Section/Domain 2 - Asset Security
Top Secret – It is the highest level in this classification scheme. The unauthorized disclosure of such information can be expected to cause exceptionally grievous damage to the national security.
Secret – Very restricted information. The unauthorized disclosure of such data can be expected to cause significant damage to the national security.
Confidential – A category that encompasses sensitive, private, proprietary and highly valuable data. The unauthorized disclosure of such data can be expected to cause serious, noticeable damage to the national security.
These three level of data are collectively known as ‘Classified’ data.
Sensitive but Unclassified (SBU): SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU.
Unclassified – It is the lowest level in this classification scheme. Furthermore, this data is neither sensitive nor classified, and hence it is available to anyone through procedures identified in the Freedom of Information Act (FOIA)
Within the Unclassified aka Public section there are:
Sensitive – A classification label applied to data which is treated as classified in comparison to the public data. Negative consequences may ensue if such kind of data is disclosed.
Confidential – It is the highest level in this classification scheme. This category is reserved for extremely sensitive data and internal data. A “Confidential” level necessitates the utmost care, as this data is extremely sensitive and is intended for use by a limited group of people, such as a department or a workgroup, having a legitimate need-to-know. A considerable amount of damage may occur for an organization given this confidential data is divulged. Proprietary data, among other types of data, falls into this category.
Private – Data for internal use only whose significance is great and its disclosure may lead to a significant negative impact on an organization. All data and information which is being processed inside an organization is to be handled by employees only and should not fall into the hands of outsiders.
Proprietary - Proprietary data is data this is disclosed outside the company on a limited basis contains information that could reduce the companys competitive advantage, such as the technical specifications of a new product.
Public – The lowest level of classification whose disclosure will not cause serious negative consequences to the organization.
Remember: S C P P P
Here is how the whole private sector classification looks like in the context of the Sony data breach in November 2014:
“Sensitive” Level – lists of laid-off or dismissed employees; embarrassing emails
“Confidential/Proprietary/” Level – unreleased movies
“Private” Level – salary information on 30,000 employees
“Public” Level – Sony managed to protect the integrity of such information provided by them (e.g., on their website)