NCSRC NIRMATA
AD-05 · Application & Product Security · 6% of OML score

Is sensitive or important data clearly identified as such?

Do you have a clear, documented way to mark which data in your business is sensitive or important—like customer financial info, employee records, or trade secrets? And do your employees know which data needs extra protection when they handle it?

⚡ Why This Matters to Your Business

Without labeling sensitive data, your team treats customer bank details the same as a public price list: it gets emailed carelessly, stored on unsecured phones, or left visible on screens. When a Delhi-based garment exporter's unlabeled customer payment data was accessed by a junior staffer who then lost their laptop, the company had no audit trail, faced customer lawsuits, and lost three major international buyers. A regulatory audit will also flag you as non-compliant with the DPDP Act if you cannot prove you identified and protected personal data. Breaches of unlabeled data also cost more to investigate, because you don't know what was actually stolen.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no system at all for marking data as sensitive. Employees don't know which files or databases need special care, and everything is treated the same.

Level 1
Initial

You've told employees verbally which data is sensitive, but there's no written list or marking system. It depends on who you ask and when.

Level 2
Developing

You have a written Data Classification Policy that divides data into categories (public, internal, confidential, restricted). Some folders and databases are labeled, but inconsistently.

Level 3
Defined

All data sources (files, databases, email folders) are clearly labeled with sensitivity tags. New data is automatically classified, and employees are trained annually on what each label means and how to handle it.

Level 4
Managed

Your system automatically identifies and tags sensitive data using keywords and patterns. Labels are enforced through access controls—highly sensitive data is only accessible to approved staff, and systems log who accesses it.

Level 5
Optimised

Your system continuously scans for unclassified sensitive data and re-classifies as business needs change. Sensitivity labels are integrated into your DLP tools, email, file storage, and databases. You track classification metrics and audit them quarterly.

🚀 How to Move Up — Practical Steps

| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Hold a 2-hour workshop with department heads (finance, HR, ops, sales) to list what data your company has and agree on what counts as sensitive (e.g., GST numbers, employee SSNs, customer card details, product costs). Write it down in simple language. | Owner or IT Manager | 1 day |
| 1 → 2 | Create a one-page Data Classification Policy defining three categories: Public (website info, published rates), Internal (staff directories, meeting notes), Confidential (customer lists, financial records, employee files). Circulate to all staff with examples. | Owner or Compliance Officer | 3-5 days |
| 2 → 3 | Physically label all file folders, databases, and shared drives with colored stickers or digital tags (e.g., [CONFIDENTIAL] in folder names). Create a simple file-naming standard: all confidential files start with [CONF]. Train all staff in a 30-minute session on the labels and what each means for how they handle the data. | IT Manager with Owner approval | 2-3 weeks |
| 3 → 4 | Set up automated classification: configure your email system to scan outgoing emails for keywords (e.g., customer name + account number) and warn before sending outside. Configure file storage (Google Drive, OneDrive, or NAS) to auto-tag files based on folder location. Create access control rules: confidential data folders only open to relevant staff, with audit logs. | IT Manager | 4-6 weeks |
| 4 → 5 | Deploy a Data Loss Prevention (DLP) tool that scans all data flows (email, USB, cloud uploads, print) and blocks or warns on sensitive data leaving the organization. Create a quarterly review cycle to re-classify data based on business changes and audit classification accuracy. | IT Manager with external consultant if needed | Ongoing (quarterly audits, continuous monitoring) |
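The steps above describe keyword-and-pattern tagging, a [CONF] file-naming standard and an outbound-email warning. The following is an added illustration, not code from the NIRMATA guide: a small classifier with assumed detectors for the data types the guide names (GST numbers, card details, an "account number" keyword), a check of the [CONF] naming rule, and the "warn before sending outside" rule; the regular expressions, keyword list and company domain are assumptions.

```python
import re

# Added example, not from the NIRMATA guide: keyword-and-pattern tagging as in
# Level 4 and the 3 -> 4 step. Detectors are assumptions for data the guide
# names (GST numbers, card details, "account number"); GSTIN layout: 2-digit
# state code, 10-char PAN, entity code, the letter Z, one check character.
GSTIN_RE = re.compile(r"\b\d{2}[A-Z]{5}\d{4}[A-Z][1-9A-Z]Z[0-9A-Z]\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")          # 14-19 digit runs
KEYWORDS = ("account number", "salary", "trade secret")    # constructed list

def luhn_ok(digits: str) -> bool:
    """Luhn check so random digit runs are not tagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_text(text: str):
    """Return (label, findings); label is Confidential if any detector fires."""
    findings = []
    if GSTIN_RE.search(text):
        findings.append("gstin")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())) and "card" not in findings:
            findings.append("card")
    low = text.lower()
    findings.extend(k for k in KEYWORDS if k in low)
    return ("Confidential" if findings else "Internal"), findings

def check_filename(name: str, label: str) -> bool:
    """2 -> 3 step's naming standard: confidential files start with [CONF]."""
    return label != "Confidential" or name.startswith("[CONF]")

def outbound_check(company_domain: str, recipients: list, body: str) -> dict:
    """3 -> 4 step: warn before confidential content goes to an external address."""
    label, findings = classify_text(body)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != company_domain.lower()]
    action = "warn" if label == "Confidential" and external else "allow"
    return {"action": action, "label": label, "findings": findings, "external": external}

if __name__ == "__main__":
    print(outbound_check("example.com", ["buyer@partner.example"],
                         "Invoice for GSTIN 27AAPFU0939F1ZV, card 4111 1111 1111 1111"))
```

The same `classify_text` can run over files in a shared drive to find unlabeled confidential data, which is the Level 5 "continuous scan" in miniature.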
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Written Data Classification Policy document with clear definitions of sensitivity levels (e.g., Public, Internal, Confidential, Restricted) and examples for each
  • Inventory or spreadsheet listing all data repositories (databases, file servers, email, cloud folders, laptops) and their assigned sensitivity label
  • Screenshots or documentation showing file/folder naming conventions or digital tags (e.g., folder names prefixed with [CONF], metadata tags in file properties)
  • Training record or sign-off sheet showing all staff have been trained on data classification and what to do with each sensitivity level
  • Access control documentation or screenshots showing that confidential data folders/databases restrict access to authorized users only, with a log of who has access
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your Data Classification Policy. How do you decide if data is sensitive?"
  • "Walk me through your file system. How would I know which folders contain sensitive data without opening them?"
  • "Give me an example of a recent sensitive data breach or near-miss. How did you identify it was sensitive data involved?"
  • "How do you ensure new data collected (e.g., a new customer list) gets classified correctly from day one?"
  • "If I asked a random employee what to do with a spreadsheet marked [CONFIDENTIAL], what would they tell me? Can you show me evidence they were trained?"
🛠 Tools That Work in India

| Purpose | Free Option | Paid Option |
|---|---|---|
| Data classification and DLP (prevent sensitive data from leaving the organization via email or USB) | Google Drive with sensitivity labels built-in (G Suite); Microsoft Purview built into Microsoft 365; open-source OpenDLP | Zscaler DLP (₹8–15 lakhs/year for SMEs); Forcepoint DLP (₹10–20 lakhs/year); Varonis Data Security Platform (₹12–25 lakhs/year) |
| Secure file storage with automatic classification and access control | Nextcloud (self-hosted, one-time setup cost ~₹20k); Google Drive with folder permissions | Microsoft OneDrive with sensitivity labels (included in Microsoft 365, ~₹3–5k per user/year); Tresorit (₹8–15k/year for small team) |
| Email encryption and sensitive data detection in outgoing mail | Gmail built-in confidential mode; self-hosted mail server with open-source filters (SpamAssassin) | Proofpoint Email Protection (₹5–10 lakhs/year); Mimecast (₹6–12 lakhs/year); Cisco Secure Email (₹8–15 lakhs/year) |
| Automated sensitive data discovery and scanning across all systems | Open-source tools like Apache NiFi or Splunk for log analysis; manual quarterly scans with scripts | Imperva Data Discovery & Classification (₹15–30 lakhs/year); Talend Data Quality (₹10–20 lakhs/year) |
| Create, share, and track training records on data classification policy | Google Forms for acknowledgment; simple spreadsheet to log training attendance | Coursera or LinkedIn Learning corporate packages (₹50k–2 lakhs/year for 10–50 staff); TalentLMS (₹5–10k/year) |
🛡 How This Makes You More Resilient

When data is clearly labeled, your team stops treating customer financial info like a grocery list: they handle it carefully, don't email it unnecessarily, and report suspicious access. This cuts the cost and severity of a breach because less sensitive data is exposed. You also recover faster from incidents because you know exactly what was at risk and can notify only the affected customers, reducing legal liability and reputation damage.
⚠️ Common Pitfalls in India

  • Creating a Data Classification Policy but not enforcing it—files remain unlabeled, and staff default to treating everything as public. Solution: Assign one person (even part-time) to audit and label data quarterly, and tie it to performance reviews.
  • Over-classifying everything as 'Confidential' out of fear, making the classification system useless—staff ignore labels because 99% of data is marked sensitive. Solution: Be strict and specific; only mark data sensitive if it truly needs protection (customer PII, financial records, trade secrets, employee SSNs).
  • Forgetting to label data on personal laptops, USB drives, and cloud personal accounts (e.g., personal Google Drive or WhatsApp for work). Solution: Include a clause in employee contracts requiring all work data to be stored on company systems, and conduct spot audits of employee devices quarterly.
  • Not updating classifications as business needs change—old customer data remains marked highly sensitive long after the customer relationship ends. Solution: Set a quarterly review schedule to de-classify data that no longer needs protection.
  • Assuming vendors and third-party contractors know your classification system—they store data however they want. Solution: Include data classification requirements in vendor contracts and audit vendor practices annually.
⚖️ Compliance References

| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (purpose limitation), Section 8 (storage limitation), Section 9 (processing by processor) – organizations must identify and protect personal data; Section 32 (security measures) requires classification of personal data |
| CERT-In 2022 | Guideline 3 (classification of critical information assets and data) – organizations must categorize and mark sensitive/critical data |
| ISO 27001:2022 | Clause A.5.2 (information classification); Annex A: A.5.2 (classify information based on sensitivity and criticality) |
| NIST CSF 2.0 | Govern Function: GV.DM-01 (Data Management Policy and Procedures), Protect Function: PR.DS-01 (Data Security – classification and handling) |

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security