Data can be traditionally grouped under three categories based on their criticality. They are as follows:
- Personally Identifiable Information (PII): Examples include birth dates, employee numbers, Social Security Numbers, national identification numbers, credit card information, personal health information, and so on.
- Intellectual Property (IP): Examples include product design documents, the source code of software, research information, patent applications, and customer data.
- Non-Public Information (NPI): Examples include financial information, mergers—and acquisitions-related information and activities, corporate policies, legal and regulatory matters, executive communication, and so on.
Compromising any of the preceding data will have adverse impacts on corporations. Additionally, risk factors, such as employee behavior, customer treatment, and financial controls, will also have an effect on organizations.
Data, whether it is PII, IP, or NPI, can exist in three states. Protection requirements in each of the three states may vary based on the type and classification of the information.
The three states in which a data can exist are as follows.
This refers to information as it moves around the organization. Examples include e-mail, FTP, and messaging:
Data protection strategies for such information include the following:
- Secure login and session procedures for file transfer services.
- Encryption for sensitive data.
- Monitoring activities to capture and analyze the content to ensure that confidential or privacy-related information are is not transmitted to third parties or stored in publicly accessible file server locations.
This refers to the information that is stored within the organization. Examples include information stored in a file server and shared locations and information in databases:
Data protection strategies include secure access controls, the segregation of duties, and the implementation of need to know mechanisms for sensitive data.
This refers to information that is used by staff, as in laptops or portable devices, and information that is being printed or copied to a USB stick. This is the data available in endpoints.
Data security controls for data in use would include port protection and whole disk encryption. Controls against shoulder surfing, such as clear screen and clear desk policies, are also applicable to data in use controls:
