There are many types of data that need to be secured. In this video, you’ll learn about different data types, data classifications, and classifying sensitive data.
One of the most important assets that an organization owns is their data. But not all data is the same. And in this video, we’ll step through how the management of data can change depending on who has the data and what you’re doing with the data. Some of the data that is stored by an organization may be regulated data. This means that a third party sets the rules on how that data should be protected. For example, if your organization stores credit card information, that credit card data is stored in a way that complies with the Payment Card Industry Standards.
You also need to be concerned about government laws and regulations, which may dictate how data can be stored and for how long. Another important type of data to secure are the trade secrets owned by your organization. Every organization has their own set of secrets and processes that are known only to the organization. Many organizations would love to get their hands on these trade secrets, so it’s important that we have the proper security for this type of data.
And intellectual property is a type of data that often other people are able to see. But we protect that data in different ways. For example, it’s very common to protect intellectual property using copyrights and trademark law. Legal information has its own challenges with being able to provide information that should be public but protect information that needs to be private. In many parts of the world, legal records are public information. You can view the court records, the judge and attorney information, and other details.
But of course, aspects of those legal proceedings may contain private information. So anything that could be considered personally identifiable information and other sensitive details may be stored in a different format. And in many cases, all of this data is stored in different systems, some that are specific to the court itself and others that might be available to the public.
And of course, financial details would qualify as sensitive information. Certainly, the internal, financial details for a company should be kept private. But of course, your own financial details, bank account information, and other payments that you’re making are also a type of sensitive data that should not be shared with others.
Some data types are very easy for a human to understand. We can read through a document or look at a spreadsheet, and it’s very obvious what we’re looking at on the screen. But other data types may be non-human readable. This could be something like encoded data. Maybe it’s a barcode or some other type of image that contains details in a form that a human can’t easily recognize.
And some of those formats are a combination of human readable and non-human readable. We might have a barcode, which obviously is difficult to interpret for a human. But we might include the numbers at the bottom of the barcode so that humans can read this along with the computers.
As you can already tell, different types of data may have different levels of sensitivity, and we might want to classify them in different ways. For example, in many states, license tag numbers can be easily referenced, and you can find out information about the owner of that license tag. But information about your medical history should never be accessible to others. And so we might set different sensitivity levels on those two types of data.
So we might want to add specific permissions that would only allow certain individuals to gain access to that data. Or perhaps there’s a different process to view the data depending on how sensitive the data might be. And for very sensitive data, we might create a restricted area of the network where only specific individuals might gain access to that data.
Any data that an organization owns or information that they’ve gathered and created into their own set of trade secrets would be considered proprietary data. That means that it’s data that is only used by that particular organization. This is data that is unique to this organization and would not commonly be found outside the company.
There’s also data that we can classify as being personally identifiable information. These are details that could tie information back to an individual, things like a name, a date of birth, a mother’s maiden name, biometric information, address details, and anything else that might somehow point that data back to you.
And from a health care perspective, we have PHI. This is protected health information. These are health details that are specific to an individual. So any information regarding the status of your health, details from your health care records, or even the payments that you’re using for health care would all be qualified as PHI.
Based on very broad categories of data, we should be able to create different classifications and, therefore, different levels of access into this type of data. For example, we might have a classification of sensitive data. This might include things that may be intellectual property, PII, or PHI. We could also have confidential data. This would be something that is more sensitive, and you would need additional access to be able to view it.
If you’re working with the government, you probably have seen public or unclassified data, which describes information that anyone should be able to view. If this data is a bit more sensitive, we might want to add an additional classification of private, classified, or restricted, which means you might need additional rights and permissions, or you may need to sign a non-disclosure agreement just to have access to the data. And anything that is classified as critical is data that should always be accessible. This means that we should create processes and procedures to maintain the uptime and availability to that data.