Data Classification Policy


Sorting your data . . . .


Data Classification is a Proactive Control.

“It’s not as much about what to protect as it is about what hoops to jump through to protect it.”  

Sound IT Governance eventually includes developing a Data Inventory, and one of the factors to consider in such an inventory is Data Classification.

In a typical organization, the Information Security Officer will facilitate a Data Classification Process with each Data Owner on a periodic basis (for example, annually for Critical data and every three years for Internal Use information).  A Data Classification Process is a business decision process established to ensure the appropriate security controls are assigned based on information value and sensitivity.

Most of our Clients have adopted four classifications by which to gauge information value or sensitivity:

1. Critical

Business processes and information assigned to the “Critical” classification are generally essential to Name of Financial Institution’s business, proprietary and/or trade secrets.  This would include information protected by law (such as GLBA or HIPAA), as well as information that, if disclosed to unauthorized individuals, could reduce Name of Financial Institution’s competitive advantage or cause other damage to Name of Financial Institution.

Information classified as “Critical” would include, but is not limited to, the following:

  • Assembled Non-public Customer Financial Information such as account numbers, social security numbers, account balances, and other information that is considered to be personally identifiable financial information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • An entire customer database.
  • Assembled personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • An entire file of employee health insurance applications.
  • Access codes or passwords that protect information systems and physically secured resources.
  • Any assembled information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of several employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Trade secrets, operating plans, marketing plans, business strategies, proprietary methods and product or system designs that would damage the institution if revealed.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Records containing personal information of several shareholders that include names, addresses, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Corporate litigation information “classified as Critical” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Critical” by members of Name of Financial Institution’s management team.


If any of these items can be found freely and openly in public records, Name of Financial Institution’s obligation to protect them from disclosure is waived.  However, issues surrounding potential liability regarding integrity and reputation still apply.

2. Confidential

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in harm to individuals causing monetary loss, criminal or civil liability, or significant damage to Name of Financial Institution’s reputation.  This information is of a private nature that an individual would not want disclosed to others.

Information classified as “Confidential” would include, but is not limited to, the following:

  • Individual Personally Identifiable Information (as opposed to assembled, which would be classified as Critical).
  • One form with nonpublic customer financial information on it for one individual.
  • The Personally Identifiable Financial Information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • Personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • One health insurance application with one person’s health history on it.
  • Individual instances as opposed to assembled information or aggregated information.
  • Records containing personal information of individual employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Financial information that is not subject to public record such as payroll accounting.
  • Records containing personal information of individual customers that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, etc.
  • Any information that could be used to facilitate “identity theft” on one person, such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of individual shareholders that include names, addresses, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Any personal information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Any written information covered by the Genetic Information Nondiscrimination Act of 2008 (GINA).
  • Floor plans, electrical wiring and powering diagrams.
  • Litigation papers not deemed “Critical” by a member of bank management.
  • Corporate litigation information “classified as Confidential” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Confidential” by members of Name of Financial Institution’s management team.

3. Internal Use

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in significant monetary loss, significant productivity loss or significant damage to Name of Financial Institution’s reputation.  The information is not to be shared with entities outside Name of Financial Institution unless it is authorized by management and in direct support of Name of Financial Institution’s business.

Internal Use information would include, but is not limited to, the following:

  • Internal operating procedures and internal business reports and memorandums.
  • Information that is subject to nondisclosure agreements with other organizations or individuals.
  • Name of Financial Institution’s internal phone directory.
  • Documented policies, standards, procedures and guidelines.
  • Aggregated Customer balance information, such as sum of all deposits for the day.
  • Reports listing just the customer names, but no other personally identifiable information.
  • Internal announcements and mailing distributions made by management.
  • Vendor information such as product and services pricing, specific quotes or contracts.
  • Floor plans, electrical wiring and powering diagrams.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.


4. Unrestricted/Public

Business processes and respective information used to support Name of Financial Institution’s business.  This is information that has been authorized to be made available to the public.  Although this information can be published to the general public, copyrighting must be considered.  Integrity of this information is relevant as well.

Unrestricted/Public information would include, but is not limited to, the following:

  • Information generated for public consumption such as service bulletins, marketing information, advertisements, annual reports etc.

The above information is copyrighted to infotex, but may be used freely if you are an infotex Client and have already signed a transfer of copyright agreement.

