
Data Classification Policy

By Dan Hadaway | Monday, August 30, 2010 - Leave a Comment

Sorting your data . . . .



Data Classification is a Proactive Control.

“It’s not as much about what to protect as it is about what hoops to jump through to protect it.”  

Sound IT Governance eventually includes developing a Data Inventory, and one of the factors to consider in such an inventory is Data Classification.

In a typical organization, the Information Security Officer will facilitate a Data Classification Process with each Data Owner on a periodic basis (for example, annually for Critical data and every three years for Internal Use information).  A Data Classification Process is a business decision process established to ensure that appropriate security controls are assigned based on the value and sensitivity of the information.

Most of our Clients have adopted four classifications by which to gauge information value or sensitivity:

1. Critical

Business processes and information assigned to the “Critical” classification are generally essential to Name of Financial Institution’s business, or are proprietary and/or trade secrets.  This would include information protected by law (such as GLBA or HIPAA), as well as information that, if disclosed to unauthorized individuals, could reduce Name of Financial Institution’s competitive advantage or cause other damage to Name of Financial Institution.

Information classified as “Critical” would include, but is not limited to, the following:

  • Assembled Non-public Customer Financial Information such as account numbers, social security numbers, account balances, and other information that is considered to be personally identifiable financial information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • An entire customer database.
  • Assembled personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • An entire file of employee health insurance applications.
  • Access codes or passwords that protect information systems and physically secured resources.
  • Any assembled information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of several employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Trade secrets, operating plans, marketing plans, business strategies, proprietary methods and product or system designs that would damage the institution if revealed.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Records containing personal information of several shareholders that include names, addresses, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Corporate litigation information “classified as Critical” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Critical” by members of Name of Financial Institution’s management team.


If any of these items can be found freely and openly in public records, Name of Financial Institution’s obligation to protect them from disclosure is waived.  However, issues surrounding potential liability regarding integrity and reputation still apply.

2. Confidential

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in harm to individuals causing monetary loss, criminal or civil liability, or significant damage to Name of Financial Institution’s reputation.  This information is of a private nature that an individual would not want disclosed to others.

Information classified as “Confidential” would include, but is not limited to, the following:

  • Individual Personally Identifiable Information (as opposed to assembled, which would be classified as Critical).
  • One form with nonpublic customer financial information on it for one individual.
  • The Personally Identifiable Financial Information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • Personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • One health insurance application with one person’s health history on it.
  • Individual instances as opposed to assembled information or aggregated information.
  • Records containing personal information of individual employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Financial information that is not subject to public record such as payroll accounting.
  • Records containing personal information of individual customers that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, etc.
  • Any information that could be used to facilitate “identity theft” on one person, such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of individual shareholders that include names, addresses, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Any personal information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Any written information that would be covered by the Genetic Information Nondiscrimination Act of 2008 (GINA) would be classified as confidential.
  • Floor plans, electrical wiring and powering diagrams.
  • Litigation papers not deemed “Critical” by a member of bank management.
  • Corporate litigation information “classified as Confidential” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Confidential” by members of Name of Financial Institution’s management team.

3. Internal Use

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in significant monetary loss, significant productivity loss or significant damage to Name of Financial Institution’s reputation.  The information is not to be shared with entities outside Name of Financial Institution unless it is authorized by management and in direct support of Name of Financial Institution’s business.

Internal Use information would include, but is not limited to, the following:

  • Internal operating procedures and internal business reports and memorandums.
  • Information that is subject to nondisclosure agreements with other organizations or individuals.
  • Name of Financial Institution’s internal phone directory.
  • Documented policies, standards, procedures and guidelines.
  • Aggregated Customer balance information, such as sum of all deposits for the day.
  • Reports listing just the customer names, but no other personally identifiable information.
  • Internal announcements and mailing distributions made by management.
  • Vendor information such as product and services pricing, specific quotes or contracts.
  • Floor plans, electrical wiring and powering diagrams.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.


4. Unrestricted/Public

Business processes and respective information used to support Name of Financial Institution’s business.  This is information that has been authorized to be made available to the public.  Although this information can be published to the general public, copyrighting must be considered.  Integrity of this information is relevant as well.

Unrestricted/Public information would include, but is not limited to, the following:

  • Information generated for public consumption such as service bulletins, marketing information, advertisements, annual reports etc.

The above information is copyrighted to infotex, but may be used freely if you are an infotex Client and have already signed a transfer of copyright agreement.

