I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today. And so much has been going on that I didn't even realize that we actually passed the one-year mark of Cash in the Cyber Sheets, 52 different episodes.
Now this is going to be 56, 57, somewhere in the 50s, but past that whole year. So I don't know. It feels kind of like a birthday at this age, kind of exciting, but not tons of fanfare.
Just happy, happy it's still around. But thank you for sticking with us for the time and as we've continued to grow and get more set up in Cash in the Cyber Sheets, really excited to see what the next year is going to bring now that we've gotten, I think a lot of the basics down and just need to live true to the Input Output whole thing of be better.
So really excited to see what the next year brings, but thank you so much. And as we go into today's episode, I really just wanted to spend a little bit of time today talking about, we're putting a blog out this week, talking about data classification policy, what that is, going into some details. And we'll have more on the website and obviously in our WISP, but there's a few things that I think are really important that I felt, I don't know, got a little bit lost in the article itself, and I just wanted to dive into that.
So not a super deep episode today, but I think some pretty important things of what you absolutely don't want to miss with your data classification policy and why it's so important and also why we set it up the way we do a little bit different than other classification policies, a little bit different than other schemas and why that can make such a big difference in your entire security program. Before we get into that, and since we're now past our first year, please click that subscribe, click that like wherever you're listening to us at YouTube, Spotify, Apple. We'd love to have your comments.
Here's some things that are working well for you, things that you would like us to talk about and we'd just like to have you part of the show. So please click that like and subscribe. With that said, let's go ahead and jump in.
This is, again, this is really tying into our article this week. What is a data classification policy? And I am not going to read the article. I'm not going to go into every single little detail, but did want to go into some of the important parts.
So high level data classification policy, it really tells people in your organization, people that have the data outside of your organization, the sensitivity of a different piece of information, a different asset, and really what you can and can't do with it. Anywhere from typically like public data that just everybody can have it, blog posts, marketing materials, things like that, all the way up to top secret kind of trade secrets, Coca-Cola recipe, things like that, that if it gets out, it's going to bury the company. And honestly, even though there's trade secrets, sometimes they won't bury the company, just really bad if they get out.
And kind of everything in between. So what the data classification policy is going to look at is really it's going to give the guidelines for how you classify data, how you handle it, and ultimately how you protect it, all of the handling requirements, so on and so forth. Now, a lot of companies think that this is just something that larger companies need.
And especially now with all the new regulations, with so many privacy requirements, it never was just for big companies. But even more now, it's for really any company that has any type of sensitive data. And you need to make sure that you're classifying your data correctly, that you're identifying what do we have that's public, what do we have that's more sensitive, and how are we going to appropriately manage the security and access to those different classifications, those different sets of data, those different assets? How are we going to manage that? Okay, so the classification levels, this is really where I wanted to start diving in, because I think this is often overlooked as a "just get something put down so that we've got the classification policy and move on to other stuff" exercise.
And I think it's very important because, especially when we start doing risk assessments, when we start doing data models and threat models, this has a huge impact as to how usable, and I would even say easy, it makes it to perform some of those different actions, and how small tweaks here can really impact how successful those are. And we're going to get into it. So our classification levels, we really go a lot in line with CISA's traffic light protocol, the TLP.
So you have TLP, traffic light protocol, white, which is public data. This is anybody can have access to this. There's no restriction on it.
You don't need to sign any type of NDA, just it's public. Blog posts, newspaper articles, things on the website, that would all be TLP white. Next step would be a TLP green, and this is typically internal use.
It's not going to cause serious harm if it gets out, but we're not giving it to everybody. In some examples of this, again, depending on risk for the organization, but this could be like an employee schedule or internal contact list. Maybe it's unapproved marketing materials.
We haven't put it out yet, but we're eventually going to probably. So if it gets out again, it's not going to bury the company. And sometimes these are only shared with internal people in the organization.
Other times it's with those with a supporting need to know, so like outside marketing teams, things like that. But overall, we're not getting crazy with how we're trying to manage this. Now, the next step is where it starts getting a bit more serious.
And here's where our difference comes in. TLP amber is confidential. That's anything internal to the organization.
