Restricted, Confidential & Public/Internal Data

  • Restricted
    • Information that, if disclosed to unauthorized individuals, could have a significant impact on the business's legal or regulatory obligations or on its financial status, customers or franchise.
      • This is the most sensitive level of information classification and the type of information that requires the highest degree of preventative controls. Restricted information is the type of data that, if released to an unauthorized person, could have a material impact on the corporation as a whole. Think of it as the kind of information you would never want to see on the front page of the Wall Street Journal. This includes consolidated financial data, major product and marketing plans, or merger and acquisition information before it is released to the public. This information needs to be controlled at all times by procedures such as strict physical possession (never let it out of your sight), lock & key (you and only you have the key) or encryption (use the strongest encryption available).
    • Passwords, PINs, private cryptographic keys, shared keys, dynamic or pre-expired passwords or public keys.
      • Passwords, on their own, merely represent data, usually meaningless information. However, passwords are the keys that permit access to meaningful information. As authentication tools, they are also critical to identifying who may have accessed or manipulated data on the system (non-repudiation). Passwords are only useful as long as they are a secret, preferably a secret known only to one individual. For these reasons, passwords must be subject to the highest levels of protection at all times, preferably with the use of strong encryption.
  • Confidential
    • Information about or belonging to customers, employees and businesses that the Corporation is obligated to protect.
    • Information that the business unit determines has the potential to provide a competitive advantage or have a significant impact on the business if disclosed to unauthorized individuals.
    • Confidential data is the most prevalent form of information in the company. It includes transactional records, customer data, business financial records or any other form of data that, if released to an unauthorized party, would cause damage to the business. Most internal computer systems and building facilities provide enough security for Confidential information that encryption is not required. However, if data is transmitted through or stored in a hostile environment (the Internet, a public place, etc.) where security cannot be assured, it should be encrypted.
  • Internal & Public information, such as public press releases or internal phone directories, should be controlled, but there is no requirement for extraordinary steps such as encryption or lock & key.
    • Internal Information is commonly shared within the business and is not intended for public distribution.
    • Public Information is freely available outside of the business or is intended for public use.

Once the inventory is complete, you can then move to the risk assessment phase.

©2009 ISRMC, LLC