How to determine the sensitivity of information

Not all data is created equal — which is why it’s integral for organizations’ security teams to proactively identify, assess and classify sensitive data. Even if a piece of data is categorized as “sensitive,” the legal, reputational and financial consequences of a breach will not always look the same for two pieces of sensitive data. There are varying degrees of data sensitivity.

For example, unauthorized access to a person’s employment contract will probably not result in the same ramifications as unauthorized access to a person’s social security number. While both are considered sensitive data that must be protected, the aftermath of a breach or leak looks very different.

One of the foundations of determining the sensitivity level of data is to think about how the loss of the confidentiality, integrity, or availability of that information would impact your organization in the case of an unauthorized disclosure. Here, we walk you through the types of sensitive data you need to be aware of, important security objectives to consider when assessing data, and what to do once you’ve determined the data’s level of sensitivity.

Types of sensitive data to look out for

Sensitive data can be a number of things. One of the easiest ways to think about it, if you’re ever on the fence, is to think of personal data you would not want openly shared with just anyone. There are, of course, federal laws and regulations that set specific guidelines on what types of sensitive data must be protected, like:

  • Financial information – Credit card numbers, bank account information, and social security numbers.
  • Government information – Any document that is classified as secret or top-secret, restricted, or can be considered a breach of confidentiality.
  • Business information – Accounting data, trade secrets, financial statements or accounts, and any sensitive information in business plans.
  • Personal information – Addresses, medical history, driver’s license numbers, or phone numbers.

All of the data above is information most people would not want shared with others who don’t have approval, and it’s the responsibility of the organization that collected that data to protect it from unauthorized access.

Security objectives to help determine level of data sensitivity

The first step to creating any plan is determining goals and objectives. Regardless of the company or organization, most security teams share common goals when it comes to data security. Below, we’ve outlined the top three most common security objectives and how each can be used to determine the possible impact level of a potential data breach.

  1. Confidentiality: Preserve authorized restrictions on information access and disclosure, which includes protecting personal privacy and proprietary information.
  2. Integrity: Guard against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity.
  3. Availability: Ensure timely and reliable access to and use of information.

A violation of any of these objectives can result in limited (low), serious (moderate) or severe (high) adverse effects on an organization’s operations, assets or individuals. So, as the potential impact level moves from low to high, the classification of that data’s sensitivity level should increase accordingly.

The following table from the Federal Information Processing Standards (FIPS) publication 199, published by the National Institute of Standards and Technology (NIST), provides a framework for determining the impact that can be applied to the sensitivity of information.

Table 1 summarizes the potential impact definitions for each security objective: confidentiality, integrity, and availability.

Creating a data classification policy to determine data sensitivity impact level

Data classification is a fundamental step to protecting proprietary information. Since various pieces of data have varying levels of sensitivity, there are different levels of protection and unique procedures for remediation. If you play a key role in your company’s data security, having an understanding of the level of sensitivity required for each piece of data is a crucial piece of the data security puzzle.

As a general rule of thumb, there should be a minimum of four data classification levels.

  1. Public – What data is fine to share with the public? Anything that is not personal or sensitive, such as a person’s name. This means that there would be very little to no risk if this data were accessed. This type of information likely does not need to be encrypted or have major protection.
  2. Internal – This is data that is not meant for public disclosure but also has low security requirements. Some examples of internal data are a company’s sales playbook or organizational chart. While an organization wouldn’t want this data to leak and may suffer some short-term reputational embarrassment, unauthorized disclosure of this information wouldn’t result in severe non-compliance repercussions.
  3. Confidential – Access to this data would cause a moderate risk to the person or organization affected. The consequences are greater than short-term embarrassment and could have a negative impact on company operations or long-standing reputation.
  4. Restricted – This is the highest level of sensitive data that, if compromised, could put an organization at great financial, legal, regulatory and reputational risk. Some examples of this include customers’ Personally Identifiable Information (PII), Protected Health Information (PHI) and credit card numbers.
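The two ideas above, rating each security objective on the FIPS 199 low/moderate/high scale and then assigning one of the four classification tiers, can be tied together in a small script. The following Python is an added example, not Spirion’s tooling or code from the post. It assumes a NONE impact level for data with no meaningful impact (FIPS 199 itself only defines low, moderate and high), rolls the three ratings up with the FIPS 199 high-water-mark rule (take the highest), and maps NONE/LOW/MODERATE/HIGH onto Public/Internal/Confidential/Restricted, a mapping read off the tier descriptions above. The discovery step at the end flags the two Restricted identifiers the post names, SSN-shaped strings and Luhn-valid card-shaped strings, on a constructed sample record; the integrity and availability ratings it assigns are placeholders a real policy would set per record.

```python
"""Added example: from per-objective impact ratings to a data-classification tier."""
import re
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of losing a security objective, in FIPS 199 terms.
    NONE is this example's assumption for data with no meaningful impact
    (already-public information); FIPS 199 itself uses only LOW/MODERATE/HIGH."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The four classification tiers from the post, ordered by increasing sensitivity.
TIERS = ("Public", "Internal", "Confidential", "Restricted")


@dataclass(frozen=True)
class Assessment:
    """Impact rating for each of the three security objectives."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        # FIPS 199 rolls up per-objective ratings by taking the highest one.
        return max(self.confidentiality, self.integrity, self.availability)


def tier_for(assessment: Assessment) -> str:
    """Map the rolled-up impact level onto one of the four tiers.
    NONE->Public, LOW->Internal, MODERATE->Confidential, HIGH->Restricted is
    this example's assumption, read off the tier descriptions in the post."""
    return TIERS[assessment.high_water_mark()]


# --- Minimal discovery step: spot identifiers the post lists as Restricted. ---

_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or hyphens.
_CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_restricted_identifiers(text: str) -> list:
    """Return (kind, value) pairs for SSN-shaped and Luhn-valid card-shaped strings."""
    found = [("ssn", m.group()) for m in _SSN.finditer(text)]
    for m in _CARD.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(("card", m.group()))
    return found


def assess_text(text: str) -> Assessment:
    """Rate one text record. Confidentiality is HIGH when a Restricted identifier
    is present, otherwise LOW. Integrity and availability are fixed at LOW here
    as placeholders; a real policy sets them per record."""
    conf = Impact.HIGH if find_restricted_identifiers(text) else Impact.LOW
    return Assessment(conf, Impact.LOW, Impact.LOW)


if __name__ == "__main__":
    # Constructed sample record; the card number is the common 4111... test value.
    sample = "Card 4111 1111 1111 1111, SSN 123-45-6789, phone 555-0100"
    print(find_restricted_identifiers(sample))
    print(tier_for(assess_text(sample)))            # Restricted
    print(tier_for(assess_text("Org chart attached")))  # Internal
```

Because the high-water mark is a max, one HIGH rating is enough to push a record into Restricted even when the other two objectives are LOW; that is the behaviour the post describes when it says the classification should rise with the impact level. The phone number in the sample is neither SSN-shaped nor Luhn-valid, so it is not flagged.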

Many data security policies have been created and adapted across the business world to help protect organizations and consumers. Various companies and agencies have in-house security policies as well. Several industries must take extra precautions when identifying and classifying sensitive data, either because of the volume of sensitive data they process or because of industry-specific laws and regulations they must adhere to. For instance, organizations in the healthcare industry have specific legal acts and policies they must comply with, like HIPAA.

When it comes to managing your company’s data lifecycle and adhering to compliance laws and regulations, determining the level of sensitivity and classifying data is an integral step in the process. At Spirion, we are here to help protect and secure businesses’ and consumers’ sensitive data with data classification tools.

Contact us today to see how we can help your organization with data discovery and classification to start protecting data and minimizing the risk of a breach.

Want to keep digging?

Data classification is paramount. Regulations, like CCPA and GDPR, now require it. In this white paper, learn how data classification has moved from a nice-to-have to a necessity in data privacy management and why you should expect data protection software to have automated data classification capabilities.
