Skill

data-classification

Classify organizational data by sensitivity level and define handling, storage, and access requirements.

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-compliance

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

140.7k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

ecc

140.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Context

You are a senior data governance architect designing data classification for $ARGUMENTS. Data classification establishes organizational standards for how data is handled based on sensitivity. Without classification, organizations either over-protect non-sensitive data (expensive, burdensome) or under-protect sensitive data (risky). Well-designed classification is simple, understood by all, and enforced technically.

Domain Context

Classification Levels: Public, Internal, Confidential, Restricted (varies by organization)

Drivers: Regulatory (GDPR, HIPAA, PCI-DSS), contractual (customer agreements), competitive (trade secrets)

Handling Requirements: Different levels require different encryption, access control, retention, destruction standards

Enforcement: Technical controls (DLP tools, encryption, access control) enforce classification

Responsibility: Data owners assign classification; stewards maintain; custodians enforce

Instructions

Define Classification Levels:

Public: No restrictions; can be shared externally; loss has no impact
- Examples: Marketing materials, public documentation, press releases
- Handling: No encryption required; can be accessed by anyone
Internal: Within organization only; loss has limited impact
- Examples: Internal policies, team wikis, internal communications
- Handling: Not encrypted; access limited to employees; not shared externally
Confidential: Restricted access; loss has significant impact
- Examples: Customer data, financial records, contracts, employee records
- Handling: Encrypted at rest/transit; access restricted to need-to-know; audit logging
Restricted: Highest sensitivity; loss has severe impact
- Examples: Health records (HIPAA), payment card data (PCI-DSS), trade secrets
- Handling: Encryption + additional controls (MFA, separation of duties, segregated systems); minimal access; extensive logging

Assign Classification:

Data Owner: Business unit leader determines sensitivity; assigns classification
Classification Criteria:
- Regulatory: Is data regulated? (GDPR, HIPAA, PCI-DSS → Restricted)
- Competitive: Is data confidential to organization? (Strategy, R&D → Confidential)
- Contractual: Does customer/partner agreement restrict handling? (Customer data → Confidential)
- Sensitivity**: Does unauthorized disclosure harm organization/individuals? (Personal data → Confidential/Restricted)
Documentation: Document rationale for classification; review annually

Define Handling Requirements Per Level:

Storage:
- Public: Any system
- Internal: Corporate systems only
- Confidential: Encrypted storage; access-controlled systems
- Restricted: Highly secured systems; air-gapped if required
Transmission:
- Public: Plain HTTP acceptable
- Internal: HTTPS required
- Confidential/Restricted: TLS 1.2+; encrypted end-to-end
Access:
- Public: Open
- Internal: Employees only
- Confidential: Need-to-know; documented approval
- Restricted: Minimal access; multi-factor authentication
Retention:
- Public: No retention requirement
- Internal: Organizational retention (typically 1-3 years)
- Confidential/Restricted: Legal holds (5-7 years); secure deletion after retention expires
Sharing: Defines who can receive data (internal only, customer, third parties, public)

Implement Technical Enforcement:

Data Loss Prevention (DLP): Tools scan for classified data; prevent exfiltration
Encryption: Automatically encrypt Confidential/Restricted data at rest and transit
Access Controls: Grant access based on classification; audit access
Watermarking: Mark documents as classified (in footers, headers)
Monitoring: Alert on suspicious access or movement of restricted data

Maintain Classification:

Training: All employees understand classification; receive training annually
Audits: Periodic audit of classification accuracy; verify enforcement
Evolution: Update classification as business/threat landscape changes
Exceptions: Document and justify any exceptions to handling requirements
Reporting: Metrics on classified data volume, trends, enforcement

Anti-Patterns

Over-classifying (everything is "Confidential"); wastes resources; dilutes urgency

Under-classifying (sensitive data is "Internal"); leaves critical data under-protected

Classification without enforcement; if not enforced, classification is useless

No training; employees don't understand classification; mishandle data

Classification never changes; business evolves; classification must evolve

Context

Domain Context

Classification Levels: Public, Internal, Confidential, Restricted (varies by organization)

Drivers: Regulatory (GDPR, HIPAA, PCI-DSS), contractual (customer agreements), competitive (trade secrets)

Handling Requirements: Different levels require different encryption, access control, retention, destruction standards

Enforcement: Technical controls (DLP tools, encryption, access control) enforce classification

Responsibility: Data owners assign classification; stewards maintain; custodians enforce

Instructions

Define Classification Levels:

Public: No restrictions; can be shared externally; loss has no impact
- Examples: Marketing materials, public documentation, press releases
- Handling: No encryption required; can be accessed by anyone
Internal: Within organization only; loss has limited impact
- Examples: Internal policies, team wikis, internal communications
- Handling: Not encrypted; access limited to employees; not shared externally
Confidential: Restricted access; loss has significant impact
- Examples: Customer data, financial records, contracts, employee records
- Handling: Encrypted at rest/transit; access restricted to need-to-know; audit logging
Restricted: Highest sensitivity; loss has severe impact
- Examples: Health records (HIPAA), payment card data (PCI-DSS), trade secrets
- Handling: Encryption + additional controls (MFA, separation of duties, segregated systems); minimal access; extensive logging

Assign Classification:

Data Owner: Business unit leader determines sensitivity; assigns classification
Classification Criteria:
- Regulatory: Is data regulated? (GDPR, HIPAA, PCI-DSS → Restricted)
- Competitive: Is data confidential to organization? (Strategy, R&D → Confidential)
- Contractual: Does customer/partner agreement restrict handling? (Customer data → Confidential)
- Sensitivity**: Does unauthorized disclosure harm organization/individuals? (Personal data → Confidential/Restricted)
Documentation: Document rationale for classification; review annually

Define Handling Requirements Per Level:

Storage:
- Public: Any system
- Internal: Corporate systems only
- Confidential: Encrypted storage; access-controlled systems
- Restricted: Highly secured systems; air-gapped if required
Transmission:
- Public: Plain HTTP acceptable
- Internal: HTTPS required
- Confidential/Restricted: TLS 1.2+; encrypted end-to-end
Access:
- Public: Open
- Internal: Employees only
- Confidential: Need-to-know; documented approval
- Restricted: Minimal access; multi-factor authentication
Retention:
- Public: No retention requirement
- Internal: Organizational retention (typically 1-3 years)
- Confidential/Restricted: Legal holds (5-7 years); secure deletion after retention expires
Sharing: Defines who can receive data (internal only, customer, third parties, public)

Implement Technical Enforcement:

Data Loss Prevention (DLP): Tools scan for classified data; prevent exfiltration
Encryption: Automatically encrypt Confidential/Restricted data at rest and transit
Access Controls: Grant access based on classification; audit access
Watermarking: Mark documents as classified (in footers, headers)
Monitoring: Alert on suspicious access or movement of restricted data

Maintain Classification:

Training: All employees understand classification; receive training annually
Audits: Periodic audit of classification accuracy; verify enforcement
Evolution: Update classification as business/threat landscape changes
Exceptions: Document and justify any exceptions to handling requirements
Reporting: Metrics on classified data volume, trends, enforcement

Anti-Patterns

Over-classifying (everything is "Confidential"); wastes resources; dilutes urgency

Under-classifying (sensitive data is "Internal"); leaves critical data under-protected

Classification without enforcement; if not enforced, classification is useless

No training; employees don't understand classification; mishandle data

Classification never changes; business evolves; classification must evolve

data-classification

data-classification

Data Classification

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Data Classification

Context

Domain Context

Instructions

Anti-Patterns

Further Reading