How to Determine the Sensitivity of Information
What is Sensitive Data Classification?
Sensitive data can be a number of things. The easiest way to think about it is to think of personal data you would not want to be shared with just anyone. There are several common pieces of sensitive data:
- Financial information – credit card numbers, bank account information, and social security numbers.
- Government information – any document that is classified as secret or top-secret, restricted, or can be considered a breach of confidentiality.
- Business information – accounting data, trade secrets, financial statements or accounts, and any sensitive information in business plans.
- Personal information – addresses, medical history, driver’s license numbers, or phone numbers.
Any of these pieces of data is something you would not be comfortable sharing with someone who should not have access. Unfortunately, a data breach can occur, leaving you feeling exposed and increasing the risk of identity theft. Businesses are continually evolving protection protocols and regulations to ensure data protection.
Data Discovery and Sensitive Data Classification Security Measures
One way to determine how sensitive a specific piece of data is, and therefore how it should be classified, is to think about how the loss of the confidentiality, integrity, or availability of that information or restricted data would impact your organization in the case of an unauthorized disclosure.
The following table is taken from the Federal Information Processing Standards (FIPS) publication 199 published by the National Institute of Standards and Technology (NIST). It provides a framework for determining the impact that can be applied to the sensitivity of information.
Sensitive Data Classification
Here are the three security objectives and how to determine the potential impact level (low, moderate, or high):

| Security objective | Low | Moderate | High |
| --- | --- | --- | --- |
| Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity: guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability: ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
(Source: National Institute of Standards and Technology “FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems”)
As the potential impact level moves from low to high, the sensitivity increases, and therefore, the classification level of data should become higher and more restrictive. If your classification schema ranges from public to top secret, for example, data with a low impact across the board might be classified as public, while data with a high impact in any one area might be considered top secret.
Once you’ve developed a framework for classifying data, you develop your business’s classification schema with additional business criteria and an understanding of your specific types of sensitive data.
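The categorization rule described above, worked through in code as an added example (this is not code from the article or from Spirion). It rates each information type against the three FIPS 199 objectives, takes the high-water mark across them, and maps that to the article's three-level schema; it also applies the FIPS 199 rule for a system that stores several information types, whose category is the per-objective maximum over everything it holds. The class and function names, the three-level label mapping, and the sample information types with their impact ratings are this example's own assumptions, not values from the article.

```python
"""FIPS 199-style security categorization mapped to a three-level schema.

Added example, not Spirion's code. Assumptions (mine, not the article's):
the names Impact, SecurityCategory, categorize_system and classify_label,
the label mapping in THREE_LEVEL_SCHEMA, and the constructed SAMPLE_TYPES.
FIPS 199 itself defines the low/moderate/high impact levels and the
high-water-mark rule for systems holding several information types.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact levels, ordered so that max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        # Sensitivity is driven by the worst case across the three objectives:
        # high in any one area makes the whole category high.
        return max(self.confidentiality, self.integrity, self.availability)

    def __str__(self) -> str:
        return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % (
            self.confidentiality.name, self.integrity.name, self.availability.name)


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """A system's category is the per-objective high-water mark over every
    information type it stores or processes (FIPS 199, system categorization)."""
    if not info_types:
        raise ValueError("a system with no information types cannot be categorized")
    cats = list(info_types.values())
    return SecurityCategory(
        confidentiality=max(c.confidentiality for c in cats),
        integrity=max(c.integrity for c in cats),
        availability=max(c.availability for c in cats),
    )


# The article's minimum of three levels, indexed by high-water mark.
# The mapping itself is an assumption of this example.
THREE_LEVEL_SCHEMA = {
    Impact.LOW: "public",
    Impact.MODERATE: "private and confidential",
    Impact.HIGH: "restricted",
}


def classify_label(sc: SecurityCategory, schema=THREE_LEVEL_SCHEMA) -> str:
    """Low across the board -> lowest label; high in any one objective -> highest."""
    return schema[sc.high_water_mark()]


# Constructed sample information types with illustrative ratings (not from the article).
SAMPLE_TYPES = {
    "published press releases": SecurityCategory(Impact.LOW, Impact.LOW, Impact.LOW),
    "customer mailing addresses": SecurityCategory(Impact.MODERATE, Impact.LOW, Impact.LOW),
    "payment card numbers": SecurityCategory(Impact.HIGH, Impact.MODERATE, Impact.MODERATE),
}


def report(info_types: dict[str, SecurityCategory] = SAMPLE_TYPES) -> dict[str, str]:
    """Label each information type, plus the system that holds all of them."""
    labels = {name: classify_label(sc) for name, sc in info_types.items()}
    labels["<system holding all of the above>"] = classify_label(categorize_system(info_types))
    return labels


if __name__ == "__main__":
    for name, sc in SAMPLE_TYPES.items():
        print(f"{name}: {sc} -> {classify_label(sc)}")
    system = categorize_system(SAMPLE_TYPES)
    print(f"system: {system} -> {classify_label(system)}")
```

Because the system inherits the maximum per objective, adding one high-impact information type to a store of otherwise public data lifts the whole store to the top level; that is the point of doing discovery before deciding controls.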
Protecting Data with a Data Classification Policy to Determine Impact Level
Data classification should be your first step in protecting proprietary information. Since different pieces of data have different levels of sensitivity, they need different levels of protection. As the person in charge of data security for a business or an organization, understanding the level of sensitivity, and therefore the protection required, is a crucial piece of the protection puzzle. As a general rule of thumb, there should be a minimum of three data classification levels:
- Public – what data is okay to share with the public? Anything that is not personal or sensitive, such as a person’s name. There would be very little or no risk if this data were accessed, so this type of information likely does not need to be encrypted or otherwise heavily protected.
- Restricted – this is the most sensitive data: if someone were to break into a database and access it, it would pose a risk to the person whose information it is. This includes anything that could lead to identity theft, such as credit card numbers or a social security number.
- Private and confidential – access to this data would pose a medium risk to the person affected. For example, this could include someone’s address: it lets someone know where a person lives, but gives them no further personal information about that person.
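A small discovery pass that assigns the three levels above to free-text records, as an added example (not code from the article or from Spirion). It looks for the data kinds the article names, card numbers and social security numbers (restricted) and phone numbers and street addresses (private and confidential), and labels a record by the most restrictive thing found, defaulting to public. The detectors, the regular expressions, the Luhn check used to discard digit strings that merely look like card numbers, the level assigned to each data kind, and the sample records are all this example's own constructions; real discovery tooling has to handle far more formats and file types than four patterns.

```python
"""Pattern-based sensitive data discovery mapped to a three-level schema.

Added example, not Spirion's code. Assumptions (mine): DETECTORS, the
regexes and level assignments in it, the Luhn pre-filter, and the constructed
SAMPLE_RECORDS. Patterns are deliberately simple US-centric illustrations.
"""
import re

# Order matters: later entries are more restrictive.
LEVELS = ("public", "private and confidential", "restricted")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; screens out most random 13-19 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(ssn: str) -> bool:
    """Reject area numbers the SSA never issues (000, 666, 900-999)."""
    area = ssn[:3]
    return area not in ("000", "666") and not area.startswith("9")


# (data kind, pattern, level, extra validation on the matched text)
DETECTORS = [
    ("credit card number",
     re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),
     "restricted",
     lambda s: luhn_ok(re.sub(r"\D", "", s))),
    ("social security number",
     re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
     "restricted",
     plausible_ssn),
    ("phone number",
     re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
     "private and confidential",
     lambda s: True),
    ("street address",
     re.compile(r"(?<!\d)\d{1,5} [A-Z][a-z]+(?: [A-Z][a-z]+)* "
                r"(?:Street|St|Avenue|Ave|Road|Rd|Lane|Ln)\b"),
     "private and confidential",
     lambda s: True),
]


def scan_record(text: str) -> dict:
    """Return every validated finding and the most restrictive level they imply."""
    findings = []
    for kind, pattern, level, validate in DETECTORS:
        for m in pattern.finditer(text):
            matched = m.group(0).strip()
            if validate(matched):
                findings.append((kind, matched, level))
    # A record with no findings stays public; otherwise the highest level wins.
    level = max((f[2] for f in findings), key=LEVELS.index, default="public")
    return {"level": level, "findings": findings}


# Constructed sample records (no real people, cards or numbers).
SAMPLE_RECORDS = [
    "Quarterly newsletter draft: Jane Doe will speak at the town hall.",
    "Jane Doe, 12 Main Street, call (555) 123-4567 to reschedule.",
    "Refund to card 4111 1111 1111 1111, SSN 123-45-6789 on file.",
    "Order #1234567890123 shipped.",   # 13 digits, fails Luhn -> not a card
]


def scan_records(records=SAMPLE_RECORDS) -> list:
    """Level assigned to each record, in order."""
    return [scan_record(r)["level"] for r in records]


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        result = scan_record(record)
        print(f"[{result['level']}] {record}")
        for kind, matched, level in result["findings"]:
            print(f"    {kind}: {matched} ({level})")
```

The Luhn pre-filter is what keeps the order number in the last record out of the restricted bucket; without a validation step a pattern-only scanner over-classifies, and the resulting noise is what makes people stop trusting the labels.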
Many data security policies have been created and adapted across the business world to help protect both the business and the consumer. Various companies and agencies have in-house security policies as well. Some of the most protected sensitive data is in the medical field, as medical organizations have many acts and policies to adhere to, such as HIPAA. One of the most common ways of protecting sensitive data is data encryption, which turns clear or plain text into something that cannot be read without the decryption key. No one should have to worry about their personal data being shared without their explicit consent.
At Spirion we are here to help protect and secure the business’ and consumer’s sensitive data. Contact us today to see how we can help your organization with data discovery and classification to start protecting data and minimizing the risk of a breach. Let us be a part of your security policy.