To keep this simple, you can begin by identifying any vendor with access to sensitive or confidential information. The first category is for your customer data, but from there, you could use these categories:
Sensitive Company Information: Employee information retained by the company which is privileged, regulated, proprietary data, or highly-sensitive financial information.
Confidential Company Information:
Information is restricted to the individuals, management, or administrators; unauthorized access could influence the company's operational/security effectiveness or cause material financial loss, provide a significant gain to a competitor, or cause a significant drop in customer confidence.
This category includes all data/documents that are sensitive or confidential, including company emails, employee compensation, or benefits. Network architecture, hardware/server configurations, or user IDs. Trade secrets, financial data, or other information could compromise the company, impact our earnings or reduce our competitiveness.
I hope that is helpful, but I would love to hear from other members.
Best,
Hilary