Claude-skill-registry data-classification
Data classification framework including sensitivity levels, handling requirements, labeling, and data lifecycle management
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/data-classification" ~/.claude/skills/majiayu000-claude-skill-registry-data-classification && rm -rf "$T"
manifest:
skills/data/data-classification/SKILL.mdsource content
Data Classification
Comprehensive guidance for data classification, handling requirements, and data lifecycle management.
When to Use This Skill
- Establishing data classification policies
- Defining handling requirements for different data types
- Designing data protection controls by classification
- Implementing data labeling and tagging
- Creating data retention and disposal procedures
Classification Framework
Standard Sensitivity Levels
| Level | Description | Examples | Impact of Breach |
|---|---|---|---|
| Public | Intentionally public | Marketing, published docs | None |
| Internal | General business use | Policies, org charts | Minimal |
| Confidential | Business sensitive | Financial reports, contracts | Moderate |
| Restricted | Highly sensitive | PII, PHI, trade secrets | Severe |
| Top Secret | Critical/regulated | Encryption keys, M&A data | Catastrophic |
Visual Labeling
┌─────────────────────────────────────────┐ │ █ PUBLIC │ Green ├─────────────────────────────────────────┤ │ █ INTERNAL - For Internal Use Only │ Blue ├─────────────────────────────────────────┤ │ █ CONFIDENTIAL - Authorized Only │ Yellow ├─────────────────────────────────────────┤ │ █ RESTRICTED - Need-to-Know Only │ Orange ├─────────────────────────────────────────┤ │ █ TOP SECRET - Strictly Controlled │ Red └─────────────────────────────────────────┘
Handling Requirements Matrix
By Classification Level
| Requirement | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Access Control | None | Authentication | RBAC | Need-to-know + MFA |
| Encryption at Rest | Optional | Recommended | Required | Required + HSM |
| Encryption in Transit | HTTPS | TLS 1.2+ | TLS 1.2+ | TLS 1.3 + mTLS |
| Backup | Standard | Standard | Encrypted | Encrypted + geo-separate |
| Sharing External | Allowed | Approval | NDA required | Prohibited |
| Cloud Storage | Any | Approved cloud | Approved + encryption | On-premises or approved |
| Allowed | Allowed | Watermarked | Prohibited/tracked | |
| Retention | As needed | 3 years | 7 years | 7 years + legal hold |
| Disposal | Standard delete | Secure delete | Cryptographic erase | Physical destruction |
Data Flow Controls
Restricted Data Flow: ┌──────────────┐ Encrypted ┌──────────────┐ │ Source │ ───────────────▶ │ Destination │ │ System │ │ System │ └──────────────┘ └──────────────┘ │ │ ▼ ▼ Audit Log Audit Log │ │ ▼ ▼ ┌────────────────────────────────────────────┐ │ SIEM / Monitoring │ └────────────────────────────────────────────┘
Classification Implementation
.NET Data Annotation Approach
// Classification attributes [AttributeUsage(AttributeTargets.Property | AttributeTargets.Class)] public class DataClassificationAttribute : Attribute { public DataClassification Level { get; } public string? DataCategory { get; set; } public string? RetentionPolicy { get; set; } public string[] RequiredRoles { get; set; } = Array.Empty<string>(); public DataClassificationAttribute(DataClassification level) { Level = level; } } public enum DataClassification { Public = 0, Internal = 1, Confidential = 2, Restricted = 3, TopSecret = 4 } // Usage on domain models public class Customer { public Guid Id { get; set; } [DataClassification(DataClassification.Internal)] public string Name { get; set; } = string.Empty; [DataClassification(DataClassification.Restricted, DataCategory = "PII", RequiredRoles = new[] { "CustomerAdmin", "Support" })] public string Email { get; set; } = string.Empty; [DataClassification(DataClassification.Restricted, DataCategory = "PII", RetentionPolicy = "7years")] public string SocialSecurityNumber { get; set; } = string.Empty; [DataClassification(DataClassification.Confidential, DataCategory = "Financial")] public decimal CreditLimit { get; set; } }
Classification-Based Access Control
