Data classification

Given the importance of protecting data at all times and in all places, the most critical data management task is data classification. Ideally, data is classified immediately upon creation by the entity that creates the data. If this is not done, data needs to be reviewed and classified by others based on the organization's information governance guidelines. Information governance represents the policies and procedures for managing all data and should include the following:

  • Information classification: High-level descriptions of critical information categories. The goal is to define high-level categories to determine appropriate security controls.
  • Information management policies: Policies that define allowed activities for different data types.
  • Location and jurisdictional policies: Where data can be located geographically. Legal and regulatory restrictions drive this.
  • Authorizations: Define which employee/user types are allowed to use or access which types of information.
  • Ownership: The party ultimately responsible for the protection of information.
  • Custodianship: Who is responsible for managing the information, at the direction of the owner.

When classifying data, best practice suggests that the schema used should, at a minimum, address the following eight key areas:

  • Data type (format, structure)
  • Information context
  • Jurisdiction and other legal constraints
  • Data ownership
  • Trust levels and source of origin
  • Contractual obligations or business constraints
  • Value, sensitivity, and criticality of data to the organization
  • Obligation for retention and preservation

The classification categories should match the data controls used.