We don't want that to get out. That is financial records, say QuickBooks files, different documents. And we would typically only share this if there's an NDA.
And a need to know. Now, the new traffic light protocol breaks up TLP amber and TLP amber strict. What we do, rather than using the TLP red that they've got, is our next step is TLP red. So this is a little bit hard to explain; as I thought through it here, I feel like it should have a whiteboard.
But TLP red, our next step, is restricted. We really think of that as absolute need to know: if you don't need to know it for your job or your particular job task, you don't need access to it. And this is really where we put PII, PHI, all of that kind of privacy-restricted information; all of it is in TLP red, restricted.
In our classification, that is what the TLP traffic light protocol would typically call TLP amber-strict. Where TLP red on the typical traffic light protocol would mean critical and top secret, that's what we classify as purple.
And here's why it seems like an annoying difference. It seems like, why would this matter? But when you look at all of these different colors, when you look at the different classifications, it doesn't so much matter on the bottom of a document. That's pretty easy.
TLP amber strict, TLP red, pretty easy to identify. But when you start doing data flow models, when you start doing threat modeling, and that's just basically drawing everything on a whiteboard and starting to identify where do we have our data, where do we have our assets? When you have it broken up with these multiple different colors, we can quickly identify databases that are red, TLP red, that's PII, that's PHI. If there's a data breach there, that's a privacy issue.
If it's amber, we know it's confidential data and we can gauge that to see how impactful it will be to the organization; maybe these databases over here, like Canva, are in a green box to show internal use only, but again, if it gets out, not a big deal. When you use the TLP amber, TLP amber strict, where you put too much of your classification into, say, just confidential or into restricted, what ends up happening is when you do your data models, when you do your threat modeling, you just have a lot of one single color. It loses its viability.
It's almost like creating a life-size map. You lose the utility of that classification, whereas when you break it up a bit differently, and where we draw that line is, again, between the amber and the restricted, the amber and the red, for company private data, PII, PHI, private financial data, whatever you want to call it. When you break it up in that way, you can quickly start seeing, just by looking at a threat model, at a data map, where do we have our biggest exposure? Where do we need to make sure we're locking things down? Or if we have a sea of red, how can we start consolidating things to start reducing our risk? And in all of the threat model exercises that we've done, in all of the network diagramming, it always provides much more insight and much more clarity.
Even just at an initial glance, what do we have? Where's it at? Where do we need to protect? Where are we exposed? That's really the reason that we split it up, that we deviate a bit from the typical CISA traffic light protocol, and why for all of the clients that we take through our WISP, through all of our virtual CISO engagements, through all of our consulting, we recommend splitting it up in the same way so that you actually have utility. The reason we've got the purple critical top secret: most companies don't have any of that, they don't have trade secrets like Coca-Cola's recipe or KFC's 13 spices that would put them out of business or greatly impact their viability if it got out. And even if they do, that shows up on a data flow, that shows up on a network diagram threat model very, very quickly.
And you can quickly see what do we have here? What do we need to test? You can also, when you build your network diagrams, all of those different types of modeling exercises, quickly pull out where do we need to audit, you can create schedules; it's just, again, many years of experience doing this is why I would recommend splitting it up in that way. Whereas if you just go by a strict traffic light protocol or just a typical four-layer classification schema, what's going to happen is you're going to see that the majority of all of your data fits in one of those classifications. And again, you just start to lose some of the utility.
That's my recommendation. That's, again, how we do things. And if you look at the blog post, we'll have this in the description of the podcast, it'll go into a lot more detail of everything with the data classification policy, with the structure, things that you need to have in there, the different components like classification, labeling, handling, data retention, even DLP, data loss prevention, or data loss protection, depending on how you want to say it; it has a lot of that information.
But really where I wanted to talk today, and we did, is about that separation in the classification levels and why that's so important and how that can make your other exercises, your risk assessment, your modeling, and everything else that you do much more impactful. Thank you very much for listening to us today. Again, leave us a comment.
If there's things you like, things you would like us to talk about, also always happy to hear about things that are working for you and your organization, please leave those in the comments, click that like. And until next time, thanks for listening. Thanks for joining us today.
Don't forget, click that subscribe button, leave us a review and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential.
So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.