Who assigns Classification & Categorization to data?

cledford3cledford3 Member Posts: 66 ■■■□□□□□□□
I understand the difference between classification & categorization (see below) - but am wondering who does/assigns each? A couple of my study materials either mix these terms up, use them interchangeably, or don't understand them. Both terms seem (in the materials) to be attributed to the Data Owner - however, one resource will use the term "classification" and the next "categorization" but none mentions both.

Bonus for reference to appropriate NIST document or framework.



Classification = assign a label (confidential, sensitive, restricted) to data – think of “classified” information (top secret, etc)

Categorization = assign an IMPACT to the loss of CIA of the information (low, medium, high)


  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    I would start at looking at NIST SP 800 series...risk management framework....800-30, 37, 53, 53A, etc.

    I am not going to lie, if you want to truly understand it, things are going to get confusing and complex pretty quick without in-depth training. Basically, the owner assigns a classification based on how important the data is to an organization based on legal requirements, trade secrets, etc......then the data is categorized based on each category of the CIA triad. It’s important to note that classifications might be things like proprietary or most secret in non government organizations.

    Let’s use an example of a trade secret, using public, internal, secret. We would rate this as a secret classification. For categorization... Confidential we would use high, integrity high, availability maybe low or moderate. These three would help us pick specific controls based on 800-53.

    At this point you are probably confused so I would read the NIST documents but for most certifications, that’s probably more than enough context.

    Look at the below link at the security controls tab. You also have to determine the overall categorization for your systems...the highest level for C,I,A sets what you have to do for everything. So in our above example, our system would at least be High, High, Low so look in the Confidential High column, Integrity High, Availability Low....see what has an X and those would be implemented controls.

  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    All I've read points to data owners. It also makes sense.
  • H-bombH-bomb Member Posts: 129 ■■■□□□□□□□
  • cyberguyprcyberguypr Mod Posts: 6,927 Mod
    Don't overthink this. A question like this is considered a freebie in many exams.
  • mattster79mattster79 Member Posts: 135 ■■□□□□□□□□
    cyberguypr wrote: »
    Don't overthink this. A question like this is considered a freebie in many exams.

    Can’t argue with that.
Sign In or Register to comment.