Chapter 68 Β· Tricks

Data Types and Classifications β€” Exam Tricks

The four concepts that trip up test-takers, plus a performance-based scenario practice set.

Trick 1
Critical classification = availability, not confidentiality. If the question is about data being unavailable or systems going down β€” Critical is the classification answer.

This is the most frequently missed classification question pattern. Students learn that classification levels protect sensitive data, so they associate classification with confidentiality β€” who can see this? But the Critical classification breaks that pattern: it is the only classification level where availability is the primary security concern.

The exam question trigger words for Critical classification:

  • "Must always be accessible" β†’ Critical
  • "Unavailability causes immediate operational disruption" β†’ Critical
  • "Downtime results in direct financial loss or harm" β†’ Critical
  • "Should always be available" (exact phrase from exam objectives) β†’ Critical
  • "Recovery time objective" or "high availability" concerns β†’ Critical

How Critical differs from every other level:

  • Public / Unclassified: primary concern is integrity (don't let anyone modify public content)
  • Sensitive, Confidential, Private/Restricted: primary concern is confidentiality (limit who can see it)
  • Critical: primary concern is availability (ensure it is always accessible)

The security controls that Critical classification drives:

  • Redundant storage (RAID, mirroring)
  • Database clustering and automatic failover
  • Geographic distribution (multiple data centers)
  • Tested backup and disaster recovery procedures
  • SLA monitoring with defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
  • Real-time replication to standby systems

The trap: Critical data can also require confidentiality controls β€” the two are not mutually exclusive. A real-time operational database can be both Critical (availability requirement) and Sensitive (contains PII). But the exam question will be testing whether you know that Critical = availability. If the scenario describes a system being down and asks which classification applies to the data it holds β€” the answer is Critical.

Real examples from the source material:

  • "Anything that is classified as critical is data that should always be accessible" β€” the exam objective definition
  • "We should create processes and procedures to maintain the uptime and availability to that data" β€” the controls driven by Critical classification
Critical classification = availability-first. The question "what happens if this data is unavailable?" identifies Critical data. All other classification levels ask "who can see this?" β€” Critical asks "can this always be accessed?" If the scenario involves downtime, outages, or business continuity for data β†’ Critical.
Trick 2
PHI is a subset of PII β€” all PHI is PII, but not all PII is PHI. The healthcare payment record IS PHI even though it looks like financial data.

PII vs. PHI questions have two failure modes: students either (1) think they are the same thing, or (2) think that financial data in a healthcare context is a financial issue, not a health issue. Both lead to wrong answers.

The PII/PHI relationship:

ALL DATA
└── PII (data that can identify an individual)
    β”œβ”€β”€ Name, SSN, email, address β€” general PII
    β””── PHI (PII in a healthcare context)
        β”œβ”€β”€ Medical records + patient identity
        β”œβ”€β”€ Treatment records + patient identity
        β””── Payment for healthcare services + patient identity

The payment record trap: A payment record at a grocery store is financial data. A payment record at a hospital is PHI. The healthcare context transforms it. Under HIPAA, "payment for healthcare services" is explicitly defined as PHI because it reveals that the person received (or sought) healthcare at a specific facility β€” which is itself protected health information. This catches test-takers who think "money = financial data only."

More PHI examples that look like other data types:

  • An appointment scheduling record β€” looks like calendar data. But appointment at a hospital = evidence of seeking healthcare = PHI.
  • A pharmacy prescription record β€” looks like a purchase record. But prescription = medication = health condition = PHI.
  • A photo taken during a medical procedure β€” looks like an image file. But clinical photo = health context = PHI.
  • An insurance enrollment record β€” looks like HR benefits data. But health insurance = health information = PHI.

PHI requires HIPAA compliance specifically:

  • Technical safeguards: access controls, audit logging, encryption in transit
  • Administrative safeguards: workforce training, risk assessments, Business Associate Agreements (BAAs) with vendors who receive PHI
  • Physical safeguards: workstation security, media disposal
  • Breach notification: notify affected individuals within 60 days; notify HHS; for breaches affecting 500+ individuals, notify HHS immediately and local media

PII without PHI: An employee's home address in an HR system is PII (it can identify the person) but not PHI (it is not health information and the employer is not a HIPAA-covered entity for HR purposes). A customer's email address in a retail loyalty program is PII but not PHI.

