Page 78 - CISSO_Prep_ Guide
Most organizations define several categories for information
classification, using terms such as business private, confidential,
and proprietary. It is essential to choose a suitable number of
levels. Too many, and users will struggle to tell one level from
another; too few, and information that needs different degrees of
protection is lumped into the same category.
Each classification level should have clear labeling and handling
procedures. Everyone who accesses information must know how to
handle it according to those policies and procedures, including
how it may be shared, how it must be stored (for example, locked
up), and how it must be destroyed (for example, shredded).
The information owner is responsible for ensuring that the
procedures are followed and that the information is protected on
all systems at all times. This means working with system owners
and departments to ensure that the data is protected wherever it
resides, including on another network or when it is shared with
business partners or outsourced service providers. The original
information owner remains accountable for the information when it
is shared with a service provider or another organization, unless
that party explicitly and legally (typically by contract) accepts
responsibility for it.
Over time, even protected information may be downgraded to a lower
classification or declassified altogether, so procedures should be
in place to review classification levels periodically. When
classified information is no longer needed, it must be destroyed
securely, for example by shredding paper or physically destroying
magnetic media.