Texas Tech University

Overview of Data Classification

Texas Department of Information Resources (2018), Data Classification Guide, v 1.1 (partial section)

Benefits of Classifying Data

Data classification is the basis for identifying an initial baseline set of security controls for information and information systems, which creates numerous benefits for the organization. Effectively classifying data makes security decisions more efficient for employees, data owners, and IT staff, because it instantly identifies and communicates the level of protection required for any piece of data and who can access it. Establishing a common statewide vernacular can further amplify this efficiency through clear and non-ambiguous communication. Appropriate data classification can also enable a more efficient use of IT capital. Specifically, data that has been categorized at a level requiring more protection can provide an objective justification for certain capital expenditures to help protect that data.

An organization can design its systems architecture with varying information sensitivity levels in mind if there is an awareness of the location, type, and handling requirements of the data. This may assist in achieving economies of scale with security services and protection through shared network and security zones. For example, an information system containing information protected by state privacy laws may be stored with other information systems containing similar sensitive information which are regulated by a third-party agreement. Agency contingency and disaster recovery planning personnel can use the outputs of the data classification process to ensure that the infrastructure is sufficiently protected and that recovery efforts focus on high impact systems.

Finally, artifacts of a data classification process can also serve as inputs to Business Impact Analysis (BIA) reviews, Information Sharing and System Interconnection Agreements, and audit trails.

Classification

The proposed data classification scheme outlines four classification labels.

  • Public – Information that is freely and without reservation made available to the public.
  • Sensitive – Information that could be subject to release under an open records request but should be controlled to protect third parties.
  • Confidential – Information that typically is excepted from the Public Information Act.
  • Regulated – Information that is controlled by a federal regulation or other third-party agreement.

Public

The Public information label is used for information such as published reports, press releases, and information published to the agency's public website. Such information requires no authentication and is freely distributable by all agency personnel.

Sensitive

Moving to the Sensitive label, much of the information is still subject to public release under an open records request, but the information should be vetted and verified before release. These types of data include items such as employee records and gross salary information. While these records and information are considered "public" under the Texas Public Information Act, they should still be afforded a higher level of protection to ensure confidential data (e.g., net salary information) is not commingled. Many agencies will choose to release this type of information only through select employees who are familiar with the state and federal rules regarding disclosure.

Confidential

The Confidential label is used to identify information that is typically excepted from public disclosure, whether specified in law or through a decision by the Open Records division of the Texas Office of the Attorney General. Confidential data include information such as attorney-client communications, protected draft communications, and computer vulnerability reports.

Regulated

The fourth label, Regulated, may or may not be applicable to an agency, based on its mandate, customers, and business operations. Regulated focuses on the types of data typically regulated by federal statute or third-party agreements. Agencies that maintain protected health, federal tax, payment card, or certain personal information will have specific requirements placed on that data by a non-Texas regulation. Therefore, regulated data has specific handling requirements that are unique to their regulations and do not apply to all agencies.
