
Summary Information

Purpose of the document

The purpose of this document is to provide:
- A mapping of data elements to data categories as determined by regulatory requirements
- A template to create a data inventory for each agency's assets
- Documentation of data categories from identified assets

Worksheet Summary

1. Categorizations - contains definitions for each data category and sensitivity level, including examples
2. Data Classification Model - contains the mapping of sample data elements to regulatory requirements for protection
3. Data Inventory - contains a template to use when creating an inventory of data located on the servers

Instructions

1. Review the Categorizations tab to learn the definitions and examples of the different categorizations, sensitivity levels, and asset information.
2. Review the Data Classification Model tab to familiarize with the mapping of sample data elements to regulatory requirements for protection.
3. (Required) On the Data Inventory tab, complete the Asset Information section. Refer to the Categorizations tab as a guidance for determining appropriate input for each identified asset.
4. (Recommended) On the Data Inventory tab, identify data categories that are present in an agency's assets by using an X. Use the Data Classification Model tab as a guidance for determining what category different data elements belong to.
5. (As Needed) On the Data Class Model tab, add additional Data Elements, the Category of the Data Element, Sensitivity of the Data Element and associated federal or state mandates/laws that are not currently captured in the template.
Data Categories

Special Handling PII
Special Handling PII includes extremely sensitive personal data, often of a confidential or protected nature. This category comprises information that, if exposed or misused, can lead to identity theft, financial fraud, medical privacy breaches, or other significant harm to individuals. Example: Social Security numbers, financial account numbers, medical records, biometric data.

Protected Health Information
PHI includes individually identifiable health information that is created, received, stored, or transmitted by a covered entity (e.g., healthcare provider, health plan) or their business associates. It encompasses various data categories, including: Patient names, Medical diagnoses, Treatment histories, Test results, Prescription records, Health insurance information.

Sensitive PII
Sensitive PII encompasses personal information that, if disclosed or misused, can lead to serious consequences for individuals, such as identity theft, financial fraud, personal safety risks, or privacy violations. Example: Social Security numbers, financial account numbers, medical records, biometric data, and other highly confidential information.

Personal Information
Personal information includes a wide range of data categories related to individuals, such as: Names, Addresses, Phone numbers, Email addresses, Social Security numbers, Date of birth, Financial information (e.g., bank account numbers), Identification numbers (e.g., driver's license), Biometric data (e.g., fingerprints).

Regulated Data
Regulated data encompasses various categories of information that are subject to specific regulations. These categories can include Personal Identifiable Information (PII), Protected Health Information (PHI), financial data, trade secrets, and more.

Third Party Information
Third-party information encompasses a diverse range of data categories, including personal data (e.g., names, addresses, contact information), financial data (payment details, banking information), transaction data, contractual information, and any other data associated with external entities.

Geographic Information
Geographic information includes data related to the Earth's surface, such as coordinates (latitude and longitude), maps, topographical details, addresses, postal codes, landmarks, and geospatial data layers (e.g., land use, transportation networks).

Contract Information
Contract information encompasses various data categories related to contracts, including: Contract terms and conditions, Parties involved (e.g., names and contact information), Contract values and payment details, Contract duration and renewal dates, Legal clauses and obligations, Amendments and revisions.
Access

Special Handling PII
Access Controls: Implement robust access controls, such as role-based access control (RBAC) and multi-factor authentication (MFA), to ensure that only authorized personnel can access this data.

Protected Health Information
Restricted Access: Access to PHI should be strictly controlled and limited to authorized individuals with a legitimate need to access it for healthcare operations, treatment, payment, or other permissible purposes.
Role-Based Access Control (RBAC): Implement RBAC to ensure that individuals access only the specific PHI required for their roles.

Sensitive PII
Restricted Access: Access to Sensitive PII should be strictly controlled and limited to authorized individuals who have a legitimate need to access it for authorized purposes.

Personal Information
Access Control: Access to personal information should be controlled and restricted based on job roles and responsibilities within an organization. Only authorized personnel should have access.

Regulated Data
Authentication and Authorization: Implement strong authentication methods and role-based access control (RBAC) to ensure that only authorized personnel can access regulated data.
Access Control: Access to regulated data should be restricted and limited to authorized individuals based on their roles and the specific permissions they need to perform their tasks.

Third Party Information
Access Control: Access to third-party information should be restricted and granted only to authorized individuals based on their job roles and responsibilities within the organization.

Geographic Information
Access Control: Access to geographic information should be controlled and restricted based on job roles and responsibilities within the organization. Access should be granted only to authorized individuals.

Contract Information
Access Control: Access to contract information should be controlled and restricted based on job roles and responsibilities within the organization. Access should be granted only to authorized individuals who need it for legitimate business purposes.

Shared

Special Handling PII
Data Sharing Agreements: Establish formal agreements with external parties (e.g., business associates, vendors) to ensure they handle the data securely and in compliance with relevant regulations.

Protected Health Information
Minimum Necessary Standard: PHI should be shared with individuals or entities only to the extent necessary to accomplish the intended purpose. Implement the minimum necessary standard to restrict unnecessary disclosure.

