Domain 2 · Lesson 1 of 5

Data Classification & Asset Inventory

Theory

Asset Types

An asset is anything of value to an organization. The six primary asset types are: information (data), software (applications, OS), hardware (servers, laptops), physical (facilities, cables), services (cloud, utilities), and people (skills, knowledge). All require classification and protection.

Government Classification Levels

Used in military and government contexts — from highest to lowest sensitivity:

Level | Description
Top Secret | Unauthorized disclosure could cause exceptionally grave damage to national security
Secret | Serious damage to national security
Confidential | Damage to national security
SBU (Sensitive but Unclassified) | Sensitive but not classified (e.g., For Official Use Only)
Unclassified | No expected damage; can be released publicly

Commercial Classification (FinTech Company X Context)

Level | Vietnamese label | FinTech Company X Examples
Restricted | Tuyệt mật | Customer PII (CCCD, biometrics, credit scores), AML results
Confidential | Bí mật | Loan application data, credit decisions, partner API keys, signed PDFs
Internal | Nội bộ | Architecture docs, runbooks, internal APIs, deployment configs
Public | Công khai | Marketing content, public API docs, job postings

Classification Criteria

  • Sensitivity: What harm results if this data is disclosed without authorization?
  • Criticality: How important is this data to operational continuity?
  • Regulatory requirement: What law or standard governs this data? (Decree 13/2023, DPA 2012, PCI-DSS)

Asset Inventory & CMDB

"You can't protect what you haven't inventoried." A CMDB (Configuration Management Database) tracks all assets, their relationships, owners, and classifications. Asset inventory must be completed before classification can occur.

Classification process: Identify asset → Determine classification → Label → Apply controls → Review periodically

Over- vs Under-Classification

  • Over-classification: Wastes money — applies expensive controls to data that doesn't need them
  • Under-classification: Creates compliance risk and data breach exposure — insufficient controls for sensitive data

Key Terms

Data Classification — process of assigning sensitivity levels to data to determine required controls
Top Secret — highest government classification; exceptionally grave damage if disclosed
Restricted — highest commercial classification; most sensitive data (PII, biometrics)
Confidential — commercial level; sensitive business data needing protection
Internal — commercial level; internal-only, not for public disclosure
Public — lowest commercial level; approved for public release
CMDB — Configuration Management Database; tracks all assets and their properties
Asset Inventory — complete catalog of all organizational assets; prerequisite for classification
Sensitivity — measure of harm if data is disclosed without authorization
Criticality — measure of importance of data/asset to operational continuity

Exam Tips

Tip 1 — Classification Drives Controls
Classification is the foundation of security. If you don't classify, you don't know which controls to apply. CISSP questions often present a scenario where lack of classification leads to security failures.

Tip 2 — Government vs Commercial Labels
Government uses: Top Secret / Secret / Confidential / SBU / Unclassified. Commercial uses: Restricted / Confidential / Internal / Public. Don't confuse "Confidential" — it means different things in each schema. In government, Confidential is 3rd highest; in commercial, it's typically 2nd highest.

Tip 3 — Inventory Before Classification
Asset inventory MUST come before classification. You cannot classify assets you haven't identified. CMDB is the tool for maintaining the inventory.

Tip 4 — Periodic Review Required
Classification is not a one-time event. Data may become less sensitive over time (e.g., a product launch plan becomes Public after the launch). Policies should mandate periodic reclassification reviews.

Work Application — FinTech Company X

Action Item: Create a data asset register for Platform C: list all data types (customer PII, credit scores, biometrics, card tokens, audit logs, configs), classify each using the commercial schema, assign Data Owner (CTO), Data Custodian (Hoa), and specify required controls per classification level.

Data Type | Classification | Key Control
Customer PII (CCCD, phone, address) | Restricted | AES-256-CTR (Platform C), Decree 13/2023 consent
Biometric data (eKYC Vendor) | Restricted | DPA with eKYC Vendor, separate encrypted store
Credit scores & AML results | Restricted | Need-to-know RBAC, audit trail
Loan application data | Confidential | Encrypted at rest & in transit, DPA/NDA with partners
Signed PDFs (GCS) | Confidential | GCS encryption, access-controlled bucket
Card tokens (no PAN) | Confidential | PCI-DSS tokenization; PAN never stored
Architecture docs & runbooks | Internal | Internal access only, Git repo controls
Audit logs | Confidential | Immutable log store, SIEM access controlled
Public API docs & marketing | Public | Standard web controls, no sensitive data
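As an added example (not part of the lesson), the classification process, the over/under-classification check and the Platform C register above expressed as a small Python data-asset register: each asset records its Data Owner, Data Custodian and the label the team declared; derive_level applies a decision rule built from the Classification Criteria (sensitivity, then regulatory requirement, then release approval), classification_gap flags under- or over-classification, and missing_controls lists what the derived level still requires. The decision rule, the control identifiers and the sample rows are assumptions constructed for this example, not Platform C's real register.

```python
from dataclasses import dataclass, field

LEVELS = ["Public", "Internal", "Confidential", "Restricted"]  # lesson schema, lowest -> highest
# Baseline controls per level, modelled on the Platform C register (identifiers are illustrative).
CONTROLS = {
    "Public": set(),
    "Internal": {"access_control"},
    "Confidential": {"access_control", "encrypt_at_rest", "encrypt_in_transit"},
    "Restricted": {"access_control", "encrypt_at_rest", "encrypt_in_transit",
                   "need_to_know_rbac", "audit_trail", "separate_store_or_dpa"},
}

@dataclass
class DataAsset:
    name: str
    owner: str                        # Data Owner (e.g. CTO)
    custodian: str                    # Data Custodian
    declared_level: str               # label the team currently applies
    personal_data: bool = False       # PII, biometrics, credit scores, AML results
    regulated_by: set = field(default_factory=set)   # e.g. {"PCI-DSS"}
    business_sensitive: bool = False  # credit decisions, partner keys, contracts
    public_release_approved: bool = False
    implemented_controls: set = field(default_factory=set)

def derive_level(asset: DataAsset) -> str:
    """Assumed rule: sensitivity first, then regulatory scope, then release approval."""
    if asset.personal_data:
        return "Restricted"
    if asset.regulated_by or asset.business_sensitive:
        return "Confidential"
    return "Public" if asset.public_release_approved else "Internal"
def classification_gap(asset: DataAsset) -> str:
    """'under' if the declared label is weaker than the derived level, 'over' if stronger."""
    declared, derived = LEVELS.index(asset.declared_level), LEVELS.index(derive_level(asset))
    return "under" if declared < derived else "over" if declared > derived else "ok"
def missing_controls(asset: DataAsset) -> set:
    """Controls the derived level requires that the asset does not yet implement."""
    return CONTROLS[derive_level(asset)] - asset.implemented_controls
def review_register(assets) -> list:
    """One review row per asset: (name, derived level, gap, sorted missing controls)."""
    return [(a.name, derive_level(a), classification_gap(a), sorted(missing_controls(a)))
            for a in assets]

# Constructed sample register (not Platform C's real data).
SAMPLE = [
    DataAsset("Biometric data (eKYC)", "CTO", "Hoa", "Confidential", personal_data=True,
              implemented_controls={"access_control", "encrypt_at_rest"}),
    DataAsset("Card tokens (no PAN)", "CTO", "Hoa", "Confidential", regulated_by={"PCI-DSS"},
              implemented_controls={"access_control", "encrypt_at_rest", "encrypt_in_transit"}),
    DataAsset("Runbooks", "CTO", "Hoa", "Restricted", implemented_controls={"access_control"}),
]
```

Running review_register(SAMPLE) shows the biometric row as under-classified with four controls missing, the card-token row as correctly labelled, and the runbooks row as over-classified.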

Practice Questions

Q1. On Platform C, customer biometric data (facial recognition via eKYC Vendor) should be classified at which commercial level?

A) Public   B) Internal   C) Confidential   D) Restricted

✓ D) Restricted
Biometric data is among the most sensitive personal data — disclosure can cause irreversible harm (unlike passwords, biometrics cannot be changed). Under Decree 13/2023 (VN) and DPA 2012 (PH), biometric data receives the highest protection classification. It must be stored under a separate DPA with eKYC Vendor and encrypted with the strongest available controls.

Q2. Which classification error creates the greatest compliance and breach risk?

A) Over-classification   B) Under-classification   C) Mis-labeling   D) Late classification

✓ B) Under-classification
Under-classification assigns weaker controls than the data actually needs, leaving sensitive data insufficiently protected. This creates compliance violations (Decree 13/2023, DPA 2012, PCI-DSS) and increases breach risk. Over-classification wastes resources but doesn't create security exposure.

Q3. A government employee asks: which classification level sits BETWEEN Secret and SBU? (Government schema)

A) Top Secret   B) Confidential   C) Internal   D) Restricted

✓ B) Confidential
Government levels from highest to lowest: Top Secret → Secret → Confidential → SBU → Unclassified. "Confidential" in the government schema is the 3rd tier. Note: in commercial schemas, "Restricted" often replaces the top tier, and "Confidential" is 2nd highest — context matters!

Q4. What is the primary purpose of a Configuration Management Database (CMDB) in the context of data classification?

A) Store encrypted data   B) Track assets, owners, and classification   C) Monitor network traffic   D) Automate patch management

✓ B) Track assets, owners, and classification
A CMDB is the authoritative inventory of all organizational assets — hardware, software, data, and services. It records each asset's classification, data owner, custodian, and required controls. Without a CMDB, you cannot systematically protect assets because you don't know what exists.

Q5. Before classifying data, what must an organization complete first?

A) Implement encryption   B) Define access control policies   C) Complete asset inventory   D) Train all employees

✓ C) Complete asset inventory
You cannot classify what you don't know exists. Asset inventory (ideally in a CMDB) must be completed before classification can begin. The correct sequence is: Identify all assets → Classify each → Label → Apply controls → Review. Training and encryption are important but come after classification is established.