In this topic we’ll provide information about Sensitive Data, and cover the following topics:
- What is Classified As Sensitive Personal Data?
- Types of Sensitive Data
- Is Proprietary Data Sensitive Information?
- Where Should Sensitive Data Be Stored?
- Monitoring Sensitive Data
Sensitive data is any confidential data stored or processed by an organization. Data sensitivity may be internal or external:
- Internally sensitive information is information that is restricted within organizational units. For example, employee salaries are sensitive, and only certain employees within the organization can access salary information (and even fewer employees are exposed to the entirety of salary information).
- Externally sensitive information is information that is restricted to within the organization. For example, perhaps an entire company is aware of deals in motion, but the information cannot be shared with external entities.
What is Classified As Sensitive Personal Data?
Sensitive personal data can be defined in several ways based on different regulations and locations but is generally any data about a certain person that is deemed private information.
For example, in GDPR, data is considered sensitive personal data when it includes :
- Racial or ethnic origins
- Political opinions
- Religious or philosophical beliefs
- Trade union memberships
- Genetic data
- Biometric data
- Healthcare data
- Gender identity or sexual orientation information
Types of Sensitive Data
Sensitive data can be divided into three main categories:
Sensitive business data
Any non-public and non-routine data within a company. It is debatable whether the data sensitivity depends on the damage created if exposed.
- Financial information such as revenue and costs.
- Product plans
- List of customers
Any information which is restricted due to security reasons.
- Access codes to offices
- The CEO’s agenda (may contain security risks)
Any data that can be linked to individuals and is not publicly accessible.
- SSN (Social Security number)
- Email address
- Phone number
- Mac Address
- TaxId Number
- Driver License
- Birth Date
Of course, each regulation categorizes sensitive data differently and has varied definitions of each of these data types.
A practical approach is using such regulations and frameworks to define the types of sensitive data in the organization. For example, “HIPAA data” is any data considered sensitive by HIPAA (Health Insurance Portability and Accountability Act), and “PCI data” is any data considered sensitive by PCI DSS (Payment Card Industry Data Security Standard).
Note that certain data may fall under two or more classifications. For example, a credit card number is both PII data (as it can identify a person) and sensitive PCI data.
Is Proprietary Data Sensitive Information?
In most cases, proprietary data is considered sensitive business information. As described above, sensitive business information is non-public and non-routine which usually also applies to proprietary information.
Where Should Sensitive Data Be Stored?
In most cases, there is not a single solution to where sensitive data should be stored, but the following guidelines may help:
If the sensitive data is not required by the organization, it becomes a liability with no value and should, therefore, not be stored.
In other cases, it is extremely important to address the following questions :
- Do you have a retention policy for the data? Accumulated data may be categorized as having “not enough value and too much liability,” in which case you should either delete it, delete the sensitive parts, or keep only an aggregation of the data.
- Do you have a way to allow users (or companies) to delete stored data about them?
- Do you have a proper and up-to-date mapping of where each type of sensitive data is located?
- Do you have a proper and up-to-date mapping of which users, groups, and roles are accessing what data?
- Do you have proper access controls in place to allow data usage but also protect it and limit access to sensitive data?
This list can help you make great progress in effectively storing your sensitive data but is generic.
Monitoring Sensitive Data
Sensitive data is not a static object that remains in its place waiting to be discovered. Rather, in most cases, it is a moving target, with sensitive data being constantly inserted, transformed, and relocated. Therefore, it is important to:
- Keep your mapping of sensitive data up-to-date by continuously assessing data sensitivity, as opposed to performing single or infrequent assessments.
- Make access controls data type, as opposed to static location, dependent. Not just a specific set of locations to restrict by. For example, instead of restricting access to a “customers” table which contains email addresses, restrict access to all email addresses in the data store.