Classified data is data that has been tagged with information that identifies it by specific attributes that allow people and technologies to treat it in a specific way. So, what makes data sensitive and how can you determine how sensitive it is and when and how to classify it? Read on to find out.
Understanding What Makes Data Sensitive?
Sensitive Data is information which, if accessed by an adversary, would create liability. While this statement may seem self-evident, it is worth analyzing its components:
- Information of any type may become sensitive data. Personally identifiable information (PII) such as a Social Security number, protected health information (PHI), payment card industry (PCI) data, and other specifically regulated information are examples of common sensitive data. Intellectual property, trade secrets, and company financial records are also sensitive data. While they may not be governed by regulations, the fact that such data is highly valuable classifies it as sensitive.
- Determine if an unauthorized individual can cause limited, serious, or severe harm to individuals, assets or an organization’s day-to-day operations as a result of disclosing data?
- Does the disclosure of confidential data violate laws, executive orders, or agency regulations (i.e., HIPPA or Privacy laws)?
- Could the data be used to aid identity theft?
- How would unauthorized access, modification or destruction of the data impact individuals or organizations?
- Could the data be used to make a potentially life-threatening decision?
- Do others rely on the disclosed data to make a time-sensitive decision (i.e. sensing data for earthquakes, floods, etc.)?
- Adversaries are not just the proverbial bad guys wearing masks. They may be trusted insiders engaged in industrial espionage, hackers, or individuals defined by the company as “unauthorized” people, even if they’re innocent employees in good standing. An accidental data breach is not uncommon and can happen to any business from enterprises to government agencies by exposing confidential information over the internet.
There are many ways that a data breach can happen; weak passwords, stolen computer systems or mobile devices, logging into networks that capture login credentials and email phishing.
- Adversaries use a variety of methods to access sensitive data, but it doesn’t necessarily mean the data is taken; it may simply be viewed. For example, access methods may include social engineering, theft, hacking, or simple Internet searches for old, forgotten data. Adversaries often take advantage of under‐trained, over‐burdened, or well intentioned but not security minded employees.
- Liability takes many forms. Regulated data might carry legal fines for mishandling. Proprietary information in the wrong hands can devastate stock value. Breached client information can spawn lawsuits, tarnish your company’s reputation, and reduce goodwill. And mishandling of sensitive information can result in embarrassment for clients and loss of future revenue.
Tips to determine if data is classified as sensitive
How to classify sensitive data
When classifying sensitive data, it involves defining the actual type of data and its integrity with tables and tags. The protection level of sensitivity is based on the many levels of importance, and confidentiality. Classification levels range from Restricted, Private or Public. Public being the less sensitive and restricted being the most sensitive data and needing the highest security classification.
How is sensitive data breached?
Protect sensitive data liability