Data Classification

Revised 06.06.2019

The purpose of this classification scheme is to establish a framework for classifying bank data based on its level of sensitivity, value, and criticality to the bank as required by the Corporate Security Program.

Data Classification

Data Classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the bank should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Data Security and Records Management are often seen as very similar. (See CCB Data Classification Chart)

 

Data Security is a more abstract concept which applies to logical groupings of data. Think of a shared folder (for example: the "J:" drive). The folder represents a grouping of data that may contain multiple types of records and would allow for certain security controls to be applied to the folder as a whole. Controls such as limiting access to certain groups, encrypting the data, and flagging if unauthorized access is attempted, may apply to the folder as a whole.

 

Records Management, on the other hand, refers to the lifecycle of data with a specific intent. Again using the folder example, you may have general office correspondence, policy statements, construction loan documents, spreadsheets containing copies of client transactions, or even a database with records of client contacts. Each of these represents a "record" of specific data for a specific purpose. Retention guidelines may be applied to each record type, such as 3 years for general correspondence or 5 years for policy statements.

 
 

Media Storage and Data Transmission

Data may originate, be stored, or be transmitted in a manner that mixes classifications (for example: a disk drive or e-mail that contains marketing brochures together with listings of client names and addresses). In this situation, the most restrictive classification takes precedence. In the example, the marketing brochures are Public but the client listing is Confidential, so the appropriate classification for the drive or e-mail as a whole is Confidential.

 
 

CCB Data Classification Chart

ALL data should be classified into one of 3 sensitivity levels, or classifications: Public, Company Restricted, or Confidential.

 

Public

Definition: Data is classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the Bank. While few controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Description: Non-sensitive information available for external release.

Macro Level Data Inventory (examples are not meant to be exhaustive):
  • Press releases
  • Publicly released marketing brochures and reports

Impact of Disclosure: No adverse impact.

Access Restrictions: Accessible to all associates in a non-editable form. Access to modify this type of information should be restricted to maintain its integrity.

Company Restricted

Definition: Data is classified as Company Restricted when the unauthorized disclosure, alteration or destruction of that data could result in a moderate to severe level of risk to the Bank. By default, all data that is not explicitly classified as Confidential or Public should be treated as Company Restricted data. A reasonable level of security controls should be applied to Company Restricted data.

Description: Information that is sensitive within the company and is intended for business use only by specific groups.

Macro Level Data Inventory (examples are not meant to be exhaustive):
  • Payroll information
  • Future business plans
  • Preliminary financial information
  • Call reports
  • General ledgers
  • Policies and procedures
  • Physical plant or computer topology diagrams
  • Internal investigations
  • Audit work papers
  • Prospective client lists
  • Source code to computer programs
  • Intellectual property
  • Documentation related to legal matters
  • Associate personal information

Impact of Disclosure: Potentially significant adverse impact:
  • May incur financial or legal liabilities
  • May adversely affect the bank
  • May assist a competitor
  • May undermine reputation

Access Restrictions: Access granted based on business need. Access by external parties subject to business need, pre-approved risk assessment, and third party agreement.

Confidential

Definition: Data is classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a significant to catastrophic level of risk to the Bank or its clients. The highest level of security controls should be applied to Confidential data.

Description: Information that is extremely valuable to the company. This includes regulated non-public information.

Macro Level Data Inventory (examples are not meant to be exhaustive):

Client information (non-public personal information) such as:
  • A list of client names, addresses and contact details
  • Social security numbers
  • Dates of birth
  • National and state ID numbers (driver's licenses, passport numbers, other forms of ID)
  • Account numbers
  • Spending habits
  • Monthly statements
  • Account balances
  • Credit and debit card numbers

Also:
  • SARs
  • Logon credentials
  • Active client and business loan files

Impact of Disclosure: Severe adverse impact:
  • May cause severe financial or legal liabilities
  • May impact existence of the bank
  • May adversely impact the bank, clients, or
  • May destroy reputation

Access Restrictions: Access granted based on business need. Access by external parties subject to business need, pre-approved risk assessment, and third party agreement. May require additional authentication techniques, intrusion prevention, heightened alerting, more granular logging of specific records accessed and other controls identified by the Security Strategy Team.
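The two handling rules stated above, the default of Company Restricted for anything not explicitly classified Public or Confidential (chart, Company Restricted definition) and the most-restrictive-classification-wins rule for mixed media such as a shared drive or an e-mail (Media Storage and Data Transmission), are small enough to encode directly. The following is an added example, not the bank's own tooling or any product's API; the label spellings it accepts, the file names, and the treatment of an empty container are assumptions chosen for illustration. The only design point worth noting is that an unrecognised non-empty label raises instead of defaulting, so a misspelled "Confidential" is never silently downgraded to Company Restricted.

```python
"""Effective classification for a container of mixed data.

Added example (not the bank's tooling). It implements two rules from the
classification scheme: data not explicitly labeled Public or Confidential is
treated as Company Restricted, and a container (folder, disk, e-mail) that
holds data of several classifications takes the most restrictive one.
Item names, labels and the empty-container rule below are constructed.
"""
from enum import IntEnum


class Classification(IntEnum):
    """Ordered so that max() selects the most restrictive level."""
    PUBLIC = 1
    COMPANY_RESTRICTED = 2
    CONFIDENTIAL = 3


# Label spellings accepted from an upstream labeling tool (assumed); every
# label is normalised (case, hyphens, underscores, spacing) before lookup.
_LABELS = {
    "public": Classification.PUBLIC,
    "company restricted": Classification.COMPANY_RESTRICTED,
    "confidential": Classification.CONFIDENTIAL,
}


def _normalize(label):
    return " ".join(label.strip().lower().replace("-", " ").replace("_", " ").split())


def is_known_label(label):
    """True when the label maps to one of the three scheme levels."""
    return label is not None and _normalize(label) in _LABELS


def classify_item(label):
    """Map one item's label to a classification.

    Missing or blank label -> Company Restricted (the scheme's default rule).
    An unrecognised non-empty label raises rather than defaulting, so a typo
    in "Confidential" cannot quietly downgrade the item.
    """
    if label is None or not label.strip():
        return Classification.COMPANY_RESTRICTED
    key = _normalize(label)
    if key not in _LABELS:
        raise ValueError(f"unrecognised classification label: {label!r}")
    return _LABELS[key]


def classify_container(items):
    """Return (classification, names of the items that set it).

    items: iterable of (name, label) pairs. The most restrictive classification
    takes precedence. An empty container is treated as Company Restricted by
    the default rule (assumption; the scheme does not address empty media).
    """
    items = list(items)
    if not items:
        return Classification.COMPANY_RESTRICTED, []
    levels = [(name, classify_item(label)) for name, label in items]
    top = max(level for _, level in levels)
    drivers = [name for name, level in levels if level == top]
    return top, drivers


# Baseline handling per level, paraphrased from the chart's Access Restrictions row.
BASELINE_CONTROLS = {
    Classification.PUBLIC: [
        "readable by all associates",
        "modification restricted to preserve integrity",
    ],
    Classification.COMPANY_RESTRICTED: [
        "access on business need",
        "external access needs risk assessment and third-party agreement",
    ],
    Classification.CONFIDENTIAL: [
        "access on business need",
        "external access needs risk assessment and third-party agreement",
        "additional authentication, heightened alerting, granular access logging",
    ],
}


def required_controls(items):
    """Baseline controls the whole container must meet."""
    level, _ = classify_container(items)
    return BASELINE_CONTROLS[level]


if __name__ == "__main__":
    # Constructed example mirroring the scheme's own illustration: a drive
    # holding marketing brochures (Public) and a client address list (Confidential).
    drive = [
        ("spring_brochure.pdf", "Public"),
        ("client_addresses.xlsx", "Confidential"),
        ("team_notes.docx", None),  # unlabeled -> Company Restricted
    ]
    level, drivers = classify_container(drive)
    print(level.name, drivers)  # CONFIDENTIAL ['client_addresses.xlsx']
    for control in required_controls(drive):
        print(" -", control)
```

Run as a script to see the drive example resolve to Confidential; `classify_container` also reports which items drove the result, which is what a reviewer needs when deciding whether to relabel or relocate the offending records rather than raise the whole folder's handling.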