
Information Security Management ResourceKit

A Public Service of SecureTheVillage


Security Classifications

Information Owners determine the sensitivity of the information they “own.” In doing so, they follow a “standard” language that helps ensure that everyone will know how to protect the information they use in performing their professional duties.

Many organizations classify information into three categories:

  • Public Information
  • Internal Use Only Information
  • Restricted Information

Public Information

This information has been specifically designated by its Owner as intended for Public release. Unauthorized disclosure of this information is not expected to cause problems for the organization or its community. There are no restrictions on access to or dissemination of Public information.

Examples of Public information: websites, newsletters, brochures, and marketing materials.

Internal Use Only Information

This information is intended for use within an organization, and in some cases within affiliated organizations, such as customers or vendors. There is no need or reason to disclose this information to those outside the organization, although the damage from such disclosure is likely minimal.

Examples of Internal Use Only information: the Employee Manual, forms and templates, training materials, organizational policies, and personnel phone extension lists.

All Users are authorized access to Internal Use Only information.

Restricted Information

This information is private or otherwise sensitive in nature and is to be restricted to those with a legitimate need for access, a need-to-know. Unauthorized disclosure of this information to people without an explicit need for access may be against laws and regulations, may cause significant problems for the organization, or may even cause grave damage to the organization.

Examples of Restricted Information: Client and staff personally identifiable information (PII), electronic protected health information (ePHI), client credit card numbers, client personal information, staff social security numbers, staff bank account numbers, staff salary data.

Access to Restricted information is limited to personnel or others, including vendors, whose tasks require such access. The Information Owner determines specific access privileges to Restricted information. Access to Restricted information is based on a strict need-to-know.

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.


Copyright © 2023 · SecureTheVillage