Data Classification Review Process at 5X

1. Introduction

Every organization handles different types of data with varying levels of sensitivity. At 5X, we process a wide spectrum of information, from public marketing content to highly sensitive customer data. Data classification is the systematic process of categorizing data based on its sensitivity, value, and criticality to the organization.
This document outlines 5X's comprehensive approach to data classification, providing detailed guidance on how we identify, categorize, and protect different types of information. By following a structured classification process, we ensure that appropriate security controls are applied consistently across our environment, thereby protecting sensitive information while allowing efficient access to data that can be more widely shared.
Data classification is not merely a checkbox for compliance; it forms the foundation of our entire security program. Without understanding what data we have and how sensitive it is, we cannot make informed decisions about how to protect it. This process enables us to allocate security resources effectively, focusing our strongest controls on our most sensitive data assets.

2. Purpose and Scope

2.1 Purpose

The purpose of this data classification review process is multifaceted:
Establish Consistent Classification Criteria: By defining clear, objective criteria for determining data sensitivity, we remove ambiguity and ensure that similar types of data receive consistent classification regardless of who performs the assessment. This consistency is critical for maintaining appropriate security across all systems and departments.
Apply Appropriate Controls: Different types of data require different levels of protection. By classifying data according to its sensitivity, we can implement security controls proportional to the risk. This approach prevents both under-protection (which creates security vulnerabilities) and over-protection (which wastes resources and impedes legitimate business activities).
Support Regulatory Compliance: Many regulations, including GDPR, CCPA, and industry-specific requirements, mandate the protection of certain types of data. Our classification process helps identify data subject to regulatory requirements, ensuring we apply the necessary controls to maintain compliance.
Reduce Risk: By identifying sensitive data and applying appropriate controls, we systematically reduce the risk of data breaches, unauthorized access, and other security incidents that could harm our customers, damage our reputation, or result in regulatory penalties.
Enable Data Governance: Proper classification facilitates broader data governance initiatives, including data retention, data quality management, and data access controls. This comprehensive approach ensures data is not only secure but also managed effectively throughout its lifecycle.

2.2 Scope

This process applies to all data within 5X's environment, including:
All Data Processed by 5X Platforms: This encompasses any information that passes through, is stored within, or is processed by our systems. As our SOC 2 Type II report indicates, 5X maintains a risk-based assessment security program covering various aspects of information security, including data management.
Customer Data Accessed Through 5X Services: As noted in our Security and Compliance Overview, "5X does not store customer data. We operate as a secure layer on top of your chosen data warehouse." However, we do handle metadata related to customer systems, and this metadata must be properly classified and protected.
Internal Business Data: This includes financial information, employee records, strategic plans, and other corporate information that supports our operations but is not directly related to customer services.
All Data Handlers: The process applies to anyone who might access, process, or manage 5X data, including:
Employees (permanent and temporary)
Contractors and consultants
Third-party service providers with access to our systems
Partners and vendors who receive or process our data

3. Data Classification Categories

Based on 5X's Data Management Policy, we have established four distinct classification categories. Each category has a clear definition and examples to help data owners make appropriate classification decisions.

3.1 Public Data

Definition: Information that is deliberately made available to the public without restriction. This information can be freely shared without causing harm to 5X, its customers, or its employees.
Characteristics:
Intentionally released for public consumption
No adverse impact if widely distributed
Often used for marketing, education, or transparency purposes
No authentication required to access
Examples:
Press releases and public announcements
Public website content and marketing materials
Published white papers and case studies
Open-source code contributions
Public API documentation
Company contact information
Job postings and career information
Security Considerations: While public data requires no confidentiality protection, it may still need integrity and availability protections to prevent unauthorized modifications or service disruptions that could spread misinformation or damage 5X's reputation.

3.2 Internal Data

Definition: Information intended for use within 5X that should not be shared externally without proper authorization. While not highly sensitive, unauthorized disclosure could cause minor harm or embarrassment to the organization.
Characteristics:
Created for internal operations and communications
Limited value to competitors or malicious actors
Not subject to strict regulatory requirements
Moderate business impact if disclosed
Examples:
Internal memos and communications
Meeting minutes and project plans
Design documents and product specifications
Internal policies and procedures
Employee directories and organizational charts
Internal training materials
Non-sensitive operational metrics
General business correspondence
Security Considerations: Internal data requires basic access controls to prevent unauthorized external disclosure. Authentication mechanisms should ensure that only 5X personnel and authorized contractors can access this information. Particular attention should be paid to access termination when employees leave the organization.

3.3 Customer Data

Definition: Information received from or related to customers for processing, storage, or analysis. This category includes data that customers entrust to 5X as well as metadata about customer environments and usage patterns.
Characteristics:
High value to customers and 5X
Often subject to contractual confidentiality obligations
May contain sensitive business information or personal data
Could cause significant harm if compromised
Examples:
Customer operating data
Customer personally identifiable information (PII)
Customers' customers' PII
Usage patterns and analytics
Customer account credentials
Service configuration data
Any data subject to confidentiality agreements
Metadata about customer environments
Security Considerations: As outlined in our SOC 2 report, customer data "must uphold the highest possible levels of integrity, confidentiality, and restricted availability." This requires strong encryption (AES-256 as noted in our Privacy Policy), strict access controls, comprehensive logging, and regular access reviews. All customer data must be handled in accordance with our Data Processing Addendum.

3.4 Company Data

Definition: Highly sensitive internal information that relates to 5X's operations, strategies, personnel, or financial status. Unauthorized disclosure could significantly harm 5X's competitive position, financial stability, or employee privacy.
Characteristics:
Critical to business operations
High competitive value
Often subject to regulatory requirements
Significant negative impact if disclosed
Examples:
Legal documents and contracts
Intellectual property and trade secrets
Strategic plans and product roadmaps
Financial data and projections
Employee personal information
Salary and compensation details
Authentication credentials
Security architecture details
Security Considerations: Company data requires the highest level of internal protection, with access strictly limited based on necessity. Encryption, multi-factor authentication, detailed access logging, and regular access reviews are essential. Special attention must be paid to data handling during mergers, acquisitions, or other significant corporate events.

4. Data Classification Review Process

The data classification process at 5X is not a one-time activity but an ongoing cycle that ensures our data receives appropriate protection throughout its lifecycle. This section provides a detailed explanation of how we identify, classify, review, and update classifications for all data assets.

4.1 Initial Classification

The first step in managing data security is identifying and classifying data when it first enters our environment or when new systems are deployed.

4.1.1 Data Owner Identification

Process: For each system, application, dataset, or repository, we identify a specific individual who serves as the Data Owner. This person has the authority and responsibility to make decisions about how the data is used, shared, and protected.
Selection Criteria: Data Owners are typically:
Department heads or directors responsible for the business function that generates or uses the data
Product managers for data related to specific products or services
IT leaders for infrastructure or system-generated data
Individuals with subject matter expertise related to the data
Responsibilities: Data Owners must understand:
The business value and purpose of the data
Any regulatory or contractual requirements
How the data is used throughout the organization
The potential impact if the data were compromised
Documentation: Data Ownership is documented in the Data Classification Register, which is maintained in our Vanta system. This assignment is reviewed annually to ensure it remains appropriate as organizational roles change.

4.1.2 Data Inventory Creation

Process: Before data can be classified, it must be identified and documented. Our IT and Security teams collaborate with Data Owners to create a comprehensive inventory of all data assets.
Inventory Components:
Data asset name and description
System(s) where the data resides
Data formats and structures
Data volume and growth projections
Source of the data
Data retention requirements
Current access controls
Current backup and recovery procedures
Integration points with other systems
Tools and Methods:
Automated data discovery tools scan our environment to identify potentially sensitive data
System architecture reviews document data flows
Application owners provide details about data processed by their systems
Interviews with key personnel identify "shadow IT" and undocumented data repositories
Maintenance: The inventory is updated whenever new systems are deployed, existing systems are modified, or new data types are introduced. A full review occurs annually to ensure completeness.

