Now that we have identified our assets, it is time to classify them so we can decide how to handle each of them properly.
Based on sensitivity
Classification based on sensitivity gives a good idea of how to treat the information and with whom it can be shared.
Note - information sensitivity is roughly the same for everybody, but keep in mind that the small differences are very subjective. One man's public information can be another one's confidential information.
Information that will cause no harm if it's disclosed to any party and that you willingly give away without hesitation. You would normally have shared it freely already, like the information on social media.
- Example information - name
- Can be shared with - anybody
- Example entity to share with - random person on the street
- Impact if it's leaked - none
Depending on the context and the person, a name is not necessarily public information.
Information that can cause some harm or discomfort if it's disclosed outside a limited set of parties.
- Example information - phone number, email address
- Can be shared with - limited amount of parties
- Example entity to share with - friends
- Impact if it's leaked - low to medium
If your email address is posted online in clear text, you can very soon start receiving large amounts of spam, because bots harvest addresses off the internet. It's not the end of the world, but it can be irritating.
Information that can cause moderate to major harm, discomfort or losses if disclosed.
- Example information - authentication credentials (passwords), credit card details
- Can be shared with - normally nobody, but in some cases with a party that needs to know in order to provide a service (a payment processor)
- Example entity to share with - bank ATM, online payment processor (needs to know your credit card details for you to be able to make an online purchase)
- Impact if it's leaked - high to critical
Having your credit card details fall into the wrong hands can lead to your account being emptied. Having the authentication credentials to your netbank compromised can mean a lot more harm than just an empty account - illegitimate loans, multiple emptied accounts and so on.
Such information should be handled with care, as it can be pretty painful to have it disclosed. You would probably want to avoid writing it in a Notepad file on your desktop (even though that makes it easier to copy and paste) and instead keep it in an encrypted database, like the one in a password manager.
Based on information type
Classification based on type gives a good idea of how information should be handled by third parties and what kind of requirements a data subject can have of them.
For example, regulations such as the EU GDPR empower the data subject (the one whose data is being processed) to have certain expectations of the data processor, such as:
- being able to delete the data subject's information or transfer it to another processor
- being informed about a data breach in which the data subject's information has been accessed by an unauthorized party
Personally identifiable information (PII) (the more common term in the US) or simply personal data (the more common term in the EU) is any information that could potentially identify a specific individual. It can sit anywhere on the sensitivity spectrum, from public to confidential.
- Example - name, address, phone number, IP address, social security number, etc
- Regulatory compliance - EU GDPR
- Data subject rights over the data - depending on where you live and where your data controller is physically located, different legislation may apply. In the case of the EU GDPR, the data subject has several rights, including but not limited to the examples below:
- to have their data deleted from the data controller
- to receive a copy of their data from the data controller at no cost
- to be notified in case there has been any unauthorized access to their data
Financial information consists of monetary facts about a person or organization that are used in billing, credit assessment, loan transactions and other financial activities.
- Example - credit card details, payslip, credit record etc
- Regulatory compliance - PCI-DSS
It is probably the most tangible type of information for most people, because it's linked to real and clear financial losses.
Protected health information (PHI) (the more common term in the US) is any information about one's health status, provision of health care, or payment for health care that is created or collected by a certain entity and can be linked to a specific individual.
- Example - billing information from your doctor, an email to your doctor's office about a medication or prescription you need, an appointment scheduling note with your doctor's office, an MRI scan, blood test results
- Regulatory compliance - HIPAA
This kind of information can be very valuable to marketing agencies, as it lets them target individuals based on their illness or condition. At the same time, it may be uncomfortable for an individual to have so many people know about his/her intimate health issues. Moreover, this information can be used against the data subject in cases of blackmail or even threats to their life.
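As an added illustration (not part of the original post or of the template it links to), here is a small Python model that combines the two classification dimensions above, sensitivity and information type, into the rows a classification sheet would hold, plus a check for whether a given disclosure is allowed. The level names, the audience levels, the handling text and the sample inventory are my own constructions; the type-to-regulation mapping follows the examples in the text.

```python
"""Toy asset-classification model combining the two dimensions in the text:
sensitivity (who may see it) and information type (which rules apply).
Hypothetical example code; level names, audience levels, handling text and the
sample inventory are constructed for illustration, not taken from a standard."""
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    # Ordered so that a higher value means a smaller permitted audience.
    PUBLIC = 0        # anybody, e.g. a name on social media
    PRIVATE = 1       # limited parties, e.g. phone number, e-mail address
    CONFIDENTIAL = 2  # need-to-know only, e.g. passwords, card details


# Trust level of an audience (constructed): 0 = stranger on the street,
# 1 = friend / limited party, 2 = a service that needs the data to operate.
AUDIENCE_LEVEL = {"stranger": 0, "friend": 1, "need_to_know_service": 2}

# Information type -> regulation that governs the processor (as in the text).
REGULATION_BY_TYPE = {"pii": "EU GDPR", "financial": "PCI-DSS", "health": "HIPAA"}

# Sensitivity -> minimum handling requirement (constructed guidance).
HANDLING = {
    Sensitivity.PUBLIC: "no special handling",
    Sensitivity.PRIVATE: "do not publish in clear text; share only with limited parties",
    Sensitivity.CONFIDENTIAL: "store encrypted (e.g. password manager); share only on need-to-know",
}


@dataclass
class Asset:
    name: str
    sensitivity: Sensitivity
    types: set[str] = field(default_factory=set)  # subset of REGULATION_BY_TYPE keys


def may_share(asset: Asset, audience: str, need_to_know: bool = False) -> bool:
    """Return True if the asset may be disclosed to the given audience.

    Confidential data is never shareable on audience level alone: the recipient
    must additionally have a need to know (the payment-processor case).
    """
    level = AUDIENCE_LEVEL[audience]
    if asset.sensitivity == Sensitivity.CONFIDENTIAL:
        return level >= 2 and need_to_know
    return level >= int(asset.sensitivity)


def applicable_regulations(asset: Asset) -> set[str]:
    """Regulations the data processor must comply with for this asset.

    Raises ValueError for an information type that has not been classified,
    so an unknown type is flagged rather than silently treated as unregulated.
    """
    unknown = asset.types - set(REGULATION_BY_TYPE)
    if unknown:
        raise ValueError(f"unclassified information type(s): {sorted(unknown)}")
    return {REGULATION_BY_TYPE[t] for t in asset.types}


def classify_inventory(assets: list[Asset]) -> list[dict]:
    """Build the rows a classification sheet would hold, one per asset."""
    return [
        {
            "asset": a.name,
            "sensitivity": a.sensitivity.name,
            "handling": HANDLING[a.sensitivity],
            "regulations": sorted(applicable_regulations(a)),
        }
        for a in assets
    ]


# Constructed sample inventory mirroring the examples in the text.
SAMPLE_INVENTORY = [
    Asset("name", Sensitivity.PUBLIC, {"pii"}),
    Asset("email address", Sensitivity.PRIVATE, {"pii"}),
    Asset("credit card details", Sensitivity.CONFIDENTIAL, {"financial", "pii"}),
    Asset("MRI scan", Sensitivity.CONFIDENTIAL, {"health", "pii"}),
]

if __name__ == "__main__":
    for row in classify_inventory(SAMPLE_INVENTORY):
        print(row)
    card = SAMPLE_INVENTORY[2]
    print(may_share(card, "friend"))                                   # False
    print(may_share(card, "need_to_know_service", need_to_know=True))  # True
```

The two dimensions deliberately stay separate: sensitivity decides who may see an asset, while type decides which rules the processor must follow, so the same asset (credit card details) is both confidential and subject to PCI-DSS and GDPR at once.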
Microsoft has an easy-to-grasp tool (Data classification wizard) that gives a graphical overview of example data and how it is usually classified.
Without the actual assets, the classification wouldn't make sense, which is why I created a simple Excel template where identified assets can also be classified.
- available on Google sheets format to use in Google Drive - access here
- in .ODS format to use with Office software - download here