Data and Information Inventory and Attributes

Description — The access control classification for this Data and Information type — who is authorized to view, create, modify, or delete instances of this type.

Benefit(s) — Provides a governance-level access control statement independent of any specific system’s permission model. Enables consistent access governance across all systems that hold copies of this type.

Source — Manual.

Examples — Public (unrestricted read), Internal (authenticated employees), Restricted (named roles only), Confidential (Owner-approved access list), Classified (need-to-know with formal approval)

Notes — Distinct from Sensitivity Classification, which describes what the data is. Access Classification describes who can see it.

Description — Whether instances of this Data and Information type must be encrypted at rest, in transit, or both.

Benefit(s) — Establishes a governance-level encryption mandate that applies across all systems, data stores, and integrations handling this type — preventing inconsistent encryption implementation across the technology portfolio.

Source — Manual.

Examples — At Rest and In Transit (PII, PHI, PCI types), In Transit Only (Internal operational data), Not Required (Public data)

Notes — Derive from Sensitivity Classification: PII, PHI, PCI, PFI types typically require encryption both at rest and in transit as a regulatory baseline.