Security Classifications
Information Owners determine the sensitivity of the information they “own.” In doing so, they follow a “standard” language that helps ensure that everyone will know how to protect the information they use in performing their professional duties.
Many organizations classify information into three categories:
- Public Information
- Internal Use Only Information
- Restricted Information
Public Information
This information has been specifically designated by its Owner as intended for Public release. Unauthorized disclosure of this information is not expected to cause problems for the organization or its community. There are no restrictions on access to or dissemination of Public information.
Examples of Public information: websites, newsletters, brochures, and marketing materials.
Internal Use Only Information
This information is intended for use within an organization, and in some cases within affiliated organizations, such as customers or vendors. There is no need or reason to disclose this information to those outside the organization, although the damage from such disclosure is likely minimal.
Examples of Internal Use Only: The Employee Manual, forms and templates, training materials, organizational policies, and personnel phone extension lists.
All Users are authorized access to Internal Use Only information.
Restricted Information
This information is private or otherwise sensitive in nature and is to be restricted to those with a legitimate need for access, a need-to-know. Unauthorized disclosure of this information to people without an explicit need for access may be against laws and regulations, may cause significant problems for the organization, or may even cause grave damage to the organization.
Examples of Restricted Information: Client and staff personally identifiable information (PII), electronic protected health information (ePHI), client credit card numbers, client personal information, staff social security numbers, staff bank account numbers, staff salary data.
Access to Restricted information is limited to personnel or others, including vendors, whose tasks require such access. The Information Owner determines specific access privileges to Restricted information. Access to Restricted information is based on a strict need-to-know.
Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.