Data can traditionally be grouped into three categories based on its criticality. They are as follows:
Compromising data in any of the preceding categories will have adverse impacts on corporations. Additionally, risk factors such as employee behavior, customer treatment, and financial controls will also affect organizations.
Data, whether it is PII, IP, or NPI, can exist in three states. Protection requirements in each of the three states may vary based on the type and classification of the information.
The three states in which data can exist are as follows.
Data in motion refers to information as it moves around the organization. Examples include e-mail, FTP, and messaging.
Data protection strategies for such information include the following:
Data at rest refers to information that is stored within the organization. Examples include information stored on file servers and in shared locations, and information held in databases.
Data protection strategies include secure access controls, the segregation of duties, and the implementation of need-to-know mechanisms for sensitive data.
Data in use refers to information that is being used by staff, as on laptops or portable devices, and information that is being printed or copied to a USB stick. This is the data available at endpoints.
Data security controls for data in use include port protection and whole-disk encryption. Controls against shoulder surfing, such as clear-screen and clear-desk policies, also apply to data in use.
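As an added example (not from the original text), the following routine applies the state-specific controls described above to a constructed asset inventory and reports the gaps per state; the DataAsset fields, the cleartext-protocol list, and the sample records are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed inventory record for illustration (not from the text).
@dataclass
class DataAsset:
    name: str
    classification: str            # "PII", "IP" or "NPI"
    state: str                     # "in_motion", "at_rest" or "in_use"
    protocol: str = ""             # transport used while in motion
    encrypted: bool = False        # encrypted transport / whole-disk encryption
    port_protection: bool = False  # USB/port control on the endpoint
    accessors: frozenset = frozenset()     # principals able to read the data
    need_to_know: frozenset = frozenset()  # principals authorised to read it

# Assumption: these protocols move data in cleartext unless wrapped in TLS.
CLEARTEXT_PROTOCOLS = {"ftp", "http", "smtp", "telnet"}

def audit_asset(asset: DataAsset) -> list[str]:
    """Return the control gaps for one asset, judged by the state it is in."""
    gaps = []
    if asset.state == "in_motion":
        # Data in motion needs encrypted transport (e.g. FTP alone is a gap).
        if asset.protocol.lower() in CLEARTEXT_PROTOCOLS and not asset.encrypted:
            gaps.append(f"{asset.name}: unencrypted transport ({asset.protocol})")
    elif asset.state == "at_rest":
        # Data at rest: every accessor must be on the need-to-know list.
        excess = asset.accessors - asset.need_to_know
        if excess:
            gaps.append(f"{asset.name}: access beyond need-to-know: {sorted(excess)}")
    elif asset.state == "in_use":
        # Data in use on endpoints: whole-disk encryption and port protection.
        if not asset.encrypted:
            gaps.append(f"{asset.name}: endpoint lacks whole-disk encryption")
        if not asset.port_protection:
            gaps.append(f"{asset.name}: endpoint lacks port protection")
    return gaps

def audit_inventory(assets) -> dict[str, list[str]]:
    """Group gaps by state so the report mirrors the three-state model."""
    report = {"in_motion": [], "at_rest": [], "in_use": []}
    for asset in assets:
        report.setdefault(asset.state, []).extend(audit_asset(asset))
    return report

SAMPLE_INVENTORY = [  # constructed sample records
    DataAsset("payroll export", "NPI", "in_motion", protocol="ftp"),
    DataAsset("customer db", "PII", "at_rest",
              accessors=frozenset({"alice", "bob", "contractor1"}),
              need_to_know=frozenset({"alice", "bob"})),
    DataAsset("design docs on laptop", "IP", "in_use", encrypted=True),
]
```

Running audit_inventory(SAMPLE_INVENTORY) yields one finding per sample asset: cleartext FTP for the data in motion, a contractor outside the need-to-know list for the data at rest, and missing port protection on the endpoint holding the data in use.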