Occam’s Razor meets Data Classification

Occam’s razor states, “All things being equal, the simplest solution tends to be the best one.” When this is applied to data classification, making everything private and confidential sounds like the best option. The best policy I’ve seen says that all bank information (customer information, policies, procedures, contact lists, employee numbers, network diagrams, etc.) is not to be shared with anyone. This saves the bank time and resources: instead of trying to define what can be shared within the bank or with outside parties, it simply says that everything is private and confidential to the bank. More importantly, it prevents people with malicious intent from getting information that could be useful to socially engineer or hack into bank systems. Some banks would be surprised to see how much damage a social engineer could do with just an employee contact list, like calling around until he can finagle a password out of an employee.

Some other data classification policies rank information as Top Secret, Confidential, Proprietary, Internal Use, or Public, and then have to take time to classify every document and decide who can access it. This takes a lot of effort, because every new document that comes into the bank must be identified and classified. Why not just control access to these documents with internal controls and say that it all has the same classification? This way your customers’ privacy is protected, you have a low-maintenance data classification policy, and you have saved resources.

Some banks are already saying that all bank information is private, but do yourself a favor and make your examiners happy by putting it on paper, then don’t let anyone outside the bank see it.