Data classification standard

The Data Classification Standard requires departments to categorize and label or mark data per classification levels and review classification of data on a regular basis.

Purpose and scope

This Data Classification Standard (Standard) is an implementing standard of the forthcoming Data Policy and Citywide Cybersecurity Policy.

The provisions of this Standard apply to the City and County of San Francisco (City) and its component departments, agencies, offices, commissions and other governmental units (departments). All employees and other data users (defined below) are responsible for adhering to this Standard.

This Standard does not alter public information access requirements. California Public Records Act or the San Francisco Sunshine Ordinance requests and other legal obligations may require disclosure or release of data from any classification.

Requirements

Departments must:

  1. Categorize and label or mark data per the classification levels in Table 2 below as part of the annual data inventory process set out in the Data Policy. Where a range of data classes are held within a single system, Departments should prioritize classifying the system (not individual datasets) according to the highest classification of data held within it. However, this should not hinder the security objective of “availability” as set out in Table 1 below.

  2. Review classification of data on a regular basis, but no less than annually as part of the annual data inventory process set out in the Data Policy.

  3. Review and modify the data classification as appropriate when the data is de-identified, combined or aggregated.

Departments should follow the guidelines below when using this Standard:

  1. Appendix A, which provides a step-by-step procedure for classifying data according to this data classification scheme.

  2. Appendix B, which provides examples of data in each classification level.

Once data is classified, Departments should refer to:

  1. The Citywide Cybersecurity Policy and its associated standards for the risk assessment framework and methodology to select appropriate security controls for the classes of data they collect and maintain.

  2. The Data Policy and its associated standards for data management and privacy principles that apply to the classes of data they collect and maintain.

 

Approved October 27, 2017

Documents

COIT Data Classification Standard - download full policy document