Data Classification & Destruction Policy

What's in this lesson: Explore the five core data classifications, special handling classes, and the lifecycle rules for secure storage, transmission, and destruction.
Why this matters: Inappropriate use of corporate systems exposes the company to risk. Protecting critical and confidential data ensures compliance and operational integrity.

Attention: The Abandoned Desk

You are walking through the office after hours and notice an untidy desk. Several documents have been left out in the open. Inspect the items and identify the risk level based on NESP policy.

The 5 Core Classifications

Data residing on corporate systems must be continually evaluated and classified.

  • Personal: User's personal data, emails, docs. Excluded from policy; no guidelines apply.
  • Public: Already-released marketing material or commonly known info. No requirements.
  • Operational: Basic business ops (non-confidential). The majority of data falls here.
  • Critical: Information vital to business ops. Extremely important for security/backups.
  • Confidential: Proprietary to the business. Strict handling guidelines apply.

Special Classes of Confidential Data

Within the "Confidential" tier, there are two special classes that require heightened security controls.

PII

Examples: Social Security numbers, driver's licenses, financial accounts (credit/debit cards).

Additional Requirements: Must be stored at rest and transmitted using strong encryption. Destruction requires secure technology and certificates of destruction must be maintained.

Customer Confidential

Examples: Customer log files, data covered by specific contracts.

Additional Requirements: Data and documents must be explicitly marked as such. They are subject to additional storage and destruction rules depending on the specific customer's requirements.

Knowledge Check 1

You receive an email containing a spreadsheet of employee Social Security numbers. How should this data be classified?

Data Lifecycle Rules Matrix

The policy outlines strict guidelines for how data is stored, transmitted, and ultimately destroyed.

Storage Rule

  • Operational: Stored where backup schedule is appropriate.
  • Critical: Stored on server with most frequent backups; redundancy encouraged.
  • Confidential: Removed from desks/screens; stored under lock & key.
  • PII: Stored at rest using strong encryption.

Transmission Rule

  • Operational: Should not be transmitted unless necessary for business purposes.
  • Confidential: Strong encryption required outside network. NEVER left on voicemail.
  • PII: Strong encryption required for outside transmission.

Destruction Rule

  • Operational/Critical: No strict requirements, though shredding is encouraged.
  • Confidential: Paper: Cross-cut shredding. Drives/Media: Data wiping minimum.
  • PII: Secure destruction technology; certificates must be maintained.

Knowledge Check 2

You need to dispose of printed Confidential business plans. What is the required method?

Key Takeaways

  • Classifications: Data must be classified as Personal, Public, Operational, Critical, or Confidential.
  • Special Protection: PII and Customer Confidential are special classes requiring encryption and specific compliance marking.
  • Physical Security: Confidential data must be secured under lock & key and removed from empty desks or locked screens.
  • Secure Destruction: To prevent recovery, use cross-cut shredding for paper and data wiping for media. PII requires destruction certificates.
  • Enforcement: Policy violations expose the company to risk and result in disciplinary action up to termination.

Ready for the Assessment?

You have reviewed the core concepts of the Data Classification and Destruction Policy.

There are 3 questions. You must score 100% to earn your certificate.

Assessment Question 1

What is the primary storage requirement for general Confidential data?

Assessment Question 2

How must Personally Identifiable Information (PII) be handled during destruction?

Assessment Question 3

What is a special requirement for handling Customer Confidential data?
