| name | data-classification |
| description | Data classification levels (Public, Internal, Confidential, Restricted) and handling requirements per Hack23 Data Classification Policy |
| license | Apache-2.0 |
Data Classification Skill
Purpose
This skill implements data classification requirements as defined in the Hack23 ISMS Data Classification Policy. It ensures that all data is properly classified and handled according to its sensitivity level.
Rules
Classification Levels
Hack23 uses four classification levels:
- PUBLIC - Information intended for public disclosure
- INTERNAL - Information for internal use only
- CONFIDENTIAL - Sensitive information requiring protection
- RESTRICTED - Highly sensitive information requiring maximum protection
PUBLIC Data
Definition: Information that can be freely disclosed to the public without harm to Hack23, customers, or partners.
Examples:
- Published website content
- Marketing materials
- Press releases
- Open-source code in public repositories
- Public ISMS policies
- Public API documentation
- Blog posts
- Product brochures
MUST:
- Mark as "PUBLIC" in metadata/headers
- Allow unrestricted access
- Can be stored on public cloud services
- Can be transmitted unencrypted (though HTTPS is still recommended)
- Apply standard backup procedures
- Review before publication to ensure no unintended disclosure
MUST NOT:
- Include any Internal, Confidential, or Restricted information
- Include information that could aid attackers (detailed security configurations, vulnerability details)
INTERNAL Data
Definition: Information for use within Hack23 that should not be publicly disclosed but is not highly sensitive.
Examples:
- Internal documentation
- Meeting notes
- Project plans
- Employee directories
- Internal policies
- Development roadmaps
- Non-confidential customer communications
- Internal training materials
MUST:
- Mark as "INTERNAL" in metadata/headers
- Require authentication to access
- Store on approved internal systems or cloud services with access controls
- Transmit over encrypted channels (TLS 1.2+)
- Include in regular backup procedures
- Remove access when employees leave
- Apply retention policies
MUST NOT:
- Share with external parties without approval
- Store on personal devices without encryption
- Transmit over unencrypted channels
- Post on public websites or forums
CONFIDENTIAL Data
Definition: Sensitive information that could cause significant harm if disclosed.
Examples:
- Customer personal data (PII)
- Financial records
- Contracts and agreements
- Strategic plans
- Security assessment reports
- Non-public vulnerability information
- Source code for proprietary systems
- Audit reports
- Legal documents
- HR records (non-sensitive)
MUST:
- Mark as "CONFIDENTIAL" in metadata/headers
- Require strong authentication (MFA recommended)
- Implement role-based access control
- Encrypt at rest (AES-256)
- Encrypt in transit (TLS 1.2+)
- Log all access
- Store only on approved systems with encryption
- Apply strict retention and disposal policies
- Require NDA before sharing with external parties
- Conduct access reviews quarterly
- Remove access immediately when no longer needed
MUST NOT:
- Share via unsecured channels (email without encryption, chat without E2E encryption)
- Store on personal devices without full disk encryption and MDM
- Include in logs or error messages
- Share on public cloud services without encryption
- Copy to removable media without encryption and approval
RESTRICTED Data
Definition: Highly sensitive information that could cause severe harm if disclosed.
Examples:
- Passwords, encryption keys, API secrets
- Authentication credentials
- Personal health information (PHI)
- Financial account credentials
- Credit card data (PAN, CVV)
- National ID numbers (SSN, passport numbers)
- Biometric data
- Cryptographic private keys
- Security vulnerability details (before patching)
MUST:
- Mark as "RESTRICTED" in metadata/headers
- Require MFA for all access
- Implement strict role-based access control with separation of duties
- Encrypt at rest with AES-256
- Encrypt in transit with TLS 1.2+
- Log and monitor all access with alerts
- Store in dedicated secure systems (key management systems for secrets)
- Apply immediate retention (delete when no longer needed)
- Require explicit approval for each access
- Conduct access reviews monthly
- Use secret management systems (never hardcode)
- Implement automated rotation where possible
- Revoke access immediately when no longer needed
MUST NOT:
- Store in plaintext
- Include in source code, configuration files, or version control
