Categorizing Data Sensitivity for Computer Security
Better to be despised for too anxious apprehensions, than ruined by too confident security.
Edmund Burke
The following material on computer security is adapted from the NIH Computer Security Awareness Training Webpage.
http://irm.cit.nih.gov/sectrain/infosb.html
Computer security efforts are based on the need to protect sensitive information in applications and critical data processing capabilities such as facilities, computers, networks and applications. The DHHS Automated Information Systems Security Program (AISSP) Handbook gives us guidelines for determining security level requirements based on:
- sensitivity of data: the need to protect data from unauthorized disclosure, fraud, waste, or abuse
- operational criticality of data processing capabilities: the ramifications if data processing capabilities were interrupted for a period of time or subject to fraud or abuse
This article provides an overview of data sensitivity. Information on "criticality levels" (how loss of data at those levels would affect the ability of NIH to accomplish its mission) can be found on the Web.
The system manager determines the security level, based on consideration of both the sensitivity of data and criticality of the information system. The security level is used to develop the requisite safeguards that will be required to adequately protect the system. Users are responsible for following the safeguards associated with the systems they use.
All NIH data has some degree of sensitivity, even data that is intended for unrestricted access by many and varied individuals and groups. Also, NIH is so dependent upon computers and networks that these capabilities are considered critical to some degree; otherwise resources would not be applied to managing them. Below are examples of sensitive information:
- drug formulas
- grant applications and pre-contract award information
- ongoing confidential research
- performance review information for NIH personnel
- patient records
- personnel records
- identification of individuals who are barred from receiving federal contracts
- arrest/crime records at NIH
- information regarding funding and budgets
Levels of Data Sensitivity
Sensitivity levels are determined by the type of information in an automated system. Level 1 applies to information with the least amount of sensitivity and Level 4 applies to information with the greatest amount of sensitivity.
- Level 1: Low Sensitivity
Information at this level requires a minimal amount of protection. This level includes information that is considered to be in the public domain, such as employee locator files. At this level, any disclosures could be reasonably expected not to have an adverse effect. But remember that all information is important; otherwise it would not be collected.
Unintentional alteration or destruction is the primary concern for low sensitivity information.
- Level 2: Moderately Sensitive
Level 2 or Moderate Sensitivity includes data that are important to NIH, and therefore must be protected against acts that are considered to be malicious and destructive. However, disclosure problems are usually not significant since this type of data is often collected for analytical reasons.
This level includes information that pertains to workload, staffing, correspondence, memoranda, and other document files whose release or distribution outside the federal government and/or within NIH needs to be controlled. Access to Level 2 data needs to be restricted only to a limited degree. The data must be protected from unauthorized alteration or modification due to its value to the organization; however, it may be disclosed in some format eventually.
Moderately sensitive data can include information that must be protected to meet Privacy Act requirements. At this level, unauthorized disclosures could cause embarrassment to an individual.
- Level 3: High Sensitivity
Everyone at NIH should be most aware of the protection requirements for Level 3 or High Sensitivity information. This level covers the most sensitive information at NIH and requires the greatest security safeguards at the user level.
This data could include computerized correspondence and document files that are regarded as highly sensitive and/or critical to an organization, and therefore must be protected from unauthorized alteration, modification, and/or premature disclosure; proprietary information that has inherent informational value, such as drug formulas, trade secrets, and early research findings; financial data that is used to authorize or make payments to individuals or organizations; clinical trial data; grant application review data; automated systems or records subject to the Privacy Act for which unauthorized disclosure would constitute a clearly unwarranted invasion of personal privacy.
Highly sensitive data must be protected from unauthorized disclosure.
- Level 4: High Sensitivity and National Security
This level of data does not apply to NIH.
The important thing to remember about sensitivity levels is that you must take active steps to protect all sensitive data/information. If you are not familiar with the specific safeguards required with your systems, contact your local IT staff, ISSO, or the TASC help desk [301.594.6248] for assistance. The ISSO roster is located on the Web.
More Information
The Web site provides a large amount of information, including details of the Computer Security Act of 1987, the Privacy Act of 1974, and the AISSP Handbook.