public class ClassificationAuthorizationHandler : AuthorizationHandler<DataAccessRequirement, object> { protected override Task HandleRequirementAsync( AuthorizationHandlerContext context, DataAccessRequirement requirement, object resource) { var classificationAttr = resource.GetType() .GetCustomAttribute<DataClassificationAttribute>(); if (classificationAttr == null) { context.Succeed(requirement); return Task.CompletedTask; } var userClearance = GetUserClearanceLevel(context.User); // User clearance must meet or exceed data classification if ((int)userClearance >= (int)classificationAttr.Level) { // Check role requirements if specified if (classificationAttr.RequiredRoles.Length > 0) { var hasRequiredRole = classificationAttr.RequiredRoles .Any(r => context.User.IsInRole(r)); if (hasRequiredRole) { context.Succeed(requirement); } } else { context.Succeed(requirement); } } return Task.CompletedTask; } }
Field-Level Encryption
public class ClassificationBasedEncryption { private readonly IEncryptionService _encryptionService; public async Task<T> ProtectData<T>(T data, CancellationToken ct) where T : class { var properties = typeof(T).GetProperties() .Where(p => p.GetCustomAttribute<DataClassificationAttribute>() != null); foreach (var prop in properties) { var attr = prop.GetCustomAttribute<DataClassificationAttribute>()!; if (attr.Level >= DataClassification.Confidential) { var value = prop.GetValue(data) as string; if (!string.IsNullOrEmpty(value)) { var encrypted = await _encryptionService.Encrypt(value, ct); prop.SetValue(data, encrypted); } } } return data; } }
Data Discovery and Inventory
Automated Classification
public class DataDiscoveryService { private readonly IRegexPatternMatcher _patternMatcher; public ClassificationSuggestion AnalyzeContent(string content) { var detections = new List<DataTypeDetection>(); // Check for PII patterns if (_patternMatcher.ContainsPattern(content, PiiPatterns.SocialSecurityNumber)) detections.Add(new DataTypeDetection("SSN", DataClassification.Restricted)); if (_patternMatcher.ContainsPattern(content, PiiPatterns.CreditCard)) detections.Add(new DataTypeDetection("Credit Card", DataClassification.Restricted)); if (_patternMatcher.ContainsPattern(content, PiiPatterns.Email)) detections.Add(new DataTypeDetection("Email", DataClassification.Confidential)); if (_patternMatcher.ContainsPattern(content, PiiPatterns.PhoneNumber)) detections.Add(new DataTypeDetection("Phone", DataClassification.Confidential)); // Check for financial patterns if (_patternMatcher.ContainsPattern(content, FinancialPatterns.BankAccount)) detections.Add(new DataTypeDetection("Bank Account", DataClassification.Restricted)); // Determine highest classification var suggestedLevel = detections.Any() ? detections.Max(d => d.Classification) : DataClassification.Internal; return new ClassificationSuggestion { SuggestedLevel = suggestedLevel, Detections = detections, Confidence = CalculateConfidence(detections) }; } } public static class PiiPatterns { public static readonly string SocialSecurityNumber = @"\b\d{3}-\d{2}-\d{4}\b"; public static readonly string CreditCard = @"\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b"; public static readonly string Email = @"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"; public static readonly string PhoneNumber = @"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b"; }
Data Inventory Template
Data Inventory Entry: asset_id: DATA-001 name: Customer Database description: Master customer records owner: Customer Service Department custodian: IT Operations location: - Azure SQL Database (prod-sql-001) - Daily backup to Azure Blob Storage data_categories: - PII (names, emails, addresses) - Financial (payment history, credit limits) - Behavioral (purchase history) classification: Restricted volume: ~2M records sensitivity_reason: Contains PII and financial data regulatory_requirements: - GDPR (EU customers) - CCPA (California customers) retention: active: Duration of customer relationship archived: 7 years after relationship ends access: roles: - CustomerAdmin (full access) - Support (read-only) - Analytics (anonymized only) mfa_required: true vpn_required: true encryption: at_rest: AES-256 (Transparent Data Encryption) in_transit: TLS 1.3 backup: frequency: Daily retention: 30 days tested: Monthly last_review: 2025-01-15 next_review: 2025-07-15
Data Lifecycle Management
Lifecycle Stages
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ Create │───▶│ Store │───▶│ Use │───▶│ Archive │───▶│ Destroy │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ │ │ │ ▼ ▼ ▼ ▼ ▼ Classify Encrypt Monitor Restrict Certify Label Access Ctrl Audit Log Read-only Disposal
Retention Policy Implementation
