Data sensitivity classification

Objective • To classify data as to "sensitivity," in order to assure appropriate security measures throughout the lifecycle of organizational information and information processing facilities.

Applicability • Data sensitivity classification should occur for all significant information collections of the organization, and for the information processing facilities used to access, store or transmit that information.

Sensitivity criteria • Sensitivity classification should be based on confidentiality, integrity and availability dimensions of the data relevant to all stakeholders.  This could include consideration of:

  • external legal-regulatory-certificatory and contractual requirements for information;
  • operational and other internal information requirements of the organization;
  • likely human and non-human threats to this information and any information processing facilities used to access, store or transmit it;
  • countermeasures in place to meet these threats;
  • vulnerabilities that remain despite countermeasures; and
  • any other risks or benefits considered relevant by the organization.

Sensitivity classification level • Data should normally be assigned a sensitivity classification level that reflects the most restrictive rating for which it qualifies on any confidentiality, integrity or availability criterion.  Exceptions to this rule should be noted and explained.  See Data sensitivity classification matrix below. 

Sensitivity classification responsibilities • Data owners/stewards should provide a data sensitivity classification assessment based on their understanding of the applicable criteria.  Data owners/stewards may request -- or the organization may require -- an independent assessment of data sensitivity classification. 

Sensitivity classification review • Data owners/stewards should review the accuracy and adequacy of data sensitivity classifications at appropriate intervals.  The organization may also require independent reviews.

Documentation and historical record • Documentation for data collections and systems should include current sensitivity classification and, where relevant, past sensitivity classifications and the reason(s) for changes. 
 

Data sensitivity classification matrix

Each criterion or control area below is followed by its Low, Moderate and High sensitivity ratings, in that order.

Externally-imposed requirements
  Low • None.
  Moderate • Contractual obligation to data subjects or to another organization for moderate data confidentiality, integrity or availability protections.
  High • Statutory, regulatory or private certificatory requirement for a high level of confidentiality, integrity or availability protections (e.g., AHCA, FDA, FERPA, GLBA, HIPAA, JCAHO, NIH, PCI); or contractual obligation to data subjects or another organization for a high level of data protections.  Some types of data within this category may require added protection levels reflecting "special status" (e.g., certain kinds of health data covered by HIPAA and state laws).

Internally-imposed requirements
  Low • None.
  Moderate • Organizational (internal policy) requirement for some data confidentiality, integrity or availability protections.  May be based on risks to:
    • continuity of operations
    • financial viability
    • reputation
  High • Organizational (internal policy) requirement for high data confidentiality, integrity or availability protections.  May be based on risks to:
    • continuity of operations
    • financial viability
    • reputation

Risks to operational continuity
  Low • Low or none.
  Moderate • Moderate.
  High • High.

Risks to financial viability
  Low • Low or none.
  Moderate • Moderate.
  High • High.

Risks to reputation and "good will"
  Low • Low or none.
  Moderate • Moderate.
  High • High.

Civil (tort) and criminal risks
  Low • Low or none.
  Moderate • Moderate.
  High • High.

Threat environment risk (capabilities and, if human, intentions of likely threats)
  Low • Low or none.
  Moderate • Moderate.
  High • High.

Intangible risks that fall outside of other categories
  Low • Low or none.
  Moderate • Moderate.
  High • High.

Data examples
  Low • Most "public" data of an organization:
    • most public web site content
    • information in the public domain
    • business contact (directory) information
    • blog and wiki postings
    • some organizational email (e.g., broadcast notices)
  Moderate • "Internal" data of an organization that is non-public:
    • some public web site content (particularly if high availability is required)
    • most email content
    • limited-distribution contact (directory) information
    • less-sensitive operational and financial data of the organization
    • Intranet
  High • Almost everything that is protected by statute or regulation:
    • identifiable clinical (health) data
    • identifiable research data
    • student transcripts
    • identifiable personal financial data (including credit card numbers, bank accounts)
    • more-sensitive operational and financial data of the organization
    • restricted-use identifiers (e.g., social security numbers)

Access security
  Low • No requirement.
  Moderate • Authentication and access controls required, but the set of permitted users may be large.
  High • Authentication required, possibly with a multi-factor process.  The set of permitted users is usually small.  Need-to-know (a.k.a. minimum necessary) access enforced by strong access controls.

Storage security
  Low • No requirement.  Backups or redundant storage recommended.
  Moderate • Backups or redundant storage required.
  High • Backups or redundant storage required.  Encrypted storage (and transfer to storage) recommended.  Encrypted storage is particularly appropriate for mobile devices (or non-mobile devices in less secure settings) holding "special status" data.

Transmission security
  Low • No requirement.
  Moderate • Transmission protections recommended, including use of encryption (e.g., SSL/HTTPS).
  High • Transmission protections required, including use of encryption for message confidentiality, integrity and non-repudiation.
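The classification rule stated earlier (assign the most restrictive rating on any criterion, note and explain exceptions, and keep a record of past classifications with the reasons for changes) together with the control rows of the matrix can be expressed as a small policy-as-code module. The following is an added example and not part of the original policy document: the criterion identifiers, the Classification and DataCollection record types, the function names and the condensed control wording are assumptions made here for illustration; the level names follow the matrix.

```python
# Policy-as-code sketch of the classification rule and matrix on this page.
# Added example, not the policy's own text: criterion identifiers, record types,
# function names and the condensed control wording are assumptions.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Ordered so that max() picks the most restrictive rating."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Criterion rows of the matrix (identifiers assumed; the page names them in prose).
CRITERIA = frozenset({
    "external_requirements", "internal_requirements", "operational_continuity",
    "financial_viability", "reputation", "civil_criminal", "threat_environment",
    "intangible",
})

# Control rows of the matrix, condensed per level.
CONTROLS: Dict[Level, Dict[str, str]] = {
    Level.LOW: {
        "access": "no requirement",
        "storage": "no requirement; backups or redundant storage recommended",
        "transmission": "no requirement",
    },
    Level.MODERATE: {
        "access": "authentication and access controls required; permitted users may be many",
        "storage": "backups or redundant storage required",
        "transmission": "protections recommended, including encryption (e.g., SSL/HTTPS)",
    },
    Level.HIGH: {
        "access": "authentication required, possibly multi-factor; need-to-know access enforced",
        "storage": "backups required; encrypted storage and transfer to storage recommended",
        "transmission": "protections required, including encryption for confidentiality, integrity and non-repudiation",
    },
}


@dataclass
class Classification:
    """One entry in a collection's classification record."""
    level: Level
    ratings: Dict[str, Level]
    assessed_on: str                        # ISO date of the assessment
    assessor: str                           # data owner/steward or independent assessor
    exception_reason: Optional[str] = None  # why the level departs from the computed maximum
    change_reason: Optional[str] = None     # why the level differs from the previous entry


@dataclass
class DataCollection:
    name: str
    history: List[Classification] = field(default_factory=list)

    @property
    def current(self) -> Optional[Classification]:
        return self.history[-1] if self.history else None


def most_restrictive(ratings: Dict[str, Level]) -> Level:
    """The 'Sensitivity classification level' rule: the highest rating on any criterion."""
    if not ratings:
        raise ValueError("at least one criterion must be rated")
    unknown = set(ratings) - CRITERIA
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return max(ratings.values())


def classify(collection: DataCollection, ratings: Dict[str, Level], assessor: str,
             assessed_on: str, override: Optional[Level] = None,
             exception_reason: Optional[str] = None,
             change_reason: Optional[str] = None) -> Classification:
    """Record a classification, enforcing the policy's documentation rules."""
    computed = most_restrictive(ratings)
    level = computed if override is None else override
    is_exception = level != computed
    if is_exception and not exception_reason:
        raise ValueError("an exception to the most-restrictive rule must be noted and explained")
    is_change = collection.current is not None and collection.current.level != level
    if is_change and not change_reason:
        raise ValueError("a change of classification must record its reason")
    entry = Classification(level, dict(ratings), assessed_on, assessor,
                           exception_reason if is_exception else None,
                           change_reason if is_change else None)
    collection.history.append(entry)
    return entry


def required_controls(collection: DataCollection) -> Dict[str, str]:
    """Control requirements from the matrix for the collection's current level."""
    if collection.current is None:
        raise ValueError(f"{collection.name} has not been classified")
    return CONTROLS[collection.current.level]
```

A steward classifying a transcript collection would call `classify(records, {"external_requirements": Level.HIGH, "reputation": Level.MODERATE}, "registrar", "2024-01-15")` and get a HIGH entry, after which `required_controls(records)` returns the High-column access, storage and transmission requirements. Using an IntEnum for the levels makes "most restrictive" a plain `max()`, and refusing to record an undocumented exception or an unexplained change is what turns the policy's "should be noted and explained" into something a reviewer can audit from the history list.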