PHI = PII + healthcare context. All PHI is PII. PII is not always PHI β€” PHI requires the health-related element AND a covered entity. Healthcare payment records are PHI, not just financial data. The exam question that describes a hospital or healthcare provider handling patient data β†’ the answer involves PHI and HIPAA, not just "PII" or "financial information."
Trick 3
Trade secret = secrecy is the protection. Intellectual property = legal rights protect it even when publicly visible. The source code vs. compiled software distinction tests this.

Trade secret and intellectual property questions often appear together, and students conflate them. The key distinction is not about how sensitive the information is β€” it is about whether the protection mechanism requires secrecy or legal registration.

The core distinction:

  • Trade secret: Protection = secrecy. Must be kept confidential to retain value. No registration. No public disclosure. If the secret is exposed, protection is permanently lost. Duration: indefinite (as long as secret).
  • Intellectual property: Protection = legal rights (copyright, trademark, patent). Can be publicly visible. Rights are enforced through legal mechanisms, not secrecy. Duration: limited by law (copyright ~life + 70 years; patent ~20 years; trademark renewable).

The source code vs. compiled software example:

Compiled software product β†’ Intellectual Property (copyright)
  β†’ Publicly visible; customers use and see it
  β†’ Protected from unauthorized copying by copyright law
  β†’ Legal enforcement is the protection mechanism

Source code β†’ Trade Secret (AND potentially copyright)
  β†’ Not publicly distributed; kept confidential
  β†’ Reveals implementation algorithms and architecture
  β†’ If leaked, competitors gain the implementation details
  β†’ Protection depends on keeping it secret

The patent trade-off exam question: "A company invented a novel algorithm. They could patent it (public disclosure, 20-year exclusive rights) or protect it as a trade secret (permanent secrecy, no time limit, no disclosure required). Which offers longer protection?" β†’ Trade secret, IF the company can maintain secrecy. Patent protection expires; trade secret protection lasts indefinitely as long as it remains secret. This is why companies like Google have chosen not to patent the core of their search algorithm β€” they would rather maintain indefinite trade secret protection than get 20 years of patent protection at the cost of public disclosure.

The "publicly visible" test: If the information is meant to be seen by customers or the public, it cannot be a trade secret β€” you cannot maintain secrecy for something you intentionally distribute. A company logo printed on every product is IP (trademark), not a trade secret. An internal pricing formula known only to executives is a trade secret, not IP (no legal registration would cover it).

Trade secret = secrecy is the protection, not legal registration. IP = legal rights protect it even when public. If the question describes information that must stay hidden to have value β†’ trade secret. If the question describes information that is (or can be) public but still protected β†’ intellectual property. Source code = trade secret; compiled software sold to customers = IP. These can overlap β€” the same asset can be both IP and a trade secret.
Trick 4
Non-human-readable data is NOT more secure by default. Format β‰  protection. A barcode, a binary file, and encrypted data all still require the same security controls as their plaintext equivalents.

Students sometimes assume that if data "can't be read by a human," it is inherently safer than plaintext data. This is a security misconception with real consequences β€” and it appears in exam questions testing whether you understand that format provides no security benefit on its own.

Why non-human-readable β‰  secure:

  • Barcodes and QR codes: A barcode is not readable by a human glancing at it β€” but any barcode scanner app (free, on any smartphone) reads it in under a second. The data is not protected; it is merely encoded in a visual format. If a barcode encodes a credit card number or patient ID, that data is fully accessible to any attacker with a camera.
  • Binary files: A binary database file is not directly human-readable β€” but a database management tool reads it instantly. The data inside requires no special attack; just the right software, which is freely available.
  • Encoded data (Base64, etc.): Base64 encoding is not encryption. It is a reversible encoding that any developer tool decodes in one step. Encoding is not a security control.
  • Encrypted data: This is different β€” encryption with a strong key and proper implementation IS a security control. But the protection comes from the cryptography and key management, not from the fact that the data "looks like" random bytes to humans.

The hybrid format risk: CSV, JSON, and XML are the most dangerous formats for this misconception. Students sometimes think "JSON is technical, so it requires technical skills to read." It does not. Open any JSON file in a browser or text editor β€” it is fully human-readable with no tools required. A JSON export of a customer database containing names, emails, SSNs, and account numbers is as readable as a plain text file to anyone who opens it.

