Data/information yet to be classified or does not need a classification as it does not include any sensitive data.

This is the second level of classification. If leaked it can still cause a significant damage to a nation or a corporation.

This is applied mainly to government and military data. If leaks, it can cause grave damage to an entire nation.

If leaked, it can still cause a certain level of damage to a nation or a corporation.

This type of data does not cause damage to a nation, but can affect people or entities. Health Information is a good example.

The general users who are using the systems. This is the weakest link. Therefore, they must be informed and taught about the data and protection specifically. They are responsible for complying with the policies, standards, procedures, etc. If they fail to meet the policies, they have to bear the consequences. The management must educate the users about penalties.

A custodian is a role responsible for delegated tasks. The person has to perform the hands-on duties such as backing up data, running recovery simulations, apply patches, and configuration.

This is usually the management who is responsible for the security of the data they own or manage. They have to classify the data, label the data, and determine the retention, backup, disposal

requirements. The owners do the management operations, not the technical part.

Is responsible for the assets that hold the data, the computer hardware, and related technologies. He has to properly maintain these systems to the standards (patching, updating, configuring, etc.)

The top-level hierarchy who have the ultimate responsibility to initiate, implement a proper security program, fund the program, and ensure the organization follows.