Examples - Classes of Information

Note that many of the information types listed below have multiple classification levels, depending on their use and sensitivity. Your information security program should be designed to accommodate flexibility in the level of controls used to protect information, and your employees should understand the need to continually re-evaluate whether the controls over a given piece of information are still appropriate.

Assessments & Audits - Compliance reports from internal or external audits or reviews: At a minimum these are Confidential. Some audit reports may be so innocuous or "clean" that it is arguable they should be Internal. However, you should set a minimum level of Confidential to ensure that sensitive audit reports are not unwittingly released to the general public. In some cases the reports should be treated as Restricted, based on the nature of the assessment and the impact it would have on the business if disclosed. For example, audits performed on individual businesses in the course of conducting the annual SOX 404 review may be Confidential, while the overall results of the review at the enterprise level may be Restricted until they are released to the public. In another example, a report may conclude that the business is in violation of a law, especially one that carries criminal penalties. These types of reports should have a very narrow audience and the highest level of protection from disclosure.
Assessments - Internal compliance assessment documentation: These are typically Confidential, since they rarely have an impact on the enterprise as a whole.
Budget and Financial Statements: At the business unit level this data is typically Internal, since it rarely contains information that could be used to divine marketing strategies, the success of the business' products or the overall financial performance of the corporation. However, as this information is consolidated and moves up the corporate hierarchy, the requirements for confidentiality become more important. The financial statements for major businesses, product areas or regions are likely Confidential. By the time the information reaches the enterprise level it is likely Restricted, especially if this is a publicly traded company subject to governmental restrictions on the release of financial data before it is released to the public.
BCP Call Trees: Confidential (suggested). Call tree information, especially if it contains home phone numbers or other personal contact data, may present special challenges. While this information may need to be readily available in an emergency (hence you don't want to create a lot of complicated barriers to accessing it), it is also highly sensitive and may be subject to local laws and regulations prohibiting its disclosure (see Personally Identifiable Information). You could encrypt this data, but that poses the risk that the encryption key or password may not be available in an emergency.
Business Continuity Plans: Typically classified as Confidential. BCP plans contain very detailed descriptions of how the business operates, where sensitive materials are stored, contact numbers, system configuration details, etc.
Contracts: Most contracts are likely Confidential, since they contain pricing and other proprietary information. Some contracts may have an enterprise-level impact and should be treated as Restricted. Contracts may also contain non-disclosure provisions that require the business to keep the information Confidential.
Cryptographic Keys and Cryptographic Code: Restricted.
Customer Identification and Authentication Information: This is the information used by the business to confirm the identity of customers and, in some cases, employees (see Personally Identifiable Information). It includes such sensitive information as Social Security Numbers, date of birth, mother's maiden name, even the name of your pet. As authentication information, this data (in a perfect world) should be encrypted at all times. The problem is that it needs to be readily accessed by customer service employees, especially help desk personnel. In addition, many jurisdictions have laws prohibiting its unauthorized disclosure. Recommendation - treat customer ID information as a hybrid: when stored on the system, on backup tapes, etc., keep it encrypted, but give authorized support personnel the ability to access it in a controlled environment.
Customer PINs: As authentication data, PINs (Personal Identification Numbers) should be Restricted. The problem is that PINs were introduced primarily to accommodate situations where full alphanumeric keypads were not available, such as telephones or ATMs. In the case of telephones, it is technically difficult, if not impossible, to encrypt the PIN as it is transferred over the phone line. In addition, PINs are so commonly used that it is difficult to keep them secret. Recommendation - (1) encrypt PINs in storage at all times; (2) never let support personnel see customer PINs - if customer support needs to authenticate the customer, use some other source instead of the PIN, and if a PIN needs to be reset, create a process so that the customer is given a one-time-use PIN; (3) adopt a long-term strategy to move away from PINs (i.e. smart cards, alphanumeric passwords, dynamic password tokens, etc.). See Authentication in the Internet Banking Environment issued by the FFIEC.
Ethical Hack & Vulnerability Assessment Reports/Results: Reports that assess system and application vulnerabilities are typically treated as Confidential, since in the wrong hands they provide a road map for breaching the defenses. Conversely, the assessment data needs to be communicated to a large number of people (the crew that performs the assessment of the application or system, the technicians who can fix the problems noted in the report, the business that developed or manages the system, and the business that is responsible for the information on the system). Recommendation - if you cannot easily encrypt this data, place rigorous access controls on it and constantly remind everyone who has access to it that the information must be kept confidential at all times.
Passwords: Restricted. Passwords are the purest form of Restricted information: they must be kept secret in order to support reliable authentication of users, and so they must always be encrypted or obscured.
Personnel - Employee / contractor salary details: This data is clearly Confidential and may be subject to local legal and regulatory restrictions. It is also the number one target for employees who decide to attempt unauthorized access. Everyone wants to know the salaries of the people they work with and the people who manage them. Salary data is just too tempting - employees who would never think of defrauding the company are often unable to resist the temptation to break into salary records. Recommendation - create strong access controls around your salary data and install intrusion detection systems that monitor for unauthorized activity.
Personnel - Employee Performance Reports: Confidential.
Personnel - Job Descriptions, Organization Charts, and Organizational Announcements: Internal.
Personnel - Phone List (including home phone numbers): Confidential (suggested). The typical assumption is that home phone numbers are Public or Internal data, since they are available in phone books or on the Internet. However, some employees may not want to list their home number in the white pages but may be willing to entrust the number to their employer for BCP and emergency contact purposes. The same employee concern may apply to releasing personal email addresses or the phone numbers of family and relatives. There is also a growing trend for governments to apply the same rules for protecting consumer privacy to employees. While these factors are not clear enough to mandate treating personal contact information as Confidential, the prudent approach is to assume that employees (and potentially governments) expect a higher level of care for personal information and to treat such information as Confidential. Also see the comments above about Business Continuity Plans and BCP Call Trees.
Personnel - Phone Lists (internal business phones only): Internal.
Personnel - Resumes: Confidential.
Personnel - Time Sheets: Internal.
Policies and Standards: Internal.
Presentation and Marketing Documentation: This category presents so many possibilities that it is difficult to provide a single classification recommendation. The only recourse may be to leave it to the author to classify each document on a document-by-document basis.
Project Plans and Status Reports: Internal, unless the subject of the project is Confidential or higher.
Security Incident Documentation: Confidential, but may be Restricted based on the severity or sensitivity of the event.
Strategic Plans: Restricted.
System Development Documentation: This includes the documentation typically used in the system development lifecycle, such as business, technical and functional requirements, change control, and test plans. Typically this information is Internal. However, certain situations can create the need for a Confidential or Restricted rating, i.e. the design of a new product or marketing strategy, references to internal system configurations that could be used to gain unauthorized access, etc. Also be aware of the type of information that will be used in testing the system. Often, production data is used in the testing environment; if the production data is Confidential, then it requires the same level of controls in the testing environment.
Training Material: Training documentation is typically Internal. In rare cases, employees may need training on specific systems, products or marketing initiatives that contains enough specific data that would be harmful if released to the public, making the material Confidential.
Vendor - Purchase orders, invoices, etc.: Confidential. See Contracts.
Vendor - Request for Proposal: Internal.
Vendor - Internal Assessment Information (e.g. vendor financial data not obtained from the public domain, vendor business continuity plans): Confidential.

©2009 ISRMC, LLC