Techniques are provided for a data security system that includes two mappings: a first mapping that maps a security policy to sensitive type and a second mapping that maps the sensitive type to one or more data sets. The sensitive type indicates a class of sensitive data. Example data sets include columns, tables, tablespaces, files, and directories in a file system. Because a security policy is not tightly coupled to a target data set, the security policy becomes data-agnostic, portable, and reusable. Also, a security policy may be objectless in that, at some point in time, the security policy is not associated with any data set. A security policy may also be multifunctional in that the security policy may include multiple security features or requirements. A security policy may also be exhaustive in that all necessary security requirements prescribed for a data set can be included in the security policy.