
Well-Architected Framework: Data classification, grading, and identification

Last Updated: Nov 18, 2025

Data classification and grading is a foundational practice for tiered data protection and a long-term technical and management commitment for any organization. Defining a data classification and grading strategy, templates, and management standards helps you catalog your data assets. This approach helps you achieve regulatory compliance and strengthen internal data security controls.

Additionally, laws in the Chinese mainland mandate a data classification and grading system for tiered protection. All regions and departments must use this system to define a catalog of important data for their jurisdictions, departments, and industries. Data in these catalogs requires heightened protection.

Relevant laws and regulations concerning data classification and grading include:

  • Data Security Law

  • Personal Information Protection Law

  • Cybersecurity Law

Standard guidelines for classification and grading in various industries include:

  • Financial industry: JR/T 0197-2020 Guidelines for Data Security Classification and Grading in the Financial Sector

  • Securities and futures industry: JR/T 0158-2018 Guidelines for Data Classification and Grading in the Securities and Futures Industry

  • Telecommunications and carrier industry: YD/T 3813-2020 Data Classification and Grading Methods for Basic Telecommunication Enterprises

  • Financial industry (personal information): JR/T 0171-2020 Technical Specification for Personal Financial Information Protection

Define data classification and grading methods

Organizations can reference the following methods to define their data classification and grading strategy:

  • Define a framework based on existing industry classification and grading standards.

    • Adopt and adapt industry standards, such as those for the finance, securities, or telecommunications sectors, to fit your specific business needs.

    • Alternatively, classify data using a data asset catalog or a custom framework based on categories like customer, company, or business information.

    • Work with professional data security consultants to establish classification and grading standards based on your business data and legal requirements.

  • Develop a classification and grading framework by consulting with data security experts.

    • Work with data security consultants to build a framework that reflects national, industry, and regional laws and regulations as well as a thorough analysis of your organizational structure and business data.

    • Coordinate with your organization's business, legal, and IT departments to finalize the classification and grading framework and standards.

Data identification in a cloud environment

Regulations divide data into personal data and important data. Personal data is then categorized as either sensitive or non-sensitive.

  1. For the criteria for identifying sensitive personal data, refer to the definitions in the Chinese national standard GB/T 35273-2020 Information Security Technology-Personal Information Security Specification.

  2. For the identification criteria of non-sensitive personal data, also refer to the definitions in the same standard.

  3. Organizations typically define important data based on their operational, business, and employee data.

In a cloud environment, organizations store data in services like Object Storage Service (OSS), Relational Database Service (RDS), Elastic Compute Service (ECS) disks, and big data platforms. The main challenges in data identification are data decentralization and its storage in various formats. Another challenge is the lack of uniform standards and specifications for data identification.

We recommend the following steps for data identification in a cloud environment:

  1. Map your organization's data storage methods and paths. Consolidate or centralize data storage paths where possible.

  2. Prioritize identifying personal and sensitive personal information. These categories have standardized definitions and are closely tied to data security regulations.

  3. Define what constitutes your organization's important data and create data identification templates for it.

  4. Implement automated identification methods, such as establishing automated classification templates, scanning tools, and reports.
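
A small template-driven scanner illustrating steps 1 to 4, as an added example (not Alibaba Cloud code or a product API). The storage paths, sample contents, template names, and the mapping of each pattern to a level are constructed assumptions; labels follow the type-plus-level form used on this page (for example C1).

```python
import re

def id_checksum_ok(value):
    """Check digit of an 18-character resident ID (ISO 7064 MOD 11-2)."""
    weights = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
    total = sum(int(d) * w for d, w in zip(value[:17], weights))
    return "10X98765432"[total % 11] == value[17].upper()

# Identification templates: (name, info type, level, pattern, validator).
# Types C/S/B and levels 1-4 follow the page; the pattern-to-level mapping
# is an assumption that each organization sets in its own standard.
TEMPLATES = [
    ("cn_mobile", "C", 3, re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"), None),
    ("cn_resident_id", "C", 4,
     re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"), id_checksum_ok),
    ("pricing_keyword", "S", 3,
     re.compile(r"(?i)\bpricing strategy\b"), None),
]

# Step 1 output: mapped storage paths with sampled content (all constructed).
INVENTORY = {
    "oss://example-bucket/crm/export.csv": "name,phone\nZhang San,13800138000\n",
    "rds://example-db/hr.employee":
        "id_no=11010519491231002X; bad=110105194912310021",
    "oss://example-bucket/docs/plan.txt": "Q3 pricing strategy draft",
    "ecs-disk://example-host/var/log/app.log": "started ok",
}

def scan(inventory):
    """Return {location: {"grade": ..., "labels": {label: count}}}."""
    report = {}
    for location, text in inventory.items():
        labels, level = {}, 0
        for _name, info_type, lvl, pattern, validator in TEMPLATES:
            for match in pattern.finditer(text):
                if validator and not validator(match.group()):
                    continue  # pattern matched but the value is not plausible
                label = f"{info_type}{lvl}"
                labels[label] = labels.get(label, 0) + 1  # count, never copy the value
                level = max(level, lvl)
        # No hit does not mean public: leave the location for manual grading.
        grade = f"L{level}" if level else "unclassified"
        report[location] = {"grade": grade, "labels": labels}
    return report

if __name__ == "__main__":
    for location, result in sorted(scan(INVENTORY).items()):
        print(result["grade"], location, result["labels"])
```

The report stores only label counts per location, so the scan output does not itself become a copy of the sensitive values it found.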

Establish protection measures for graded data

Establishing protection measures for graded data helps you systematically build data security capabilities. Data security is a discipline that requires continuous improvement and evolution. A tiered protection framework lets you flexibly adjust security controls based on your organization's data protection management requirements.

Information is often divided into the following three types:

  • Customer Information (C): customer name, phone number, hobbies, address.

  • Business Information (S): new product designs, material information, supply chain data, brand packaging, pricing strategies, SKU planning, and internal or external promotional information.

  • Company Information (B): orders, HR data, revenue, and accounts receivable.

Use the following four levels of classification for information protection:

| L1 | L2 | L3 | L4 |
| --- | --- | --- | --- |
| Public | Internal | Confidential | Secret |

By combining these information types and protection levels, we recommend the following classification for your internal data:

| Information type | Classification: Public Information (L1) |
| --- | --- |
| Customer Information (C) | Customer Public Information (C1) |
| Business Information (S) | Business Public Information (S1) |
| Company Information (B) | Company Public Information (B1) |

The following table shows the protection measures for each data classification level:

| Data security level | L1 | L2 | L3 | L4 |
| --- | --- | --- | --- | --- |
| Description | Public | Internal | Confidential | Secret |

Classification control measures

• Basic access control

• Plain text display

• Access channel encryption

• Access control

• Data download permission

• Data download distribution

• Data encryption

• Access channel encryption

• Data storage encryption

• Strict access control approval process

• Data download permission control

• Data outbound audit monitoring

• Endpoint protection

• Security detection

• Privileged access channel encryption

• Data storage encryption

• Permission approval

• VDI checking

• Download prohibited

• Endpoint protection

Data security is a systematic effort that dynamically changes based on business needs and customer attributes. When creating a tiered protection framework, you must also consider the impact on business operations. Therefore, building data security capabilities is not a one-time task but a long-term process that requires careful design, planning, and continuous implementation tailored to your business.