Enter Classification Factors
Use the fields below to score sensitivity, regulation, exposure, and operational impact. Results appear above this form after you submit.
Example Data Table
Use this sample to compare how changes in exposure, regulation, and encryption affect the final label.
| Asset | Type | Sensitivity | Regulatory | Exposure | Encryption | Score | Label |
|---|---|---|---|---|---|---|---|
| Marketing Blog Archive | Public Content | 1 | 1 | 2 | 1 | 18 | Public |
| HR Policy Repository | Internal Business | 3 | 2 | 2 | 1 | 38 | Internal |
| Customer CRM Export | Customer PII | 4 | 4 | 3 | 2 | 67 | Confidential |
| Payment Token Vault | Payment Data | 5 | 5 | 4 | 3 | 88 | Restricted |
Formula Used
This tool uses a weighted classification score. Each factor is scored on a scale from 1 to 5, then multiplied by its weight. The weighted values are normalized to a 100 point scale.
- Base weighted score = sensitivity × 0.22 + regulatory × 0.18 + business impact × 0.18 + external sharing × 0.10 + access scope × 0.08 + encryption risk × 0.08 + third party × 0.05 + cross border transfer × 0.04 + incident history × 0.03 + critical service × 0.04
- Volume modifier adds 0 to 6 points based on record count.
- Retention modifier adds 0 to 4 points based on retention duration.
- Normalized score = ((weighted score − 1) ÷ 4) × 90 + modifiers, capped between 0 and 100.
- Labels: 0–24 Public, 25–49 Internal, 50–74 Confidential, 75–100 Restricted.
The weighting emphasizes confidentiality, legal duties, and operational impact first, because those drivers usually determine handling rules, breach cost, and control depth.
How to Use This Tool
- Enter the asset name, owner, and the main data type.
- Choose factor ratings for sensitivity, regulation, impact, sharing, access, encryption, and third party use.
- Add record volume and retention months for scale based risk adjustment.
- Click Classify Data to generate the result above the form.
- Review the score, label, rationale, recommended controls, and review frequency.
- Use Download CSV for audit logs and Download PDF for printable reports.
Frequently Asked Questions
1. What does this tool classify?
It classifies business information assets by combining confidentiality, legal exposure, operational impact, sharing patterns, and control weakness into one practical label.
2. Is this tool only for regulated data?
No. It works for public content, internal records, customer data, credentials, code, payment information, and other assets needing consistent handling decisions.
3. Why does encryption affect the score?
Weak encryption increases exposure if data is lost, copied, or intercepted. The tool treats poor protection as a risk amplifier.
4. What is the difference between Confidential and Restricted?
Confidential data needs strong controls and limited access. Restricted data needs the highest safeguards, tighter approvals, stronger monitoring, and stricter review cycles.
5. Can I use this for vendor assessments?
Yes. Third party processing, cross border transfer, and external sharing fields help evaluate vendor handled information and outsourcing risk.
6. Does higher record volume always increase the label?
Not always. Volume adds risk pressure, but the final label still depends mainly on sensitivity, regulation, business impact, and control quality.
7. Should this replace policy based classification?
No. Use it as a decision aid. Your formal policy, legal requirements, contracts, and internal exceptions should still control final labeling.
8. What should I do after classification?
Apply handling rules, update access lists, enforce retention, validate encryption, train users, and review the asset at the suggested frequency.