Data Classifications – SY0-601 CompTIA Security+ : 5.5

Data labels can assist with security and privacy. In this video, you’ll learn about data types, data classifications, and how to properly manage these labels.

We often talk about the sensitivity of data, but the reality is that different types of data have different levels of sensitivity. For example, let’s take the difference between a license tag number, and your private health care information. Your license tag number is a relatively sensitive piece of information, but it is something that is visible to everyone who’s driving by your car. Your health records though, are much more sensitive. They’re very private, and it’s something that other people should not normally have access to.

This means that if we have two applications, one that handles license tag renewal, and another one that handles health insurance, that we would be applying a completely different type of security to both of those applications. There would probably be a completely different set of permissions between those two applications, because it’s using such different data. There may also be a completely different process to view this different type of information.

The local government motor vehicle department can probably search through all of the license tag numbers, but they would not have access to all of your medical information. And in the case of medical records or financial information, there may be a completely different set of security controls associated with viewing that information. It may be on a separate network, we may have other firewalls, that data may be encrypted, and we may be applying a completely different set of security policies to your health care information than what we apply to your license tag number.

If you’re working with data that is proprietary, that means that information is private and is the property of an organization. This often includes trade secrets and other information that you would not want to get out to third parties or your competition. Proprietary data is often unique to an organization, and is not data that you would find somewhere else. Data that is stored as PII, is Personally Identifiable Information. This is any type of data that could be tied back to an individual or person.

This is information like your name, your address, your telephone number, biometric information, or anything else that can be associated with you. And if you work in health care, then you also work with PHI, which is Protected Health Information. These are health records associated with an individual, and they obviously have a very high level of privacy associated with them. So information about your health status, details of your health insurance, or anything associated with your health records, would be PHI.

We often put labels on data. These classifications can take many different forms, but here are some of the most popular. We can identify data as public data, or what you might call unclassified data, which means that anyone would have access to this information. If there’s data that is restricted, or should only be shown to certain individuals, then we may want to label this information differently. So we would label this data as private, classified, restricted, internal use only, or any other classification that shows that this data should remain private.

Perhaps the next tier above private or classified information, would be sensitive information. This might be intellectual property, or secrets of a company, it could be your personally identifiable information, such as your name or address, or your protected health care information. If there’s very sensitive information that you should only have access to view if you’ve been granted the correct permissions, we would classify that data as confidential. And we might add on classifications to data that describe it as something that is very important, this would be critical information and it might be specific to the processes we use inside of our organization, or this might be information that is publicly available.

When working with companies, you may find there are certain vertical markets that have a standard as to how data might be used. For example, a financial organization would have your personal financial details and perhaps financial details of other organizations. There might also be additional laws and regulations on how financial information can be used. The data collected by our government is often considered open data that anyone might have access to. This is not universally the case, but a large percentage of the data collected by the government is information that you would have access to. There might also be data that is shared between different areas of the government.

For example, there may be law enforcement at the state or local level that is able to share data with each other. But not all of the information collected by the government is something that is open and available. For example, the government might have personal financial information that we use when we’re starting a business, and much of that information may be protected by law. Your company might also collect data from your customers, so you might have their name, their address, and other information about the organization they work for. These may be very specific to a user, and might certainly be qualified as personally identifiable information. So in your particular geography there may be additional laws or regulations on how this customer data is handled.