Here are a number of classifications which may be useful.
Public DataThis includes information that is published to a website and is available to the general public. Examples are general product or company information. The main security drivers here are probably corporate governance rules and general good web security practices (OWASP Top 10). Confidentiality is not really an issue as you want people to see it. However, the integrity is important. Malicious users should not change it.
Public data is usually either purely static or database driven. For static html the main risk to be addressed is OWASP Top 10 - Security Misconfiguration (A6). For a database driven website, the main risks are the standard injection and validation issues OWASP Top 10 A1, A2 etc..
Personal DataIf your website processes names and addresses, then your application will need to comply with local Personal Data legislation. This is probably the most common type of classification. EU countries have implemented the European Data Directive (Directive 95/46/EC) into national legislation. The Information Commissioner's Office is responsible in the UK. In Ireland it is managed by the Data Protection Commissioner). Other EU countries will have corresponding bodies.
In the US state of Massachusetts the relevant law is "201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH" which is in force since March 2010.
You should become familiar with the relevant data protection legislation in your jurisdiction.
Payment CardsIf you "store, process or transmit" payment card information your application will need to comply with the Payment Card Industry - Data Security Standard (PCSI DSS ). Requirement 6 is the main one for web application security, although many of the requirements apply.
Intellectual PropertyFor intellectual property, the main security driver will be corporate governance rules and internal organisation standards.
SummaryThose are just some data classifications which you can use in determining what are the security requirements that your application needs to meet. There are many more depending on the sector that you are in.
Your company or organisation may have internal standards or policies that your application will need to comply with. In fact, this is the first item you should research. This applies especially to larger or multinational organisations.
To summarise, if you are starting out on a new web development project, one of the first things you should do is to classify the type of data that your application will be processing. The classification will help you identify the security requirements that your application will need to meet.
Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot