Classification of Information Assets

Published by Joe D on

To establish effective security controls that protect our information assets, we should start by classifying those assets. Like the controls that protect the information, classification follows a process: we evaluate the degree of confidentiality, integrity, and availability the data requires to determine its sensitivity.


Generally, we classify information assets into three main categories: public, internal, and confidential.  Within each of these classifications, there may be additional granularity based on the risk appetite of each organization.  Let’s look at each:


Public – Publicly available information is typically not subject to protection. This class of data covers information assets that can be made public without a high degree of scrutiny: for example, information published about the company on a public-facing website, information obtained from a public source, advertising, and anything that is considered “generally known.” There is one caveat to consider with public information. Personally Identifiable Information such as name, address, phone number, individual photos, and other identifying factors can be found on the internet or in the phone book (if you’ve been around long enough to remember when those existed), but the moment a company collects that information it becomes the company’s responsibility to protect it. In fact, there are many state regulations in place, and more to come, that spell out those requirements.


Internal – Internal information is generally not intended to be made known outside the organization, except in approved circumstances.   The most common examples include records, books, policies, procedures, and correspondence that are not intended to be public.  In certain cases, this type of information may be shared with vendors, clients, or other outside interests with the expectation that it will be protected accordingly.


Confidential – This type of information is where we typically spend the greatest amount of time assessing the risk and implementing proportional controls and protection.  Another common characteristic of this type of information is that only certain authorized individuals within an organization are approved to view, modify, and delete it.  If there are outside parties with authorized exposure to this information, there are usually contractual obligations in place that clearly define the responsibilities.  The usual suspects fall into this category:

  • Protected Health Information
  • Cardholder Data (PCI)
  • Intellectual Property
  • Personally Identifiable Information
  • Student Data
  • Human Resources Data


As you consider how to protect each class of information, determine the threats, vulnerabilities, probability of occurrence, and potential impact to the organization if the information were to be exposed.