- Include in logs, error messages, or debug output
- Transmit via email, chat, or unsecured channels
- Store on personal devices
- Copy to removable media
- Share screenshots or copies
- Display on screen in public areas
- Print unless absolutely necessary (and securely destroy after use)
Data Handling Matrix
| Requirement | PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED |
|---|
| Authentication | Not required | Required | Required | MFA required |
| Access Control | Open | RBAC | Strict RBAC | Strict RBAC + approval |
| Encryption at Rest | Optional | Recommended | Required (AES-256) | Required (AES-256) |
| Encryption in Transit | Recommended | Required (TLS 1.2+) | Required (TLS 1.2+) | Required (TLS 1.2+) |
| Access Logging | Optional | Recommended | Required | Required + monitoring |
| Access Review | N/A | Annually | Quarterly | Monthly |
| Backup | Standard | Standard | Encrypted backup | Encrypted backup |
| Retention | As needed | Per policy | Strict policy | Immediate deletion |
| External Sharing | Allowed | With approval | NDA required | Prohibited |
Classification Guidelines
MUST:
- Classify all data at creation
- Apply the highest classification if multiple types are present
- Document classification decisions
- Review classification periodically (annually minimum)
- Train employees on classification
- Mark documents/files with classification labels
- Handle data according to its classification throughout its lifecycle
MUST NOT:
- Downgrade classification without approval
- Mix classifications in single document/database
- Ignore classification in automated systems
Storage Requirements
PUBLIC:
INTERNAL:
- Approved internal file shares
- Cloud storage with authentication
- Internal databases
CONFIDENTIAL:
- Encrypted cloud storage (approved providers)
- Encrypted databases
- Encrypted file systems
- Encrypted backups
RESTRICTED:
- Dedicated secure storage systems
- Key management systems (for secrets)
- HSM (for cryptographic keys)
- Encrypted backups in secure locations
Transmission Requirements
PUBLIC:
- Any method (HTTPS recommended)
INTERNAL:
- TLS 1.2+ for network transmission
- Authenticated email
- VPN for remote access
CONFIDENTIAL:
- TLS 1.2+ mandatory
- Encrypted email (S/MIME or PGP)
- Secure file transfer (SFTP, HTTPS)
- VPN for remote access
RESTRICTED:
- TLS 1.2+ mandatory
- End-to-end encrypted channels
- Out-of-band key exchange
- Never via standard email
Disposal Requirements
PUBLIC:
INTERNAL:
- Secure deletion (overwrite)
- Shred physical documents
CONFIDENTIAL:
- Secure deletion with verification
- Multiple overwrites
- Cross-cut shred physical documents
- Degauss magnetic media
RESTRICTED:
- Cryptographic erasure
- Physical destruction of media
- Certificate of destruction
- Immediate deletion from all locations
Examples
Example 1: Data Classification Headers (HTML)
<!DOCTYPE html>
<html lang="en">
<head>
<meta name="classification" content="PUBLIC">
<title>Hack23 - Cybersecurity Consulting</title>
</head>
<!DOCTYPE html>
<html lang="en">
<head>
<meta name="classification" content="INTERNAL">
<meta name="robots" content="noindex, nofollow">
<title>Internal Project Documentation</title>
</head>
Example 2: Database Field Classification
const userSchema = new mongoose.Schema({
username: {
type: String,
classification: 'PUBLIC',
required: true
},
email: {
type: String,
classification: 'INTERNAL',
required: true
},
firstName: {
type: String,
classification: 'CONFIDENTIAL',
required: true
},
lastName: {
type: String,
classification: 'CONFIDENTIAL',
required: true
},
dateOfBirth: {
type: Date,
classification: 'CONFIDENTIAL'
},
passwordHash: {
type: String,
classification: 'RESTRICTED',
required: true,
select: false
},
ssn: {
type: String,
classification: 'RESTRICTED',
select: false,
get: (value) => decrypt(value),
set: (value) => encrypt(value)
}
});
Example 3: Logging with Classification
const winston = require('winston');
const logger = winston.createLogger({
format: winston.format.combine(
winston.format.timestamp(),
winston.format.json()
),
transports: [
new winston.transports.File({ filename: 'application.log' })
]
});
function logSafely(level, message, metadata = {}) {
const safeMetadata = {};
for (const [key, value] of Object.entries(metadata)) {
const classification = value?.classification || 'INTERNAL';
if (classification === 'RESTRICTED') {
safeMetadata[key] = '[RESTRICTED - REDACTED]';
}
else if (classification === 'CONFIDENTIAL') {
safeMetadata[key] = maskConfidential(value);
}
else {
safeMetadata[key] = value;
}
}
logger.log(level, message, safeMetadata);
}