public class DataRetentionService { private readonly IRetentionPolicyProvider _policies; private readonly IAuditLogger _auditLogger; public async Task ApplyRetentionPolicies(CancellationToken ct) { var policies = await _policies.GetActivePolicies(ct); foreach (var policy in policies) { var expiredData = await FindExpiredData(policy, ct); foreach (var item in expiredData) { switch (policy.Action) { case RetentionAction.Archive: await ArchiveData(item, policy, ct); break; case RetentionAction.Anonymize: await AnonymizeData(item, policy, ct); break; case RetentionAction.Delete: await SecureDelete(item, policy, ct); break; } await _auditLogger.LogRetentionAction(item, policy, ct); } } } private async Task SecureDelete(DataItem item, RetentionPolicy policy, CancellationToken ct) { var classification = item.Classification; switch (classification) { case DataClassification.Public: case DataClassification.Internal: // Standard deletion await _repository.Delete(item.Id, ct); break; case DataClassification.Confidential: // Secure deletion with verification await _repository.SecureDelete(item.Id, ct); await VerifyDeletion(item.Id, ct); break; case DataClassification.Restricted: case DataClassification.TopSecret: // Cryptographic erasure + verification await _encryptionService.DestroyKey(item.EncryptionKeyId, ct); await _repository.SecureDelete(item.Id, ct); await VerifyDeletion(item.Id, ct); await GenerateDeletionCertificate(item, ct); break; } } }
Disposal Certification
public class DisposalCertificate { public required Guid CertificateId { get; init; } public required DateTimeOffset DisposalDate { get; init; } public required string DataDescription { get; init; } public required DataClassification Classification { get; init; } public required string DisposalMethod { get; init; } public required string PerformedBy { get; init; } public required string WitnessedBy { get; init; } public required string VerificationMethod { get; init; } public required bool VerificationPassed { get; init; } public string? Notes { get; init; } }
Labeling and Tagging
Document Labeling
public class DocumentLabeler { public async Task<LabeledDocument> ApplyLabel( Document document, DataClassification classification, CancellationToken ct) { var label = new ClassificationLabel { Level = classification, AppliedAt = DateTimeOffset.UtcNow, AppliedBy = _currentUser.Id, ExpiresAt = classification >= DataClassification.Confidential ? DateTimeOffset.UtcNow.AddYears(1) // Require re-classification : null }; // Add visual header/footer if (document.Type == DocumentType.Word || document.Type == DocumentType.PDF) { await AddVisualLabel(document, label, ct); } // Add metadata document.Metadata["classification"] = classification.ToString(); document.Metadata["classification_date"] = label.AppliedAt.ToString("O"); document.Metadata["classification_by"] = label.AppliedBy; // Apply protection if (classification >= DataClassification.Confidential) { await ApplyProtection(document, classification, ct); } return new LabeledDocument { Document = document, Label = label }; } }
Classification Policy Template
# Data Classification Policy ## 1. Purpose Establish consistent data handling based on sensitivity. ## 2. Scope All data created, collected, stored, or processed by [Organization]. ## 3. Classification Levels ### 3.1 Public Data intended for public disclosure. - **Examples**: Marketing materials, press releases - **Handling**: No special requirements ### 3.2 Internal General business information. - **Examples**: Policies, procedures, org charts - **Handling**: Access limited to employees ### 3.3 Confidential Business-sensitive information. - **Examples**: Financial reports, contracts, strategies - **Handling**: Need-to-know access, encryption required ### 3.4 Restricted Highly sensitive, regulated data. - **Examples**: PII, PHI, payment card data - **Handling**: Strict access control, MFA, encryption, audit logging ## 4. Roles and Responsibilities ### Data Owner - Assign classification level - Approve access requests - Review classification annually ### Data Custodian - Implement technical controls - Manage access permissions - Monitor for violations ### All Employees - Handle data per classification - Report misclassification - Protect sensitive data ## 5. Handling Requirements [See matrix above] ## 6. Non-Compliance Violations subject to disciplinary action. ## 7. Review Policy reviewed annually.
Classification Checklist
Implementation
- Define classification levels
- Create handling requirements matrix
- Identify data owners
- Conduct data inventory
- Apply classifications to existing data
- Implement technical controls
- Train employees
Ongoing
- Annual classification review
- New data assessment
- Access review
- Control effectiveness testing
- Policy updates
Cross-References
- GDPR:
for personal datagdpr-compliance - HIPAA:
for health datahipaa-compliance - Security:
for controlssecurity-frameworks