This lesson defines sensitive information and describes basic procedures for the proper control, storage and destruction of sensitive information. You will learn about two main topics:
What Is Sensitive Information?
Protecting Sensitive Information
2 / 12
Section Objective
By the end of this section, you will be able to define sensitive information and recognize how to identify and categorize information.
Topics
Defining Sensitive Information
Types of Information
Identifying Information
3 / 12
Sensitive information is information that should be shared only with select groups or individuals who have appropriate authorization or permission. If sensitive information is compromised, it could cause serious harm to the organization or individual who owns it.
On the next page, you will consider examples of sensitive information that you may work with at your job.
4 / 12
***l p***r What information do you work with at your job that may be considered sensitive?***l /p***r ***l br/***r ***l p***r ***l b***r Instructions***l /b***r ***l /p***r ***l br/***r ***l p***r ***l i***r Type your answer in the space provided, then click Submit to learn about sensitive information others work with.***l /i***r ***l /p***r ***l br/***r ***l p***r I work in a call center for insurance claims. When I take a call, I have to pull up the person's claim, which has personal medical information in it. It also has the claimant's social security number, address and phone number. In some situations, I even deal with billing, which means I see credit card and bank account information. ***l /p***r ***l br/***r ***l p***r I am the manager of a bookstore and have 10 employees. I handle all their payroll information, including social security numbers, tax forms and bank routing numbers. I also handle customers' credit card information, sales receipts and passwords and override codes for all of the point of sale systems. ***l /p***r ***l br/***r ***l p***r I am an administrative assistant at a pharmeceutical company. Every day I use company email distribution lists and internal phone numbers, and I occassionally send out company-wide messages that contain information on our strategic vision, sales numbers and even drugs coming up in our pipeline. ***l /p***r ***l br/***r ***l p***r I also handle a lot of logistical tasks, so I have access to wireless passwords for our conference rooms, codes to unlock secure entrances and even departmental credit card numbers.***l /p***r ***l br/***r QuestionClick on each person to learn about the sensitive information they encounter at work.Please enter an answer.Type HereSubmit
5 / 12
***l p***r Many organizations categorize sensitive information according to the risk to their business if compromised. Be sure to understand your organization's policies.***l /p***r ***l br/***r ***l p***r ***l b***r Instructions***l /b***r ***l /p***r ***l br/***r ***l p***r ***l i***r Click on each term to learn more about common categories used for sensitive information.***l /i***r ***l /p***r ***l br/***r ConfidentialConfidential information is the most sensitive type of information. Compromise could seriously and adversely affect an organization, its stockholders, its business partners and/or its customers.SensitiveSensitive information is less sensitive than confidential, but it could still have an adverse effect on an organization, its stockholders and/or its customers if compromised.PrivatePrivate information applies to personal information that is intended for use within a specific organization. Unauthorized disclosure could adversely impact the organization and/or its employees.PublicPublic information applies to all other information that does not clearly fit into any of the above three classifications. Unauthorized disclosure isn't expected to seriously or adversely impact the company. Nevertheless, release of this information usually must be authorized by the company.../assets/IntroductionInstructions
6 / 12
***l p***r Based on the information categories you learned about on the last page, how would you identify the following information examples?***l /p***r ***l br/***r ***l p***r ***l b***r Instructions***l /b***r ***l /p***r ***l br/***r ***l p***r ***l i***r Click Begin to start the activity. Then, match the information type to each example by dragging and dropping.***l /i***r ***l /p***r ***l br/***r ***l p***r Private***l /p***r ***l br/***r ***l p***r Internal organizational policies and procedures***l /p***r ***l br/***r ***l p***r Incorrect. Please try again.***l /p***r ***l br/***r ***l p***r Confidential***l /p***r ***l br/***r ***l p***r Customers' credit card information***l /p***r ***l br/***r ***l p***r Incorrect. Please try again.***l /p***r ***l br/***r ***l p***r Sensitive***l /p***r ***l br/***r ***l p***r Internal company audit reports***l /p***r ***l br/***r ***l p***r Incorrect. Please try again.***l /p***r ***l br/***r ***l p***r Public***l /p***r ***l br/***r ***l p***r Product brochure***l /p***r ***l br/***r ***l p***r Incorrect. Please try again.***l /p***r ***l br/***r ***l p***r What category does the sensitive information you work with fit in? What precautions do you take to make sure this information is protected?***l /p***r ***l br/***r ***l p***r Be sure to check the information security policy at your place of work.***l /p***r ***l br/***r ***l p***r ***l i***r ***l b***r Note:***l /b***r The naming and application of these categories may vary depending on the organization and its information security policy. Be sure you understand your organization's specific policy.***l /i***r ***l /p***r ***l br/***r ***l p***r ***l /p***r ***l br/***r sampleActivity: Understanding Security Categories ReturnYour Sensitive InformationInstructionsSubmitBegintrue
7 / 12
Section Objective
By the end of this section, you will recognize how to control, store and destroy sensitive information.