The real protection for non-human-readable and hybrid data:

  • Access controls: Limit who can access the file, database, or system that contains the data β€” regardless of format
  • Encryption: Encrypt the data at rest and in transit β€” the encrypted ciphertext provides actual protection (key management is the security challenge)
  • DLP policies: Detect and block unauthorized transfer of data files containing sensitive information β€” whether CSV, JSON, XML, or binary
  • Classification and handling: Apply the same classification label to a JSON file containing PII as to a Word document containing the same PII β€” format does not change the classification

The exam question pattern: "An analyst exports customer data to a JSON file and emails it externally because JSON is a 'technical format that non-technical people cannot read.' Is this a valid security justification?" β†’ No. JSON is a hybrid format readable in any text editor. The classification and protection requirements apply regardless of format. The format provides no security benefit without encryption and access controls.

Format β‰  security. Non-human-readable and hybrid formats (CSV, JSON, XML, barcodes, binary files) require the same classification-appropriate security controls as human-readable plaintext. The only format that provides actual security protection is encrypted data β€” and only when cryptography and key management are implemented correctly. "It's in JSON / it's a barcode / it's binary" is never a security justification on the exam.
Performance Task Practice
Three Scenarios β€” Apply the Concepts

Scenario A: A healthcare insurance company maintains the following datasets: (1) A real-time database of policyholder names, policy numbers, coverage details, and claim histories β€” queried by thousands of agents and automated systems every minute; (2) A spreadsheet of unreleased quarterly financial results prepared for the upcoming board meeting; (3) A proprietary actuarial model the company developed over 30 years that accurately predicts claim risk β€” this model is the company's primary competitive advantage and is not documented outside the company. Assign the most specific classification to each dataset and identify the primary security control that classification drives.

Show Answer

Dataset 1 β€” PHI + Regulated + Critical:

The policyholder database contains names + coverage details + claim histories = Protected Health Information (HIPAA applies to health insurance companies as covered entities). This is also Regulated data (HIPAA mandates specific safeguards). Additionally, it is Critical β€” "queried every minute by thousands of agents and automated systems" means that unavailability immediately disrupts all business operations. Dual critical + PHI classification means two parallel security investments are required: (1) Confidentiality controls for PHI compliance: access controls, audit logging, encryption, BAAs with vendors; (2) Availability controls for Critical: clustering, redundancy, failover, tested recovery procedures, SLA monitoring. The primary security controls are both β€” neither can be sacrificed for the other.

Dataset 2 β€” Confidential (and potentially Restricted):

Unreleased quarterly financial results for a board meeting are Confidential β€” requiring explicit authorization for access, limited to executives and board members, with severe consequences for premature disclosure (securities law violations for insider trading). This is higher than Sensitive because "for anyone at the company to see" is explicitly wrong β€” only the specific individuals named by the CFO/CEO should have access. Primary security control: strict individual access authorization, audit logging of all access, prohibition on emailing or transmitting the document outside approved secure channels. Not Critical β€” board members can wait a few hours if the spreadsheet is temporarily unavailable; that is inconvenient but not operationally disruptive in the same way the policyholder database is.

Dataset 3 β€” Trade Secret (and Proprietary/Restricted):

The actuarial model is a Trade Secret β€” its entire value comes from competitors not having it. It took 30 years to develop; a competitor with access to the model could immediately match or undercut the company's risk pricing. "Not documented outside the company" and "primary competitive advantage" are the definitional markers. Primary security controls: strict need-to-know access control (likely only a small team of actuaries); NDA requirements for anyone with access; DLP monitoring to detect attempts to copy or transmit the model files; insider threat monitoring; no public disclosure of the model's methodology. This is also Proprietary β€” owned exclusively by the company and not publicly available.

Scenario B: During a security audit of an e-commerce company, you discover: a database containing 2 million customer records in binary format; a CSV export of those same records sitting on a developer's desktop; and a JSON API response that includes session tokens and user IDs. The developer argues the binary database is "safe because no one can read it" and the CSV "is just a data file." Evaluate each claim and explain what protections are actually required.

Show Answer

Claim 1: "The binary database is safe because no one can read it"

False. The binary database format does not provide any security protection. A database management tool (MySQL Workbench, pgAdmin, SQL Server Management Studio) reads binary database files directly with no special skills required. Any attacker who gains file system access to the binary database file can attach it to a database engine and query it in minutes. The customer records (names, addresses, emails, payment histories) are fully accessible. Required protections: encrypted storage (the database files on disk should be encrypted so that file system access does not yield readable data), access controls limiting who can connect to the database engine, audit logging of all queries, and network security preventing unauthorized database connections. The binary format provides zero security benefit.

