About Us | Contact Us
View Cart

Data Classification Policy

By Dan Hadaway | Monday, August 30, 2010 - Leave a Comment

Sorting your data . . . .


ServIcons_ITAudit_01

Data Classification is a Proactive Control.

“It’s not as much about what to protect as it is about what hoops to jump through to protect it.”  

Sound IT Governance eventually includes developing a Data Inventory, and one of the factors to consider in such an inventory is Data Classification.  In a typical organization,

In a typical organization, the Information Security Officer will facilitate a Data Classification Process with each Data Owner on a periodic basis (like annually for Critical data, every three years for Internal Use information.)  A Data Classification Process is a business decision process established to ensure the appropriate security controls are assigned based on information values and sensitivity.

Most of our Clients have adopted four classifications by which to gauge information value or sensitivity:

1) Critical

Business processes and information assigned to the “Critical” classification are generally essential to Name of Financial Institution’s business, proprietary and/or trade secrets.  This would include information protected by law (such as GLBA or HIPAA), as well as information that, if disclosed to unauthorized individuals, could reduce Name of Financial Institution’s competitive advantage or cause other damage to Name of Financial Institution.

Information classified as “Critical” would include, but is not limited to, the following:

  • Assembled Non-public Customer Financial Information such as account numbers, social security numbers, account balances, and other information that is considered to be personally identifiable financial information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • An entire customer database.
  • Assembled personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • An entire file of employee health insurance applications.
  • Access codes or passwords that protect information systems and physically secured resources.
  • Any assembled information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of several employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Trade secrets, operating plans, marketing plans, business strategies, proprietary methods and product or system designs; that would damage the institution if revealed.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Records containing personal information of several shareholders that include names, address, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Corporate litigation information “classified as Critical” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Critical” by members of Name of Financial Institution’s management team.

 

If any of these items can be found freely and openly in public records,Name of Financial Institution’s obligation to protect from disclosure is waived.  However, issues surrounding potential liability regarding integrity and reputation still apply.

2. Confidential 

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in harm to individuals causing monetary loss, criminal or civil liability, or significant damage to Name of Financial Institution’s reputation.  This information is of a private nature that an individual would not want disclosed to others.

Information classified as “Confidential” would include, but is not limited to, the following:

  • Individual Personally Identifiable Information (as opposed to assembled, which would be classified as Critical).
  • One form with nonpublic customer financial information on it for one individual.
  • The Personally Identifiable Financial Information protected by federal law as outlined in Title V of the Gramm-Leach-Bliley Act, also known as GLBA.
  • Personally identifiable healthcare information protected by the federal law under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA.
  • One health insurance application with one person’s health history on it.
  • Individual instances as opposed to assembled information or aggregated information.
  • Records containing personal information of individual employees that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, salaries, etc.
  • Financial information that is not subject to public record such as payroll accounting.
  • Records containing personal information of individual customers that include names, addresses, phone numbers, marital status, performance appraisal ratings, date-of-birth, social security numbers, number of dependents, etc.
  • Any information that could be used to facilitate “identity theft” on one person, such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Records containing personal information of individual shareholders that include names, address, phone numbers, marital status, date-of-birth, social security numbers, number of dependents, etc.
  • Any personal information that could be used to facilitate “identity theft” such as credit card numbers, account numbers, driver license numbers, insurance records, etc.
  • Individual Personally Identifiable Information (as opposed to assembled, which would be classified as Critical).
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.
  • Any written information that would be covered by the Genetic Information Nondiscrimination Act of 2008 (GINA) would be classified as confidential.
  • Floor plans, electrical wiring and powering diagrams.
  • Litigation papers not deemed “Critical” by a member of bank management.
  • Corporate litigation information “classified as Confidential” by any member of Name of Financial Institution’s management team.
  • Any information “labeled” as “Confidential” by members of Name of Financial Institution’s management team.

Internal Use

Business processes and respective information that, if lost, disclosed, misused, or modified by unauthorized persons, might result in significant monetary loss, significant productivity loss or significant damage to Name of Financial Institution’s reputation.  The information is not to be shared with entities outside Name of Financial Institution unless it is authorized by management and in direct support of Name of Financial Institution’s business.

Internal Use information would include, but is not limited to, the following:

  • Internal operating procedures and internal business reports and memorandums.
  • Information that is subject to nondisclosure agreements with other organizations or individuals.
  • Name of Financial Institution’s internal phone directory.
  • Documented policies, standards, procedures and guidelines.
  • Aggregated Customer balance information, such as sum of all deposits for the day.
  • Reports listing just the customer names, but no other personally identifiable information.
  • Internal announcements and mailing distributions made by management.
  • Vendor information such as product and services pricing, specific quotes or contracts.
  • Floor plans, electrical wiring and powering diagrams.
  • Information and business processes needed to support key lines of business.
  • New technology research, descriptions of unique parts or materials, proprietary program software, etc.

 

Unrestricted/Public

Business processes and respective information used to support Name of Financial Institution’s business.  This is information that has been authorized to be made available to the public.  Although this information can be published to the general public, copyrighting must be considered.  Integrity of this information is relevant as well.

Unrestricted/Public information would include, but is not limited to, the following:

  • Information generated for public consumption such as service bulletins, marketing information, advertisements, annual reports etc.

The above information is copyrighted to infotex, but may be used freely if you are an infotex Client and have already signed a transfer of copyright agreement.


same_strip_012513


 

Latest News
    A Webinar Movie This presentation is intended for those who are planning to participate in an infotex incident response test. Please let us know what questions you have, when we have our Plan Walkthrough and Test Plan Approval meeting!
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    With nearly three in four people using third-party payment services tied to their bank accounts, the risk isn’t limited to your own policies and procedures… An article review. When working on cybersecurity awareness messages for your customers you may be inclined to focus on your own systems, but a new study on security in digital […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX infotex is excited to announce that Cody Smith has joined the team as the newest Data Security Analyst. Cody holds several industry certifications (including the most recent: SSCP) as well as a B.S in Cyber Security & Information Assurance from Western Governors University. […]
    It’s all about protecting Customer information . . . In 1999 the Gramm-Leach-Bliley Act (GLBA) directed the Federal Deposit Insurance Corporation (FDIC) and other federal banking agencies to ensure that financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information.  The FDIC and other federal banking agencies […]
    A Ghoulish Gallery! Just a few scary-themed Awareness posters from our collection, which you can see at posters.infotex.com! Below you will find both the vertical and horizontal versions of each of the posters, all you need to do is “right-click > “Save link as…” to download! Vertical 8.5″ x 11″ Format   Horizontal 11″ x […]
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    With the potential to break all existing forms of encryption, quantum computing poses a unique challenge… An article review. While quantum computing has been a buzzword for some time now the technology remains largely theoretical, with small scale proofs-of-concept that still suffer from serious limitations.  That hasn’t stopped security researchers from worrying about the technology’s […]