Topics
Protecting Sensitive Information Defined
Information Access
Electronic & Hard Copy
Destruction Methods
8 / 12
***l p***r Properly protecting sensitive information consists of three basic steps:***l /p***r ***l br/***r ***l p***r ***l li***r Control***l /li***r ***l li***r Storage ***l /li***r ***l li***r Destruction***l /li***r ***l /p***r ***l br/***r ***l p***r ***l b***r Instructions***l /b***r ***l /p***r ***l br/***r ***l p***r ***l i***r Click the forward arrow to step through the process of protecting sensitive information.***l /i***r ***l /p***r ***l br/***r ***l p***r ***l b***r Control***l /b***r means controlling what information is collected and/or stored by an organization. Access to any data that is collected and/or stored must also be controlled.***l /p***r ***l br/***r ../assets/boomgateopened.png***l p***r ***l b***r Storage***l /b***r means maintaining the security of any information stored by an organization, both in hard copy and electronic formats.***l /p***r ***l br/***r ../assets/warehouse.png***l p***r ***l b***r Destruction***l /b***r means destroying information when it is no longer needed. This process reduces the risk of compromise and the amount of information to secure.***l /p***r ***l br/***r ../assets/cut.pngIntroductionInstructionsFeedbackResume Activity
9 / 12
Controlling information requires regulating what information is collected or stored and who has access to that information. Information access is limited in two common ways:
Need-to-know policy
Access controls
Instructions
Roll over each item to learn more.
***l optionWidget***r ***l options***r ***l option***r ***l optionTitle***r Need-to-know policy***l /optionTitle***r ***l content***r ***l p***r A need-to-know policy denies access to information to anyone who does ***l u***r not***l /u***r need access in order to perform their jobs.***l /p***r ***l br/***r ***l /content***r ***l audio***r ***l /audio***r ***l /option***r ***l option***r ***l optionTitle***r Access controls***l /optionTitle***r ***l content***r ***l p***r Access controls consist of logical controls, enforced by a computer system and managed by an IT department, or physical controls, such as locked rooms and safes.***l /p***r ***l br/***r ***l /content***r ***l audio***r ***l /audio***r ***l /option***r ***l /options***r ***l /optionWidget***r ***l altTags***r ***l closeAlt***r ***l /closeAlt***r ***l instructAlt***r ***l /instructAlt***r ***l submitAlt***r ***l /submitAlt***r ***l playPauseAlt***r ***l /playPauseAlt***r ***l muteUnmuteAlt***r ***l /muteUnmuteAlt***r ***l replayAlt***r ***l /replayAlt***r ***l stepPrevAlt***r ***l /stepPrevAlt***r ***l stepNextAlt***r ***l /stepNextAlt***r ***l restartAlt***r ***l /restartAlt***r ***l /altTags***r
10 / 12
Organizations may store sensitive information in a wide variety of ways, which can pose challenges to information security goals. However, most storage methods fit into one of two broad categories, illustrated in the table below.
Category
Description
Electronic
Electronic information storage typically involves a database, file server or some form of computer system. Information may also be stored on laptops, thumb drives or other types of removable media.
Hard Copy
Hard copy information is stored in printed documents, receipts, file systems and even handwritten notes.
Regardless of which category your information fits into, it must be protected with proper controls and stored securely.
11 / 12
***l p***r Electronic and hard copy information require different destruction methods to maintain security.***l /p***r ***l br/***r ***l p***r ***l b***r Instructions***l /b***r ***l /p***r ***l br/***r ***l p***r ***l i***r Click on each method to learn more.***l /i***r ***l /p***r ***l br/***r Electronic destructionElectronic information is typically destroyed using automated deletion programs that search for and delete data once it has reached a certain age. Destruction of electronic data may also involve physical destruction of the storage media, such as CDs, DVDs or thumb drives.Hard copy destructionHard copy information is typically destroyed by shredding, pulping or incineration. Organizations often contract with vendors for hard copy destruction services.IntroductionInstructions
12 / 12
Congratulations! You have completed the Sensitive Information lesson. The Security Awareness Education (SAE) Portal tracks the completion of the lesson and unlocks the next lesson in the course.
To move on to the next lesson, click Exit in the top right navigation bar of this screen to return to the SAE Portal. Then, follow the directions you learned in the Course Navigation lesson to return to the Course Menu page, where you may select the next activity from the list.