Claim 2: "The CSV is just a data file"

This is the most dangerous statement in the scenario. A CSV of 2 million customer records on a developer's desktop is a critical security finding. CSV is a hybrid format β€” it opens in Excel, Google Sheets, or any text editor with no tools or skills needed. The developer has created an unencrypted, portable copy of the organization's entire customer PII data set on a personal workstation that is likely not subject to the same controls as the production database. Violations this creates: (1) the production access controls do not apply to the local CSV copy β€” anyone with access to that laptop can open it; (2) the laptop may not be encrypted; (3) the laptop may be backed up to personal cloud storage, transmitting customer PII to a third party without authorization; (4) if the laptop is lost or stolen, all 2 million customer records are exposed. Required response: delete the CSV, investigate why the export was needed and whether a less complete export could have served the purpose (data minimization), implement DLP rules that prevent CSV exports of PII data sets to local devices, require that any authorized exports are encrypted.

JSON API response with session tokens and user IDs

JSON is a hybrid format β€” readable in any browser developer tools or text editor. Session tokens in a JSON response are authentication credentials β€” if intercepted or logged, they allow impersonation of the users whose tokens are exposed. User IDs combined with session tokens are PII. Required protections: (1) HTTPS (TLS) for all API traffic β€” without encryption in transit, JSON responses are visible to any network observer; (2) Session tokens should not be logged in application logs or transmitted unnecessarily; (3) Access logs that record full API responses should be considered sensitive because they contain tokens; (4) Session tokens should have short expiration times and be invalidated on logout. The JSON format provides no protection β€” the sensitivity of the data inside the JSON response is the only relevant factor.

Scenario C: A government contractor must classify the following information assets and implement appropriate controls. Classify each and describe the primary control requirement: (1) A report that summarizes publicly available information about a foreign government's published defense spending; (2) A detailed analysis of foreign intelligence collection methods, derived from classified sources, accessible only to cleared personnel; (3) The contractor's internal IT ticketing system that all employees use to request IT support β€” if it goes down, employees cannot submit IT issues; (4) A non-disclosure agreement template that the company gives to all new employees to review and sign.

Show Answer

Asset 1 β€” Public / Unclassified:

A summary of publicly available information from published sources is Public / Unclassified by definition β€” if the source material is public and the summary contains no analysis that reveals classified methods or conclusions, the document has no confidentiality requirement. Primary control: integrity β€” ensure the document accurately represents the public sources and cannot be tampered with to introduce false information. Note: if the summary were to include analysis that reveals how intelligence is collected or processed, it could become classified even if built entirely from public sources (the "mosaic effect" β€” analysis combining public data can reveal classified capabilities). In this scenario, it is described as a summary of published spending figures, so Public / Unclassified is appropriate.

Asset 2 β€” Classified (government) / Restricted:

Intelligence analysis derived from classified sources is government classified data β€” in the U.S., this would fall under the formal classification system (Secret or Top Secret, depending on the damage unauthorized disclosure would cause). Primary controls: security clearance required for access, need-to-know enforcement within cleared personnel, classified information system with SCIF (Sensitive Compartmented Information Facility) requirements if the sources are SCI-level, mandatory access logging, no transmission outside approved classified networks. Criminal penalties for unauthorized disclosure define this category. The NDA requirement is also present β€” cleared personnel sign non-disclosure and non-disclosure agreements as part of the clearance process.

Asset 3 β€” NOT Critical in this scenario:

The IT ticketing system does not meet the Critical classification threshold here. Critical data is data whose unavailability causes immediate operational harm β€” lost revenue, patient harm, transactions failing, emergency systems going down. If the IT ticketing system is down, employees cannot submit IT tickets. This is inconvenient but does not immediately halt business operations. Employees can email IT, call IT, or wait until the system is restored. This is a standard Sensitive internal system (contains employee names, IT issue descriptions β€” PII and internal data) but not Critical. Primary control: standard availability best practices (daily backups, recovery procedure), not the high-availability architecture that Critical data requires. Students should not over-classify systems β€” not every internal business system is Critical.

Asset 4 β€” Public / Unclassified (or Sensitive, depending on content):

An NDA template that is given to all new employees to review is not sensitive β€” it is a standard legal document that is intentionally shared broadly within the organization. The template itself does not reveal confidential information; it is the mechanism for protecting confidential information. If the NDA template is generic and standard, it can be classified as Public / Unclassified (or at most, Sensitive for internal use). Primary control: integrity β€” ensure the version employees sign is the authorized version and has not been altered. Version control and document management are the relevant controls. Note: a signed, executed NDA that reveals what specific projects or information an employee has access to would be Confidential (the signed document reveals the scope of an employee's classified access).