Classification Rubric

This is an initial set of guidelines to use when deciding on the classification of fields for API/SDK resources. The classification is used when generating audit events and will impact the content of the events.

Fields can be classified as secret, sensitive, or public. If a field is not classified, it is treated as secret. The classification is used by the filters/encrypt library along with a configurable filter operation. By default fields classified as secret will be redacted, fields classified as sensitive will be encrypted, and fields classified as public will be left un-modified. See the filters/encrypt package for more details.

• secret: This classification should be used for any field that contains information like tokens, keys, passwords.
• sensitive: This classification should be used for any field that contains information like personally identifiable information (PII), such as names of people, email addresses, etc.
• public: This classification should be use for any field that is not sensitive or secret.

Tag @jimlambrt and @jefferai in your PR if you are unsure about how to classify a field.