About Us | Contact Us
View Cart

Data Classification Policy

By Dan Hadaway | Monday, August 30, 2010 - Leave a Comment

Sorting your data . . . .


ServIcons_ITAudit_01

Data Classification is a Proactive Control.

“It’s not as much about what to protect as it is about what hoops to jump through to protect it.”  

Sound IT Governance eventually includes developing a Data Inventory, and one of the factors to consider in such an inventory is Data Classification.  In a typical organization,

In a typical organization, the Information Security Officer will facilitate a Data Classification Process with each Data Owner on a periodic basis (like annually for Critical data, every three years for Internal Use information.)  A Data Classification Process is a business decision process established to ensure the appropriate security controls are assigned based on information values and sensitivity.

Most of our Clients have adopted four classifications by which to gauge information value or sensitivity:

1) Critical

Business processes and information assigned to the “Critical” classification are generally essential to Name of Financial Institution’s business, proprietary and/or trade secrets.  This would include information protected by law (such as GLBA or HIPAA), as well as information that, if disclosed to unauthorized individuals, could reduce Name of Financial Institution’s competitive advantage or cause other damage to Name of Financial Institution.

Information classified as “Critical” would include, but is not limited to, the following:

  • Assembled Non-public Customer Financial Information such as account numbers, social security numbers, account balances, and other information that is considered to be personally identifiable financial information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • An entire customer database.
  • Assembled personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • An entire file of employee health insurance applications.
  • Access codes or passwords that protect information systems and physically secured resources.
  • Any assembled information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of several employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Trade secrets, operating plans, marketing plans, business strategies, proprietary methods and product or system designs; that would damage the institution if revealed.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Records containing personal information of several shareholders that include names, address, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Corporate litigation information “classified as Critical” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Critical” by members of Name of Financial Institution’s management team.

 

If any of these items can be found freely and openly in public records,Name of Financial Institution’s obligation to protect from disclosure is waived.  However, issues surrounding potential liability regarding integrity and reputation still apply.

2. Confidential 

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in harm to individuals causing monetary loss, criminal or civil liability, or significant damage to Name of Financial Institution’s reputation.  This information is of a private nature that an individual would not want disclosed to others.

Information classified as “Confidential” would include, but is not limited to, the following:

  • Individual Personally Identifiable Information (as opposed to assembled, which would be classified as Critical).
  • One form with nonpublic customer financial information on it for one individual.
  • The Personally Identifiable Financial Information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • Personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • One health insurance application with one person’s health history on it.
  • Individual instances as opposed to assembled information or aggregated information.
  • Records containing personal information of individual employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Financial information that is not subject to public record such as payroll accounting.
  • Records containing personal information of individual customers that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, etc.
  • Any information that could be used to facilitate “identity theft” on one person, such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of individual shareholders that include names, address, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Any personal information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Individual Personally Identifiable Information (as opposed to assembled, which would be classified as Critical).
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Any written information that would be covered by the Genetic Information Nondiscrimination Act of 2008 (GINA) would be classified as confidential.
  • Floor plans, electrical wiring and powering diagrams.
  • Litigation papers not deemed “Critical” by a member of bank management.
  • Corporate litigation information “classified as Confidential” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Confidential” by members of Name of Financial Institution’s management team.

Internal Use

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in significant monetary loss, significant productivity loss or significant damage to Name of Financial Institution’s reputation.  The information is not to be shared with entities outside Name of Financial Institution unless it is authorized by management and in direct support of Name of Financial Institution’s business.

Internal Use information would include, but is not limited to, the following:

  • Internal operating procedures and internal business reports and memorandums.
  • Information that is subject to nondisclosure agreements with other organizations or individuals.
  • Name of Financial Institution’s internal phone directory.
  • Documented policies, standards, procedures and guidelines.
  • Aggregated Customer balance information, such as sum of all deposits for the day.
  • Reports listing just the customer names, but no other personally identifiable information.
  • Internal announcements and mailing distributions made by management.
  • Vendor information such as product and services pricing, specific quotes or contracts.
  • Floor plans, electrical wiring and powering diagrams.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.

 

Unrestricted/Public

Business processes and respective information used to support Name of Financial Institution’s business.  This is information that has been authorized to be made available to the public.  Although this information can be published to the general public, copyrighting must be considered.  Integrity of this information is relevant as well.

Unrestricted/Public information would include, but is not limited to, the following:

  • Information generated for public consumption such as service bulletins, marketing information, advertisements, annual reports etc.

The above information is copyrighted to infotex, but may be used freely if you are an infotex Client and have already signed a transfer of copyright agreement.


same_strip_012513


 

Latest News
    PRESS RELEASE – FOR IMMEDIATE RELEASE SERVICE NEWS Dateline: Dayton, IN, June 22, 2022 We are proud to announce that infotex will now be supporting Endpoint Detection and Response (XDR/MDR)! We can manage/monitor solutions you already have or offer one as part of our service while still maintaining a segregated response posture. In recent years […]
    Over 85 percent of surveyed companies report having no  centralized monitoring of networked industrial devices… An article review. If you are involved in IT within your organization, you’re probably aware of the importance of being able to monitor relevant activity from your networked devices, especially if your organization is involved in healthcare, finance, or government.  […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    We always strive to bring you the best content that we possibly can. Your opinion on any content, presentation, service, or anything else you have received from us is important! Please click the button below to let us know how we are doing!  
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]
    Threats are changing, EDR can help us adapt . . . Today’s advanced persistent threat (APT) understands that the IT landscape has changed. In the post-COVID age, more and more organizations have adopted some form of work from home.  While WFH offers many conveniences, it also imparts increased risks. BitSight conducted a 2021 study of […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]