1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136

Receptionist: 305-243-6475
Hours: 830am - 500pm, M-F

Help Desk: 305-243-5999
Hours: 24/7

General fax: 305-243-6417
Admin. fax: 305-243-2622

Rust (1963). Electron micrograph of an oxide scale, sometimes called rust, on a single crystal of iron. Source: General Motors and National Museum of American History.

Related content

Data sensitivity classification

Objective • To classify data as to "sensitivity," in order to assure appropriate security measures throughout the lifecycle of organizational information and information processing facilities.

Applicability • Data sensitivity classification should occur for all significant information collections of the organization, and for the information processing facilities used to access, store or transmit that information.

Sensitivity criteria • Sensitivity classification should be based on confidentiality, integrity and availability dimensions of the data relevant to all stakeholders. This could include consideration of:

external legal-regulatory-certificatory and contractual requirements for information;
operational and other internal information requirements of the organization;
likely human and non-human threats to this information and any information processing facilities used to access, store or transmit it;
countermeasures in place to meet these threats;
vulnerabilities that remain despite countermeasures; and
any other risks or benefits considered relevant by the organization.

Sensitivity classification level • Data should normally be assigned a sensitivity classification level that reflects the most restrictive rating for which it qualifies on any confidentiality, integrity or availability criterion. Exceptions to this rule should be noted and explained. See Data sensitivity classification matrix below.

Sensitivity classification responsibilities • Data owners/stewards should provide a data sensitivity classification assessment based on their understanding of the applicable criteria. Data owners/stewards may request -- or the organization may require -- an independent assessment of data sensitivity classification.

Sensitivity classification review • Data owners/stewards should review the accuracy and adequacy of data sensitivity classifications at appropriate intervals. The organization may also require independent reviews.

Documentation and historical record • Documentation for data collections and systems should include current sensitivity classification and, where relevant, past sensitivity classifications and the reason(s) for changes.

Data sensitivity classification matrix
	Low sensitivity rating	Moderate sensitivity rating	High sensitivity rating
Externally-imposed requirements	None.	Contractual obligation to data subjects or to another organization for moderate data confidentiality, integrity or availability protections.	Statutory, regulatory or private certificatory requirement for high level of confidentiality, integrity or availability protections (e.g., AHCA, FDA, FERPA, GLBA, HIPAA, JCAHO, NIH, PCI); or contractual obligation to data subjects or another organization for high-level of data protections. Some types of data within this category may require added protection levels reflecting "special status" (e.g. certain kinds of health data covered by HIPAA and state laws)
Internally-imposed requirements	None.	Organizational (internal policy) requirement for some data confidentiality, integrity or availability protections. May be based on risks to: continuity of operations financial viability reputation	Organizational (internal policy) requirement for high data confidentiality, integrity or availability protections. May be based on risks to: continuity of operations financial viability reputation
Risks to operational continuity	Low or none.	Moderate.	High.
Risks to financial viability	Low or none.	Moderate.	High.
Risks to reputation and "good will"	Low or none.	Moderate.	High.
Civil (tort) and criminal risks	Low or none.	Moderate.	High.
Threat environment risk (capabilities and, if human, intentions of likely threats)	Low or none.	Moderate.	High.
Intangible risks that fall outside of other categories	Low or none.	Moderate.	High.
Data examples	Most "public" data of an organization: most public web site content information in the public domain business contact (directory) information blog and wiki postings some organizational email (e.g., broadcast notices)	"Internal" data of an organization that is non-public: some public web site content (particularly if high availability is required) most email content limited-distribution contact (directory) information less-sensitive operational and financial data of the organization Intranet	Almost everything that is protected by statute or regulation: identifiable clinical (health) data identifiable research data student transcripts identifiable personal financial data (including credit card numbers, bank accounts) more-sensitive operational and financial data of the organization restricted-use identifiers (e.g., social security numbers)
Access security	No requirement.	Authentication and access controls required, but set of permitted users may be large.	Authentication required, possibly with multi-factor process. Set of permitted users is usually small. Need-to-know (a.k.a., minimum necessary) access enforced by strong access controls.
Storage security	No requirement. Backups or redundant storage recommended.	Backups or redundant storage required.	Backups or redundant storage required. Encrypted storage (and transfer to storage) recommended. Encrypted storage particularly appropriate for mobile devices (or non-mobile devices in less secure settings) for "special status" data.
Transmission security	No requirement.	Transmission protections recommended, including use of encryption (e.g., SSL/HTTPS).	Transmission protections required, including use of encryption for message confidentiality, integrity and non-repudiation.