Information and Asset Classification
What the Exam Is Really Testing
A database administrator asks you whether the customer mailing list should be encrypted at rest. Before you can answer that, you need to know something more fundamental: how is that data classified?
Classification is the decision that drives every other protection decision. Without it, you are guessing at controls.
This module covers CISSP exam objective 2.1: identify and classify information and assets. ISC2 does not want you to memorize classification labels. They want to see that you understand why classification exists, who is responsible for it, what criteria drive the decision, and what happens when classification changes over time.
Government Classification Schemes
Government classification is based on national security impact — how much damage would unauthorized disclosure cause?
- Top Secret — Disclosure could cause exceptionally grave damage to national security. Access requires the highest level of clearance and a demonstrated need-to-know.
- Secret — Disclosure could cause serious damage to national security. Most classified military and intelligence information falls here.
- Confidential — Disclosure could cause damage to national security. This is the lowest classified level.
- Unclassified — Not classified, but not necessarily public. Subcategories like Controlled Unclassified Information (CUI) and For Official Use Only (FOUO) restrict distribution without formal classification.
The exam expects you to know these levels in order and to recognize that the classification authority — the person who originally classifies the information — or an authority that person formally designates is the only one who can change it.
Commercial Classification Schemes
Private-sector organizations build their own schemes, but they typically follow a four-tier pattern:
- Confidential (or Restricted) — The most sensitive commercial data. Exposure could cause significant financial loss, legal liability, or competitive damage. Trade secrets, M&A plans, and unreleased financial results live here.
- Private (or Internal Only) — Data meant for internal use that would not cause severe harm if disclosed, but should not be shared externally. Employee directories, internal policies, and organizational charts are examples.
- Sensitive — Information requiring some protection beyond normal handling. Customer contact information or non-public operational data falls in this tier.
- Public — Information approved for external release. Marketing materials, published financial statements, and press releases are examples.
Organizations are not required to use these exact labels. What matters for the exam is understanding the principle: classification tiers exist to match protection effort to information value.
Classification Criteria
When deciding how to classify a piece of information, four factors drive the decision:
- Value — What is this information worth to the organization? What would a competitor pay for it? Value is the most common classification driver in commercial settings.
- Sensitivity — What harm results from unauthorized disclosure? This applies to personal data, health records, and financial information where disclosure has direct consequences for individuals.
- Criticality — How important is this information to ongoing operations? Data that, if lost or corrupted, would halt business processes is classified higher for availability and integrity reasons.
- Legal requirements — Do regulations mandate specific protections? HIPAA, GDPR, PCI DSS, and similar frameworks may dictate minimum classification levels regardless of the organization’s own assessment.
On the exam, when a question asks what should determine the classification level, look for the answer that references the potential impact of disclosure or loss — not the technical format or storage location of the data.
Information Owner Responsibilities
The information owner (sometimes called the data owner) is a senior manager or executive who bears ultimate responsibility for a particular data set. This is not the person who manages the database or the one who uses the data daily. It is the business leader who can make risk decisions about that data.
The information owner’s responsibilities include:
- Determining the classification level of the information
- Defining who is authorized to access the information
- Reviewing and approving access requests
- Ensuring appropriate controls are in place (typically by delegating to a custodian)
- Periodically reviewing the classification to confirm it is still appropriate
- Authorizing declassification when conditions change
The exam draws a clear line between owner and custodian. The owner decides what protection the data needs. The custodian (typically IT operations) implements those protections. When a question asks who is responsible for classification, the answer is the owner — never the custodian, the user, or the security team.
Classification Procedures
Classification is not a one-time event. It follows a lifecycle:
1. Identify the information asset — Catalog what data exists, where it resides, and in what formats.
2. Assign an owner — Every data set needs a named individual accountable for its classification.
3. Apply classification criteria — Evaluate value, sensitivity, criticality, and legal requirements.
4. Label and mark — Apply classification labels to documents, files, media, and systems containing the data.
5. Apply handling procedures — Match controls to the classification level (storage, transmission, access, destruction).
6. Review periodically — Reclassify as business conditions, regulations, or threats change.
The most common governance failure is step 6 — organizations classify data once and never revisit the decision. Stale classifications lead to over-protection (wasting resources) or under-protection (accepting unrecognized risk).
Declassification
Information does not stay at the same classification level forever. Declassification reduces the classification level when the original justification no longer applies.
- In government settings, declassification follows formal schedules. Executive Order 13526 sets automatic declassification at 10, 25, or 50 years depending on the category, unless an agency requests an exemption.
- In commercial settings, declassification typically occurs when a product launches (making pre-release data no longer sensitive), a patent is published, or a legal hold expires.
- Only the information owner or a designated authority can declassify. Users and custodians cannot decide on their own that data is no longer sensitive.
The exam may test declassification by presenting a scenario where someone other than the owner downgrades data. The correct answer is always that declassification requires owner authorization.
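The criteria, lifecycle, and declassification rules in the sections above can be turned into enforceable logic rather than left as policy prose. The following Python sketch is an added illustration written for this study note; it is not part of the guide and not any ISC2 or vendor tool. The four-tier names, the "none/low/medium/high" impact scale, the role names (cmo, dba, vp_marketing), the asset names, and the dates are all constructed assumptions. It encodes three rules: the strictest criterion sets the tier, only the owner or a designated alternate may change a label (downgrades included), and overdue reviews are flagged so stale classifications are revisited.

```python
"""Added example: a minimal classification-governance model (constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Tier(IntEnum):
    """Commercial four-tier scheme, ordered so max() yields the stricter tier."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Constructed scale: each criterion is rated none/low/medium/high.
_IMPACT_TO_TIER = {"none": Tier.PUBLIC, "low": Tier.SENSITIVE,
                   "medium": Tier.PRIVATE, "high": Tier.CONFIDENTIAL}


def classify(value: str, sensitivity: str, criticality: str, legal: str) -> Tier:
    """Apply the four criteria; the strictest single criterion wins.

    A legal mandate can raise the result but never lower it, because max()
    never returns less than any one input.
    """
    return max(_IMPACT_TO_TIER[i] for i in (value, sensitivity, criticality, legal))


@dataclass
class Asset:
    name: str
    owner: str                                    # accountable business leader
    tier: Tier
    last_review: date
    alternates: set = field(default_factory=set)  # formally designated stand-ins
    containers: list = field(default_factory=list)


class AuthorizationError(Exception):
    """Raised when a non-owner tries to set or change a classification."""


def reclassify(asset: Asset, actor: str, new_tier: Tier, today: date) -> Asset:
    """Change a label only if the actor holds owner authority.

    Custodians (DBAs, IT operations) and users are rejected no matter how
    well they know the data. Downgrades go through the same gate as upgrades.
    """
    if actor != asset.owner and actor not in asset.alternates:
        raise AuthorizationError(
            f"{actor} is not the owner or a designated alternate of {asset.name}")
    asset.tier = new_tier
    asset.last_review = today   # a decision by the owner counts as a review
    return asset


def copy_to_container(asset: Asset, container: str) -> Tier:
    """The label travels with the data: any container inherits the tier."""
    asset.containers.append(container)
    return asset.tier   # a CONFIDENTIAL list on a USB drive is still CONFIDENTIAL


def overdue_reviews(assets, today: date, period=timedelta(days=365)) -> list:
    """Names of assets whose periodic review (lifecycle step 6) is past due."""
    return [a.name for a in assets if today - a.last_review > period]


def demo() -> dict:
    """Constructed walk-through of the scenarios in Questions 1 and 2."""
    today = date(2024, 6, 1)
    # Mailing list compiled from public sources: aggregated value and
    # privacy law still push it above PUBLIC.
    mailing_list = Asset(
        name="customer_mailing_list", owner="cmo",
        tier=classify("medium", "medium", "low", "medium"),
        last_review=date(2023, 1, 1), alternates={"vp_marketing"})
    rnd_db = Asset("rnd_database", "vp_engineering", Tier.CONFIDENTIAL, date(2023, 3, 1))
    results = {"initial_tier": mailing_list.tier}
    try:   # the DBA (a custodian) attempts to downgrade the list to PUBLIC
        reclassify(mailing_list, "dba", Tier.PUBLIC, today)
        results["dba_denied"] = False
    except AuthorizationError:
        results["dba_denied"] = True
    # The owner's designated alternate performs the annual review, tier unchanged.
    reclassify(mailing_list, "vp_marketing", mailing_list.tier, today)
    results["tier_on_usb"] = copy_to_container(mailing_list, "usb-drive")
    results["overdue"] = overdue_reviews([mailing_list, rnd_db], today)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `reclassify` is the only path that writes `asset.tier`, so the owner check cannot be bypassed by a helpful custodian, and `copy_to_container` never consults the container when reporting the tier, which is the "classification follows the data" rule made concrete.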
Pattern Recognition
Classification questions on the CISSP follow recognizable structures:
- Who classifies? — The information owner. Not the custodian, not IT, not the security team.
- What drives classification? — Impact of disclosure or loss. Not the file format, storage medium, or department.
- Government vs. commercial — Government classification is about national security damage. Commercial classification is about business impact and legal obligations.
- Over-classification vs. under-classification — Both are problems. Over-classification wastes resources and reduces productivity. Under-classification exposes the organization to unnecessary risk.
Trap Patterns
Watch for these on the exam:
- “The IT department should classify the data” — IT is the custodian, not the owner. Classification is a business decision, not a technical one.
- “Classify based on the storage system” — Classification follows the data, not the container. A Top Secret document on a USB drive is still Top Secret.
- “All data should be classified at the highest level” — Over-classification is a governance failure. It increases costs and makes the classification system meaningless.
- “Users can decide what level of protection they need” — Users handle data according to its classification; they do not set the classification.
Scenario Practice
Question 1
A financial services company is creating its data classification policy. The chief marketing officer asks whether the customer mailing list should be classified as “Public” since the names and addresses were collected from publicly available sources.
What is the BEST response?
A. Agree — since the source data is public, the compiled list is also public
B. Classify based on the aggregated value and applicable privacy regulations, not the original source
C. Let the IT department determine the classification based on where the data is stored
D. Classify it as the highest level to avoid any risk of exposure
Answer & reasoning
Correct: B
Data classification is based on value, sensitivity, criticality, and legal requirements — not on where the data originally came from. A compiled customer list has aggregated value (competitive intelligence) and may be subject to privacy regulations. The classification should reflect those factors.
Public source does not mean public classification (A). IT does not classify data (C). Blanket highest classification wastes resources (D).
Question 2
An organization’s data classification policy requires annual reviews. During a review, the information owner for the R&D database is unavailable due to a leave of absence. The database administrator offers to perform the review to stay on schedule.
What should the security team recommend?
A. Allow the database administrator to complete the review since they understand the data
B. Skip the review this year and resume when the owner returns
C. Have a designated alternate or the owner’s manager perform the review
D. Automatically renew the current classification for another year
Answer & reasoning
Correct: C
Classification reviews are the owner’s responsibility, but organizations should have succession plans for governance activities. A designated alternate or the owner’s management chain can perform the review. The database administrator is a custodian and cannot make classification decisions.
Skipping reviews (B) and automatic renewal (D) both bypass the governance requirement. The DBA (A) lacks the authority.
Question 3
A government agency is planning to release historical intelligence reports that are 30 years old. The reports were originally classified as Secret. An analyst recommends publishing them on the agency’s website after redacting names of living individuals.
Who must authorize this action?
A. The analyst who reviewed the documents
B. The agency’s public affairs officer
C. The original classification authority or a designated declassification authority
D. The agency’s chief information officer
Answer & reasoning
Correct: C
Declassification of government information requires the original classification authority (OCA) or a formally designated declassification authority. No one else — regardless of their role or seniority — can unilaterally declassify information. Redaction decisions must also be made within this authority chain.
Key Takeaway
Classification is not a technical exercise — it is a management decision. The information owner decides the level based on impact, not based on where data lives or what format it takes. Every protection control that follows (encryption, access restrictions, handling procedures, destruction methods) traces back to that one classification decision. If the classification is wrong, everything downstream is wrong too.