4.1.3 Classification Assessment

Process: Once data assets are identified, Data Owners complete a structured Data Classification Assessment to determine the appropriate classification level.
Assessment Areas:
Data Sensitivity Evaluation:
Does the data contain personal information?
Would unauthorized disclosure harm individuals?
Would unauthorized disclosure damage 5X's reputation or competitive position?
Is the data intended for public disclosure?
Regulatory Requirements Identification:
Is the data subject to specific regulations (e.g., GDPR, CCPA, HIPAA)?
Do these regulations impose specific security or privacy requirements?
Are there notification requirements in case of a breach?
Business Impact Analysis:
What would be the financial impact of data loss or unauthorized disclosure?
Would operations be disrupted if the data were unavailable?
How would partners or customers be affected by a data incident?
Privacy Implications:
Does the data include information about identifiable individuals?
Was the data collected with specific consent or for specific purposes?
Are there limitations on how the data can be used or shared?
Assessment Method: The assessment uses a standardized questionnaire with weighted scoring to provide an initial classification recommendation. This ensures consistency across different assessors and data types.

4.1.4 Classification Determination

Process: Based on the assessment results, Data Owners assign the appropriate classification level to each data asset.
Decision Factors:
Assessment score and recommended classification
Business context and usage requirements
Aggregation considerations (data that is not sensitive in isolation may become sensitive when combined)
Regulatory and contractual obligations
Risk tolerance for the specific data type
Validation: The Security team reviews all classifications for:
Consistency across similar data types
Alignment with policy requirements
Appropriate consideration of regulatory factors
Reasonable balance between security and accessibility
Conflict Resolution: When there are disagreements about the appropriate classification:
The Security team and Data Owner discuss the reasoning for their positions
If agreement cannot be reached, the matter is escalated to the Information Security Officer
For significant or high-impact decisions, the executive team may be consulted
The final decision is documented along with the reasoning

4.2 Periodic Review

Data sensitivity can change over time due to evolving business needs, regulatory changes, or shifts in the threat landscape. Regular reviews ensure classifications remain appropriate.

4.2.1 Scheduled Reviews

Review Frequency:
Quarterly Reviews for Customer and Company Data: These categories contain our most sensitive information, so more frequent reviews ensure protection remains appropriate. The quarterly process focuses on:
Changes in data handling or processing
New regulatory requirements
Modified access patterns
Security incidents or near-misses that might indicate insufficient controls
Annual Reviews for Internal and Public Data: Less sensitive data undergoes a comprehensive annual review, which includes:
Verification that public data is still intended for public consumption
Confirmation that internal data hasn't increased in sensitivity
Assessment of whether controls remain appropriate
Validation that data is still actively used and required
Ad-hoc Reviews triggered by:
Significant system changes or upgrades
New business initiatives or partnerships
Regulatory developments
Mergers, acquisitions, or divestitures
Security incidents affecting similar data types
Scheduling and Tracking: The Security team maintains a review calendar and sends automated reminders to Data Owners when reviews are due. Completion status is tracked, and escalations occur when reviews are delayed.

4.2.2 Review Methodology

Process: The review methodology is designed to be thorough yet efficient, focusing on meaningful changes rather than bureaucratic checkbox exercises.
Review Steps:
Verification of Inventory Accuracy:
Is all data accounted for in the current inventory?
Have any data repositories been decommissioned or archived?
Has new data been introduced that isn't yet classified?
Have data flows or integrations changed?
Assessment of Classification Appropriateness:
Has the business value or sensitivity of the data changed?
Have new uses for the data emerged that affect its sensitivity?
Has external guidance on similar data types evolved?
Have threat actors shown increased interest in this type of data?
Identification of New Data Types: