Professional Documents
Culture Documents
Insurance Company Dataset LS
Insurance Company Dataset LS
1. Categorizations - contains definitions for each data category and sensitivity level, including e
Worksheet Summary 2. Data Classification Model - contains the mapping of sample data elements to regulatory req
3. Data Inventory - contains a template to use when creating an inventory of data located on th
Instructions
1. Review the Categorizations tab to learn the definitions and examples of the different categor
2. Review the Data Classification Model tab to familiarize with the mapping of sample data ele
3. (Required) On the Data Inventory tab, complete the Asset Information section. Refer to the C
appropriate input for each identified asset.
Instructions
4. (Recommended) On the Data Inventory tab, identify data categories that are present in an ag
Model tab as a guidance for determining what category different data elements belong to.
5. (As Needed) On the Data Class Model tab, add additional Data Elements, the Category of th
associated federal or state mandates/laws that are not currently captured in the template.
Information
by regulatory requirements
uctions
egories that are present in an agency's assets by using an X. Use the Data Classification
data elements belong to.
ta Elements, the Category of the Data Element, Sensitivity of the Data Element and
captured in the template.
Data Categories
Protected Health
Information
Sensitive PII
Personal Information
Regulated Data
Third Party
Information
Geographic
Information
Contract Information
Data Categories
Special Handling PII includes extremely sensitive personal data, often of a confidential
or protected nature. This category comprises information that, if exposed or misused,
can lead to identity theft, financial fraud, medical privacy breaches, or other significant
harm to individuals. Example Social Security numbers, financial account numbers,
medical records, biometric data.
Sensitive PII encompasses personal information that, if disclosed or misused, can lead
to serious consequences for individuals, such as identity theft, financial fraud,
personal safety risks, or privacy violations. Example Social Security numbers, financial
account numbers, medical records, biometric data, and other highly confidential
information.
Access Controls: Implement robust access controls, Data Sharing Agreements: Establish formal
such as role-based access control (RBAC) and multi- agreements with external parties (e.g., business
factor authentication (MFA), to ensure that only associates, vendors) to ensure they handle the data
authorized personnel can access this data. securely and in compliance with relevant regulations.
Access Control: Access to personal information Consent: When sharing personal information,
organizations often require consent from the data
should be controlled and restricted based on job
roles and responsibilities within an organization. Only subject unless sharing is necessary for a legitimate
purpose (e.g., providing a requested service or
authorized personnel should have access.
complying with legal obligations).
Data Sharing Agreements: Organizations handling
Authentication and Authorization: Implement strong
regulated data often establish formal agreements
authentication methods and role-based access
with external parties (e.g., vendors, business
control (RBAC) to ensure that only authorized
associates) to define how data will be shared and
personnel can access regulated data.Access Control:
protected.Data Minimization: The sharing of
Access to regulated data should be restricted and
regulated data should adhere to the principle of data
limited to authorized individuals based on their roles
minimization, meaning that only the minimum
and the specific permissions they need to perform
necessary information should be shared for a specific
their tasks.
purpose or task.
Access Control: Access to third-party information Need-to-Know Basis: Limit sharing of third-party
should be restricted and granted only to authorized information to individuals or entities who require it
individuals based on their job roles and for legitimate business purposes, such as customer
responsibilities within the organization. support, vendor relationships, or compliance.
Access Control: Access to geographic information Data Sharing Agreements: Establish formal
should be controlled and restricted based on job agreements, especially when sharing geographic data
roles and responsibilities within the organization. with external parties, to outline the scope of data
Access should be granted only to authorized sharing, permitted uses, and data protection
individuals. measures.
Structured and Unstructured Data: Personal Secure Disposal: When personal information is no
longer needed, it should be securely disposed of to
information can exist in structured formats (e.g.,
databases) or unstructured formats (e.g., text prevent unauthorized access. Secure disposal
methods can include shredding physical documents
documents, emails, images).
and secure data deletion for digital records.
Encryption: Regulated data, especially when in transit Retention Policies: Organizations must develop and
or at rest, should be encrypted to protect it from adhere to data retention policies that specify how
unauthorized access or breaches. Encryption ensures long regulated data should be retained. These
that even if data is intercepted, it remains unreadable policies should align with the requirements of the
without the appropriate decryption keys.Data applicable regulations.Secure Disposal: When
Masking: In some cases, data masking may be used regulated data is no longer needed or reaches the
to partially or fully conceal sensitive information end of its retention period, it should be securely
within regulated data while still allowing authorized disposed of or archived in a compliant manner to
users to work with it. prevent unauthorized access or data breaches.
Data Standardization: Standardize data formats and Retention Policies: Define data retention policies for
structures to ensure consistency and facilitate third-party information, considering legal
integration and analysis when dealing with third- requirements, contractual obligations, and business
party data from different sources. needs. Retain data only for as long as necessary.
Geospatial Formats: Geographic information can be Archiving: For historical geographic data that must be
stored in various geospatial formats, including
retained, consider archiving strategies to ensure long-
Geographic Information System (GIS) files, shapefiles,
Keyhole Markup Language (KML), and more. term preservation and accessibility.
Application(s)
Location
"C" data
(SEC019)
Asset Information
Data Element Category