function maskConfidential(value) {
if (typeof value === 'string' && value.length > 4) {
return value.substring(0, 2) + '***' + value.substring(value.length - 2);
}
return '***';
}
logSafely('info', 'User login', {
username: { value: 'john_doe', classification: 'PUBLIC' },
email: { value: 'john@example.com', classification: 'INTERNAL' },
ipAddress: { value: '192.168.1.1', classification: 'INTERNAL' },
password: { value: 'secretpassword', classification: 'RESTRICTED' }
});
Example 4: API Response Classification
function filterResponseByClassification(data, userRole) {
const clearanceLevels = {
'public': ['PUBLIC'],
'user': ['PUBLIC', 'INTERNAL'],
'admin': ['PUBLIC', 'INTERNAL', 'CONFIDENTIAL']
};
const allowedClassifications = clearanceLevels[userRole] || ['PUBLIC'];
const filtered = {};
for (const [key, value] of Object.entries(data)) {
const classification = value?.classification || 'INTERNAL';
if (classification === 'RESTRICTED') {
continue;
}
if (allowedClassifications.includes(classification)) {
filtered[key] = value.data || value;
}
}
return filtered;
}
app.get('/api/user/:id', requireAuth, async (req, res) => {
const user = await db.users.findById(req.params.id);
const userData = {
username: { data: user.username, classification: 'PUBLIC' },
email: { data: user.email, classification: 'INTERNAL' },
firstName: { data: user.firstName, classification: 'CONFIDENTIAL' },
lastName: { data: user.lastName, classification: 'CONFIDENTIAL' },
ssn: { data: user.ssn, classification: 'RESTRICTED' }
};
const filtered = filterResponseByClassification(userData, req.user.role);
res.json(filtered);
});
Example 5: File Classification Metadata
const fs = require('fs');
const xattr = require('fs-xattr');
async function setFileClassification(filePath, classification) {
const validClassifications = ['PUBLIC', 'INTERNAL', 'CONFIDENTIAL', 'RESTRICTED'];
if (!validClassifications.includes(classification)) {
throw new Error(`Invalid classification: ${classification}`);
}
await xattr.set(filePath, 'user.classification', classification);
const permissions = {
'PUBLIC': 0o644,
'INTERNAL': 0o640,
'CONFIDENTIAL': 0o600,
'RESTRICTED': 0o600
};
await fs.promises.chmod(filePath, permissions[classification]);
}
async function getFileClassification(filePath) {
try {
return await xattr.get(filePath, 'user.classification');
} catch (err) {
return 'INTERNAL';
}
}
async function verifyFileHandling(filePath) {
const classification = await getFileClassification(filePath);
switch (classification) {
case 'RESTRICTED':
case 'CONFIDENTIAL':
const encrypted = await isFileEncrypted(filePath);
if (!encrypted) {
throw new Error(`${classification} file must be encrypted: ${filePath}`);
}
break;
case 'INTERNAL':
const stats = await fs.promises.stat(filePath);
if (stats.mode & 0o004) {
throw new Error(`INTERNAL file must not be world-readable: ${filePath}`);
}
break;
}
}
Example 6: Secure Deletion by Classification
const crypto = require('crypto');
const fs = require('fs').promises;
async function secureDelete(filePath, classification) {
const stats = await fs.stat(filePath);
const fileSize = stats.size;
switch (classification) {
case 'PUBLIC':
case 'INTERNAL':
await fs.unlink(filePath);
break;
case 'CONFIDENTIAL':
for (let i = 0; i < 3; i++) {
const randomData = crypto.randomBytes(fileSize);
await fs.writeFile(filePath, randomData);
}
await fs.unlink(filePath);
break;
case 'RESTRICTED':
for (let i = 0; i < 7; i++) {
const randomData = crypto.randomBytes(fileSize);
await fs.writeFile(filePath, randomData);
const fd = await fs.open(filePath, 'r+');
await fd.sync();
await fd.close();
}
await fs.writeFile(filePath, Buffer.alloc(fileSize, 0));
await fs.unlink(filePath);
break;
}
logger.info('Secure deletion completed', {
file: filePath,
classification: classification,
timestamp: new Date().toISOString()
});
}
Related ISMS Policies
Related Documentation
Compliance Mapping
ISO 27001:2022
- A.5.12 Classification of information
- A.5.13 Labelling of information
- A.5.14 Information transfer
- A.8.10 Information deletion
GDPR
- Article 32 - Security of processing (based on sensitivity)
- Article 17 - Right to erasure
NIST Cybersecurity Framework
- PR.DS-5: Protections against data leaks are implemented
- PR.IP-2: A System Development Life Cycle manages systems based on data sensitivity
Enforcement
All data MUST be classified. Violations:
- Unclassified data: Default to INTERNAL until properly classified
- Misclassification: Review and correct immediately
- Improper handling: Incident response, remediation required
- Unauthorized disclosure: Security incident, potential breach notification