Chapter 68 Β· Flashcards

Data Types and Classifications Flashcards

Click any card to reveal its definition.

0 / 10 flipped
Regulated Data
Tap to reveal
Data whose handling requirements are set by an external authority β€” a government, regulatory body, or industry standards organization. The organization must comply with externally imposed rules. Examples: credit card data (PCI DSS), health records (HIPAA), EU personal data (GDPR). Non-compliance can result in legal penalties, fines, and mandatory breach notification. The organization bears compliance responsibility even if a third-party vendor causes the breach.
Trade Secret
Tap to reveal
Confidential organizational information whose entire value comes from remaining secret. No registration mechanism β€” protection depends solely on maintaining confidentiality. Examples: proprietary formulas, manufacturing processes, pricing models, internal algorithms, customer acquisition strategies. Once disclosed, competitive advantage is permanently and irreversibly lost. Primary threat: insider β€” employees with legitimate access who exfiltrate to competitors. Security focus: confidentiality controls and insider threat prevention.
Intellectual Property (IP)
Tap to reveal
Creations of the mind protected by legal rights β€” copyright, trademark, or patent β€” that can be publicly visible while still legally protected. Copyright protects original works of authorship (software, writing, art) automatically upon creation. Trademark protects brand identifiers (logos, names) through government registration. Patent protects inventions through a registration process requiring public disclosure. Key distinction from trade secrets: IP can be publicly visible β€” a published novel is fully readable but copyright-protected. Security emphasis: legal enforcement and copy protection, not access restriction.
PII β€” Personally Identifiable Information
Tap to reveal
Any data that can identify a specific individual β€” alone (direct identifiers) or in combination with other data (indirect identifiers). Direct identifiers: full name, SSN, passport number, biometrics, email address. Indirect identifiers: DOB, address, mother's maiden name. The aggregation risk: DOB + gender + ZIP code alone identifies most individuals. PII is the subject of major privacy regulations worldwide (GDPR, CCPA, HIPAA). Organizations collecting, storing, or processing PII must comply with applicable privacy laws for consent, access rights, retention, and breach notification.
PHI β€” Protected Health Information
Tap to reveal
A legally defined HIPAA category: health information associated with an identifiable individual, created/received/maintained by a covered entity (healthcare provider, health plan, clearinghouse) or their business associates. Includes: diagnoses, treatment records, prescriptions, lab results, mental health records, health insurance info, and payments for healthcare services. PHI is a subset of PII β€” it is PII in a health context. The payment record for a healthcare service is PHI even though it looks financial. HIPAA requires access controls, audit logs, encryption in transit, and mandatory breach notification.
Proprietary Data
Tap to reveal
Data that belongs exclusively to the organization β€” created by the organization, owned by the organization, and not publicly available. As a classification label, "Proprietary" means: do not disclose outside the organization. Includes trade secrets (most sensitive subset), internal processes, proprietary software and algorithms, R&D findings, business strategies, customer lists, and pricing models. Value comes from exclusivity β€” disclosure reduces competitive advantage. Security focus: confidentiality controls to prevent unauthorized external disclosure. Insider threat is the primary risk.
Human-Readable vs. Non-Human-Readable Data
Tap to reveal
Human-readable: directly understood by a person with no tools β€” plain text, emails, documents. Security implication: exposure is immediately impactful; anyone who sees it understands it. Non-human-readable: requires tools to interpret β€” barcodes, binary files, encrypted ciphertext. Security implication: format does NOT provide security β€” the data still requires protection regardless of format. Non-human-readable is not inherently more secure. Hybrid (CSV, XML, JSON): both human and machine interpretable β€” opens in any text editor; common in bulk data breaches. Format β‰  protection.
Sensitive (Classification Level)
Tap to reveal
The baseline non-public classification for data that requires controlled handling β€” including intellectual property, PII, PHI, and internal business data that should not leave the organization. Controls: access limited to employees with need-to-know; encryption required for storage and transmission; access monitoring and audit logging; covered by DLP policies. The default classification for most internal data. Primary security concern: confidentiality β€” prevent unauthorized external disclosure.
Confidential vs. Private/Classified/Restricted
Tap to reveal
Confidential: highly sensitive data requiring explicit individual authorization for access β€” executive communications, M&A plans, legal negotiations, unreleased financial results. Higher bar than Sensitive: users must be specifically approved; not default access based on role. Private/Classified/Restricted: data accessible only to formally vetted individuals, often requiring NDA signing or security clearance. Government "classified" = formal legal classification (Confidential, Secret, Top Secret) with criminal penalties. Corporate "restricted" = trade secrets and highly sensitive assets requiring formal access vetting. Both are confidentiality-focused β€” who can see this at all?
Critical (Classification Level)
Tap to reveal
The only classification level where availability β€” not confidentiality β€” is the primary security concern. Critical data must remain continuously accessible for organizational operations; unavailability causes immediate operational harm. Examples: real-time operational databases, authentication systems, emergency communications, financial trading systems. Security controls driven by this classification: redundancy, clustering, failover, geographic distribution, tested disaster recovery, SLA monitoring. Critical data can also carry confidentiality requirements, but it is the availability requirement that makes it "critical." Exam key: if the scenario asks about unavailability causing harm β†’ Critical classification.