Classification Decision Tree

The Classification Decision Tree is a guide to help individuals understand what classification level their Institutional Information or IT Resource fits into. This decision tree should be treated as a guide to help individuals and not the ultimate decision maker for classifying assets. When a classification level is suggested it is strongly recommended to review the controls associated with that classification level to make sure the controls best meet the need to properly protect the Institutional Information and/or IT Resource. You can always reach out to for questions and additional guidance.

Classification Decision Tree Instructions:

Step 1: Understand what type of Institutional Information and IT Resources you have.

Know what type of Institutional Information you have:

  • Identify who is the Institutional Information Proprietor  and ask about the classification level for the Institutional Information. The Proprietor is the data owner and has the final decision on the data's classification level.
  • Ask the Proprietor about any special data handling requirements (e.g., compliance and protection requirements, etc.).
  • Investigate and understand what harmful things someone can do with the Institutional Information. Understand what the data elements of the Institutional Information can be used for.
  • Know if this Institutional Information is the master source of record.

Know what type of IT Resource you have:

  • Explore what type of Institutional Information the IT Resource processes, transmits, and stores.  
  • Investigate and identify what other assets this IT Resource communicates with.
  • Identify the level of impact or harm if the IT Resource was ever falsely modified or if someone gained unauthorized accessed.
  • Understand what IT Resources are considered Critical Infrastructure
  • Identify the IT Resource owner and ask about any special security control requirements.

Step 2: Walk through the Classification Decision Tree

Additional Details and Examples

Step 3: Review the protection level the Classification Decision Tree suggests.

Review the Protection Level description and the required controls for the suggested protection level. Make sure the controls associated with the protection level best meets the need to properly protect the Institutional Information and/or IT Resources.