          Data Classification Categories and Levels in Secure


          Secure policies include two classifications: Sensitivity Levels and Compliance Categories. Each sensitivity level indicates whether it is considered high-risk. Compliance categories can also be specified to better identify sensitive data. You can use the default sensitivity levels and compliance categories, and add custom entries.

          To configure data classification settings, navigate to the Settings tab and click "Policies".

          Sensitivity Levels

          Sensitivity level labels and high-risk indicators should be based on the org's "Data Classification & Handling Policy" to ensure consistency. It is critical that each sensitivity level be marked as high-risk or not, so the protection of sensitive data can be properly assessed. If an org doesn’t have a "Data Classification & Handling Policy", Secure provides defaults that can be used. To create the default sensitivity levels, click Create Default Levels.

          Three default levels can be used to implement security measures for protecting the data within an org. Each sensitivity level can be changed based on an org’s policy, including the name, description, icon, and whether it should be considered high-risk.

          • Confidential: Data should be classified as Confidential when the unauthorized disclosure, alteration, or destruction of that data would cause a significant risk to the org or its affiliates. Confidential data includes data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to confidential data.
          • Private: Data should be classified as Private when the unauthorized disclosure, alteration, or destruction of that data would cause a moderate risk to the org or its affiliates. Data that is not classified as Confidential or Public should be treated as Private. A moderate level of security controls should be applied to private data.
          • Public: Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data could result in minor or no risk to the org and its affiliates. Public data includes press releases, product information, and marketing materials.
          Note: To reorder the list, drag and drop each item to the desired location.

          Use the New Level button to add custom levels to an org. This button adds a blank level to the list and requires manual entry for the name, description, icon, and risk level.

          Note: If the New Level button is used before adding defaults, the option to add defaults is no longer available. It is recommended that you add any default options before customization.

          Compliance Categories

          Compliance Categories can be used to add secondary tags to fields, highlighting the critical data being stored. A company’s “Data Classification & Handling” policy specifies that certain types of data, such as health records (HIPAA) or credit card information (PCI), be mapped to specific sensitivity levels. To create the default Compliance Categories built into Secure, click Create Default Categories.

          Eight categories can be used for implementing regulation compliance for protecting the data within an org. Each can be edited to better suit the needs of an org, including the name, description, and icon.

          • Personally Identifiable Information (PII): Any information about an individual that is maintained by your org, including information that can be used to distinguish or trace an individual's identity, such as a name, social security number, date, place of birth, mother's maiden name, or biometric records; and any other information that can be linked to an individual, such as medical, educational, financial, and employment information.
          • Health Insurance Portability and Accountability Act (HIPAA): HIPAA establishes national standards to protect individuals’ medical records and other health information. It also applies to health plans, health care clearinghouses, and health care providers that conduct electronic transactions.
          • General Data Protection Regulation (GDPR): Personal data is any information that relates to an individual who can be directly or indirectly identified. Names, phone numbers, and email addresses are the most common forms of personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions may also be considered personal data.
          • Payment Card Industry Data Security Standard (PCI DSS): A standard for companies that handle or process customer payment data, like credit card numbers.
          • Children's Online Privacy Protection Act (COPPA): Makes websites and services for children under thirteen years of age follow certain rules. These rules are especially important when those websites and services collect personal information about children.
          • California Consumer Privacy Act (CCPA): Gives California consumers rights and control over their personal information. This includes the right to know, the right to delete, and the right to stop your organization from selling your personal information. It also protects minors from being hurt by your organization.
          • Protected Health Information (PHI): Any information about your health, how you get health care, or how you pay for it. Your organization makes or collects this information and can link it to a specific person.
          • Sarbanes-Oxley Act (SOX): Annual audits for public companies doing business in the US to set financial reporting standards. These standards include protecting data, tracking attempts to breach, recording electronic records for auditing, and showing compliance.
          Note: To reorder the list, drag and drop each item to the desired location.

          Use the New Category button to add custom categories to the org. This button adds a blank category to the list and requires manual entry for the name, description, and icon.

          Note: If the New Category button is used before adding defaults, the option to add defaults is no longer available. It is recommended that you add any default options before customization.
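
The mapping of compliance categories to sensitivity levels described above can be checked mechanically once fields are classified. The following is an added example, not part of Secure or of this article: the level and category names are the page's defaults, while the high-risk flag, the per-category minimum levels, and the field inventory are constructed assumptions standing in for an org's own policy.

```python
# Added example: audit a field inventory against a classification policy.
# Level and category names are the page's defaults; the high-risk flags,
# the policy mapping and the sample fields are constructed assumptions.

LEVEL_RANK = {"Public": 0, "Private": 1, "Confidential": 2}
HIGH_RISK = {"Confidential"}  # assumption: only Confidential is marked high-risk

# Assumption: minimum sensitivity level the org's policy requires per category.
POLICY_MIN_LEVEL = {
    "PII": "Private", "GDPR": "Private", "CCPA": "Private", "SOX": "Private",
    "COPPA": "Confidential", "HIPAA": "Confidential",
    "PHI": "Confidential", "PCI DSS": "Confidential",
}

def effective_level(level):
    """Data not classified as Confidential or Public is treated as Private."""
    return level if level in LEVEL_RANK else "Private"

def audit(fields):
    """Return (field name, message) pairs for every policy gap found."""
    findings = []
    for f in fields:
        level = effective_level(f.get("level"))
        if f.get("level") not in LEVEL_RANK:
            findings.append((f["name"], f"no sensitivity level set; treated as {level}"))
        for cat in f.get("categories", []):
            required = POLICY_MIN_LEVEL.get(cat)
            if required is None:
                findings.append((f["name"], f"unknown compliance category {cat!r}"))
            elif LEVEL_RANK[level] < LEVEL_RANK[required]:
                findings.append((f["name"], f"{cat} requires {required}, field is {level}"))
    return findings

def high_risk_fields(fields):
    """Names of fields whose effective level is marked high-risk."""
    return [f["name"] for f in fields if effective_level(f.get("level")) in HIGH_RISK]

SAMPLE_FIELDS = [  # constructed inventory, not a Secure export format
    {"name": "Contact.SSN__c", "level": "Confidential", "categories": ["PII"]},
    {"name": "Patient__c.Diagnosis__c", "level": "Private", "categories": ["HIPAA", "PHI"]},
    {"name": "Account.Website", "level": "Public", "categories": []},
    {"name": "Lead.Notes__c", "level": None, "categories": ["GDPR"]},
    {"name": "Order.CardToken__c", "level": "Public", "categories": ["PCI DSS"]},
]

if __name__ == "__main__":
    for name, msg in audit(SAMPLE_FIELDS):
        print(f"{name}: {msg}")
    print("high-risk:", high_risk_fields(SAMPLE_FIELDS))
```

Custom levels added with New Level would need their own entries in `LEVEL_RANK` and `HIGH_RISK`; as written, any level outside the three defaults is reported as unset.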

           