Data sensitivity is a measurement of a confidentiality requirement for the data. The amount of damage that can be done by an unauthorized disclosure of the data will be used to determine the level of data sensitivity.
3. Data Sensitivity (Confidentiality Requirement)
This list is not inclusive but is intended to help the data evaluators classify their data. The data should be classified according to severity of damage if it becomes available to the public whan not intended or available to unauthorized users. The owners of the data must determine the level of data sensitivity. The severity of damage is one of:
- None - This information is already available to the public or availability to the public will cause no damage.
- Low - Information that is released to the public or unauthorized persons could cause minor embarrassment and/or damage and only require administrative action for correction.
- Medium - Information released to the public or unauthorized persons could cause significant embarrassment and/or damage in money, property, or personnel to the organization or require legal action.
- High - Affecting the organization seriously - Information released to the public or unauthorized persons could cause grave damage, loss of life, or major monetary damage.
When identifying loss consider ways the data could be misused when obtained without authorization. When identifying loss consider the possible ways parties that have authorization may misuse data. Consider the damage to the system or interested parties if unauthorized data modification is performed. Think about what a terrorist or criminal could do with the information.
Be careful not to confuse this catagory of data classification with how it is used or who has access to the data. Sometimes data gets categorized because people think if it is to only be used on the organization, that is one level of sensitivity. When someone thinks about seeing data posted in a location that it should not be in, and there is a reaction to the inappropriate posting, the actual reaction is not due to the fact that the posting is inappropriate, it is normally a reaction due to the amount of damage that could be done with the information.