Data Classification Standard

From Atlanta OutWorlders Wiki
Jump to: navigation, search


The following document is an adaptation of UC Berkeley's Data Classification Standard. It is with their permission that these classifications are used as the framework for OutWorlders' own data classifications as long as the use is "exclusively for non-commercial purposes [and] attribution is provided to UC Berkeley."



Issue Date: April 10, 2018
Effective Date: [TBD/Draft Status]

Contact: Internet Coordinator, internet@outworlders.info

Purpose

This document is a framework for assessing data sensitivity, measured by the adverse impact a breach of the data would have upon the organization. This standard provides the foundation for establishing protection profile requirements for each class of data.

Contact Information

For assistance with this standard, contact internet@outworlders.info (link sends e-mail).

Scope

This document covers OutWorlders member data. OutWorlders member data is information prepared, managed, used, or retained by an operating unit or volunteer of OutWorlders' Inc. relating to the activities or operations of the Organization. OutWorlders member data does not include individually-owned data, which is defined as an individual’s personal information that is not related to Organizational business.

This classification does not cover evaluation of data availability requirements.

Data classification does not alter public information access requirements. The federal Freedom of Information Act requests and other legal obligations may require disclosure or release of information from any category.

Business Impact

Considerations for evaluating the potential adverse impact to the Organization due to loss of data confidentiality or integrity include:

  • Loss of critical organization operations
  • Negative financial impact (money lost, lost opportunities, the value of the data)
  • Damage to the reputation of the Organization
  • The potential for regulatory or legal action
  • The requirement for corrective actions or repairs
  • Violation of Organization's mission, policy, or principles

Data Classification Table

Data Class Adverse Impact Sample Data (not an exhaustive list)
Protection Level 3 Extreme Data that creates extensive "shared-fate" risk between multiple sensitive systems, e.g., enterprise credential stores, backup data systems, and central system management consoles.
Protection Level 2 High Data elements with a statutory requirement for notification to affected parties in case of a confidentiality breach:
  • Social security number
  • Driver's license number
  • Financial account numbers, credit or debit card numbers and
  • financial account security codes, access codes, or passwords
  • Personal medical information
  • Personal health insurance information
Protection Level 1 Moderate Information intended for release only on a need-to-know basis, including personal information not otherwise classified as Level 0, 2 or 3, and data protected or restricted by contract, grant, or other agreement terms and conditions, e.g.,:
  • Names, Email Address, and Phone Numbers of our members
  • Licensed software/software license keys
Protection Level 0 Limited or None Information intended for public access, e.g.,:
  • List of members attending meetings
  • Public websites

Additional Information

Shared Fate

If a data compromise would cause further and extensive data compromise from multiple (even unrelated) sensitive systems, the data creating this "shared-fate" warrants an elevated data protection level.