
Data Classification Policy

By Dan Hadaway | Monday, August 30, 2010 - Leave a Comment

Sorting your data . . . .



Data Classification is a Proactive Control.

“It’s not as much about what to protect as it is about what hoops to jump through to protect it.”  

Sound IT Governance eventually includes developing a Data Inventory, and one of the factors to consider in such an inventory is Data Classification.

In a typical organization, the Information Security Officer will facilitate a Data Classification Process with each Data Owner on a periodic basis (for example, annually for Critical data and every three years for Internal Use information). A Data Classification Process is a business decision process established to ensure that the appropriate security controls are assigned based on the value and sensitivity of the information.

Most of our Clients have adopted four classifications by which to gauge information value or sensitivity:

1. Critical

Business processes and information assigned to the “Critical” classification are generally essential to Name of Financial Institution’s business, or are proprietary and/or trade secrets.  This includes information protected by law (such as GLBA or HIPAA), as well as information that, if disclosed to unauthorized individuals, could reduce Name of Financial Institution’s competitive advantage or cause other damage to Name of Financial Institution.

Information classified as “Critical” would include, but is not limited to, the following:

  • Assembled Non-public Customer Financial Information such as account numbers, social security numbers, account balances, and other information that is considered to be personally identifiable financial information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • An entire customer database.
  • Assembled personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • An entire file of employee health insurance applications.
  • Access codes or passwords that protect information systems and physically secured resources.
  • Any assembled information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of several employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Trade secrets, operating plans, marketing plans, business strategies, proprietary methods, and product or system designs that would damage the institution if revealed.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Records containing personal information of several shareholders that include names, address, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Corporate litigation information “classified as Critical” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Critical” by members of Name of Financial Institution’s management team.


If any of these items can be found freely and openly in public records, Name of Financial Institution’s obligation to protect them from disclosure is waived.  However, issues surrounding potential liability regarding integrity and reputation still apply.

2. Confidential

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in harm to individuals causing monetary loss, criminal or civil liability, or significant damage to Name of Financial Institution’s reputation.  This information is of a private nature that an individual would not want disclosed to others.

Information classified as “Confidential” would include, but is not limited to, the following:

  • Individual Personally Identifiable Information (as opposed to assembled, which would be classified as Critical).
  • One form with nonpublic customer financial information on it for one individual.
  • The Personally Identifiable Financial Information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • Personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • One health insurance application with one person’s health history on it.
  • Individual instances as opposed to assembled information or aggregated information.
  • Records containing personal information of individual employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Financial information that is not subject to public record such as payroll accounting.
  • Records containing personal information of individual customers that include names, addresses, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Any information that could be used to facilitate “identity theft” on one person, such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of individual shareholders that include names, address, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Any written information that would be covered by the Genetic Information Nondiscrimination Act of 2008 (GINA) would be classified as confidential.
  • Floor plans, electrical wiring and powering diagrams.
  • Litigation papers not deemed “Critical” by a member of bank management.
  • Corporate litigation information “classified as Confidential” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Confidential” by members of Name of Financial Institution’s management team.

3. Internal Use

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in significant monetary loss, significant productivity loss or significant damage to Name of Financial Institution’s reputation.  The information is not to be shared with entities outside Name of Financial Institution unless it is authorized by management and in direct support of Name of Financial Institution’s business.

Internal Use information would include, but is not limited to, the following:

  • Internal operating procedures and internal business reports and memorandums.
  • Information that is subject to nondisclosure agreements with other organizations or individuals.
  • Name of Financial Institution’s internal phone directory.
  • Documented policies, standards, procedures and guidelines.
  • Aggregated Customer balance information, such as sum of all deposits for the day.
  • Reports listing just the customer names, but no other personally identifiable information.
  • Internal announcements and mailing distributions made by management.
  • Vendor information such as product and services pricing, specific quotes or contracts.
  • Floor plans, electrical wiring and powering diagrams.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.


4. Unrestricted/Public

Business processes and respective information used to support Name of Financial Institution’s business.  This is information that has been authorized to be made available to the public.  Although this information can be published to the general public, copyright must still be considered.  The integrity of this information is relevant as well.

Unrestricted/Public information would include, but is not limited to, the following:

  • Information generated for public consumption such as service bulletins, marketing information, advertisements, annual reports, etc.

The above information is copyrighted to infotex, but may be used freely if you are an infotex Client and have already signed a transfer of copyright agreement.



