business strategies and development plans, business finances, employee records, and corporate board materials. Before establishing policies describing how these varied data types should be used and disclosed, it is best to classify them into high-level categories that provide a consistent framework when developing policies and procedures. Table 3 provides a sample classification schema, with examples of the types of documents that the classification comprises.

Table 3. Example of a Data Classification Schema

| Classification | Description | Examples |
| --- | --- | --- |
| Highly Sensitive Data | Data that could easily be used for financial fraud, or could cause significant reputational damage. | SSN, credit card number, mental health information, substance abuse information, sexually transmitted infections. |
| Sensitive Data | Regulated data, or data that could cause embarrassment to patients or organizations. | Health information, clinical research data, insurance information, human/employee data, board materials. |
| Internal Data | Data that are not considered sensitive, but should not be exposed publicly. | Policies and procedures, contracts, business plans, corporate strategy and business development plans, internal business communications. |
| Public Data | All data that have been sanitized and approved for distribution to the public with no restrictions on use. | Materials published on websites, presentations, and research publications. |

4.M.B Data Use Procedures
NIST FRAMEWORK REF: ID.GV-1
After data have been classified, procedures can be written that describe how to use these data based on their classification. Such procedures describe the processes of setting usage expectations and of labeling the information properly. These two functions are described further in the following paragraphs.
Usage and disclosure: Based on the classification type, data use should be limited appropriately and disclosed using specific methods. Consider the procedures in Table 4.