simplistic. Classification schemes should also be tested with small groups before being used more widely within the organization.

Once information is appropriately classified, organizations can then apply security controls to that information based on the classification. For example, information that is labeled “unclassified” has few security controls applied, and information labeled “legally sensitive” has stricter security controls applied.
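
The flow described above (recognize a credit card number in content, choose a classification, apply the controls tied to that classification) can be sketched as a small rule-based classifier. This is an added example, not code from the course and not how Azure Information Protection is implemented; the "financial" label, the control names, the keyword list and the sample text are assumptions made for illustration.

```python
import re

# Hypothetical label -> controls table. Only "unclassified" and "legally
# sensitive" are named in the article; "financial" and the controls are assumed.
CONTROLS = {
    "unclassified": [],
    "financial": ["encrypt-at-rest", "restrict-sharing"],
    "legally sensitive": ["encrypt-at-rest", "restrict-sharing", "audit-access"],
}
ORDER = ["unclassified", "financial", "legally sensitive"]  # least to most strict

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
LEGAL_RE = re.compile(r"\b(attorney[- ]client|privileged|litigation hold)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text: str) -> bool:
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def classify(text: str) -> str:
    """Return the strictest label whose rule matches the content."""
    matches = ["unclassified"]
    if has_card_number(text):
        matches.append("financial")
    if LEGAL_RE.search(text):
        matches.append("legally sensitive")
    return max(matches, key=ORDER.index)

def controls_for(text: str) -> list:
    return CONTROLS[classify(text)]

if __name__ == "__main__":
    # Constructed sample content; 4111 1111 1111 1111 is a well-known test number.
    samples = [
        "Company picnic is on 12 June, bring a dish",
        "Order ref 1234 5678 9012 3456",            # fails Luhn, not a card
        "Card on file: 4111 1111 1111 1111",
        "Privileged memo re: card 4111-1111-1111-1111",
    ]
    for s in samples:
        print(f"{classify(s):18} {controls_for(s)}  <- {s}")
```

Because the rules and the label table are data, correcting a systematic error means editing a rule and re-running `classify` over the stored content, and extending the scheme means adding a label to `ORDER` and `CONTROLS`.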

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security

Created by
FutureLearn - Learning For Life