Data Classification policy - Risk management

Data classification is the process of organizing data into categories for its proper use and management. The purpose of data classification is to identify and protect information that is critical to the business. Data classification is a key element of risk management, as it helps businesses to identify and protect their most important assets.

Data Classification procedure

  • Data owners review each piece of data they are responsible for and determine its overall impact level, as follows:

  • If it matches any of the predefined types of restricted information listed in Appendix A, the data owner assigns it an overall impact level of “High”.

  • If it does not match any of the predefined types in Appendix A, the data owner should determine its information type and impact levels based on the guidance provided in Sections 5 and 6 of this document, and NIST 800-600 Volume 2. The highest of the three impact levels is the overall impact level.

  • If the information type and overall impact level still cannot be determined, the data owner must work with the data custodians to resolve the question.

  • The data owner assigns each piece of data a classification label based on the overall impact level:

  • Overall impact level    Classification label

    1. High    Restricted

    2. Moderate Confidential

    3. Low Public

  • The data owner records the classification label and overall impact level for each piece of data in the official data classification table, either in a database or on paper.

  • Data custodians apply appropriate security controls to protect each piece of data according to the classification label and overall impact level recorded in the official data classification table.

Data Classification Guideline

The table describes each type of information asset and details the impact of each of the three security objectives and specifies the impact levels and classification to be assigned to each type of asset.

Impact Level Determination

This table will help data owners determine the impact level for each piece of data by describing the security objectives you want to achieve and how failure to attain each objective would impact the organization.

assess the potential impact to the company of a loss of the confidentiality, integrity, or availability of a data asset that does not fall into any of the information types described in Section 5 and NIST 800-600 Volume 2.

Type of information

Types of Information that Must be Classified as “Restricted”

Authentication information

Authentication information is data used to prove the identity of an individual, system, or service. Examples include:

  • Passwords

  • Shared secrets

  • Cryptographic private keys

  • Hash tables

Electronic Protected Health Information (ePHI)

ePHI is defined as any protected health information (PHI) that is stored in or transmitted by electronic media. Electronic media includes computer hard drives as well as removable or transportable media, such as a magnetic tape or disk, optical disk, or digital memory card.

Transmission is the movement or exchange of information in electronic form.  Transmission media includes the internet, an extranet, leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media.

Payment Card Information (PCI)

Payment card information is defined as a credit card number in combination with one or more of the following data elements:

  • Cardholder name

  • Service code

  • Expiration date

  • CVC2, CVV2, or CID value

  • PIN or PIN block

  • Contents of a credit card’s magnetic stripe

Personally Identifiable Information (PII)

PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

  • Social security number

  • State-issued driver’s license number

  • State-issued identification card number

  • Financial account number in combination with a security code, access code, or password that would permit access to the account

  • Medical and/or health insurance information

We classify data into 3 categories based on its sensitivity.

  1. High sensitivity data - SSN, DOB, and details of credit file (We encrypt at field level for DB columns, and Files are encrypted using hardware security modules (HSMs)); all access is extensively logged and audited.

  2. Medium sensitivity data - Wage Information, Personal information (Name, Email, Address, etc) is also encrypted in transit and at rest.

  3. Logs and metadata - Audit-related information is stored in perpetuity and other logs are stored temporarily (deleted in 7 days). All logs are stored encrypted.