Sensitive PII
Need-to-Know Basis: Limit sharing of Sensitive PII to individuals or entities who require it for their job responsibilities or specific authorized purposes.

Personal Information
Consent: When sharing personal information, organizations often require consent from the data subject unless sharing is necessary for a legitimate purpose (e.g., providing a requested service or complying with legal obligations).

Regulated Data
Data Sharing Agreements: Organizations handling regulated data often establish formal agreements with external parties (e.g., vendors, business associates) to define how data will be shared and protected.
Data Minimization: The sharing of regulated data should adhere to the principle of data minimization, meaning that only the minimum necessary information should be shared for a specific purpose or task.

Third Party Information
Need-to-Know Basis: Limit sharing of third-party information to individuals or entities who require it for legitimate business purposes, such as customer support, vendor relationships, or compliance.

Geographic Information
Data Sharing Agreements: Establish formal agreements, especially when sharing geographic data with external parties, to outline the scope of data sharing, permitted uses, and data protection measures.

Contract Information
Need-to-Know Basis: Limit sharing of contract information to individuals or entities with a legitimate need to know, such as legal counsel, procurement teams, or contract managers.
Format

Special Handling PII
Encryption: Data in this category should be encrypted both in transit and at rest to protect it from unauthorized access.
Masking: Consider data masking or tokenization to limit the exposure of sensitive information, even to authorized users.

Protected Health Information
Encryption: PHI should be encrypted both in transit and at rest to protect it from unauthorized access or data breaches.
Data Masking: In some cases, PHI may be partially or fully masked to reduce the risk of exposure while still allowing authorized users to perform their duties.

Sensitive PII
Encryption: Sensitive PII should be encrypted both in transit and at rest to protect it from unauthorized access or data breaches.

Personal Information
Structured and Unstructured Data: Personal information can exist in structured formats (e.g., databases) or unstructured formats (e.g., text documents, emails, images).

Regulated Data
Encryption: Regulated data, especially when in transit or at rest, should be encrypted to protect it from unauthorized access or breaches. Encryption ensures that even if data is intercepted, it remains unreadable without the appropriate decryption keys.
Data Masking: In some cases, data masking may be used to partially or fully conceal sensitive information within regulated data while still allowing authorized users to work with it.

Third Party Information
Data Standardization: Standardize data formats and structures to ensure consistency and facilitate integration and analysis when dealing with third-party data from different sources.

Geographic Information
Geospatial Formats: Geographic information can be stored in various geospatial formats, including Geographic Information System (GIS) files, shapefiles, Keyhole Markup Language (KML), and more.

Contract Information
Contract Management Systems (CMS): Consider using contract management software or CMS to organize, store, and manage contract information efficiently.

Retention

Special Handling PII
Retention Policies: Define specific retention periods for Special Handling PII based on legal and regulatory requirements. Delete or securely dispose of data once it's no longer needed.

Protected Health Information
Retention Policies: Establish and adhere to retention policies for PHI, taking into account both legal and operational requirements.
Secure Disposal: When PHI is no longer needed, it should be securely disposed of or de-identified to prevent unauthorized access. HIPAA defines specific methods for secure PHI disposal.

Sensitive PII
Retention Policies: Establish data retention policies that specify how long Sensitive PII will be retained, taking into account legal, regulatory, and operational requirements.

Personal Information
Secure Disposal: When personal information is no longer needed, it should be securely disposed of to prevent unauthorized access. Secure disposal methods can include shredding physical documents and secure data deletion for digital records.

Regulated Data
Retention Policies: Organizations must develop and adhere to data retention policies that specify how long regulated data should be retained. These policies should align with the requirements of the applicable regulations.
Secure Disposal: When regulated data is no longer needed or reaches the end of its retention period, it should be securely disposed of or archived in a compliant manner to prevent unauthorized access or data breaches.

Third Party Information
Retention Policies: Define data retention policies for third-party information, considering legal requirements, contractual obligations, and business needs. Retain data only for as long as necessary.

Geographic Information
Archiving: For historical geographic data that must be retained, consider archiving strategies to ensure long-term preservation and accessibility.

Contract Information
Retention Policies: Develop and adhere to data retention policies that specify how long contract information will be retained. Retention periods may vary based on legal, regulatory, and business requirements.
Risks / impact

Identity Theft: Unauthorized access to Special Handling PII can lead to identity theft, where malicious actors impersonate individuals for financial gain.
Financial Fraud: Financial account numbers and related data can be used for fraudulent transactions and theft.
Medical Privacy Breaches: Exposure of medical records can lead to privacy violations, discrimination, and medical identity theft.
Legal Consequences: Mishandling Special Handling PII can result in severe legal and regulatory penalties, as well as reputational damage to organizations.

Privacy Breaches: Unauthorized access to or disclosure of PHI can lead to privacy breaches, which may result in legal penalties and reputational damage.
Identity Theft: Stolen medical information can be used for medical identity theft, resulting in financial losses and compromised healthcare records.
Legal Consequences: Non-compliance with HIPAA can lead to severe legal consequences, including fines and criminal charges.

Identity Theft: Unauthorized access to Sensitive PII can lead to identity theft, where malicious actors impersonate individuals for financial gain.
Financial Fraud: Stolen financial account numbers can be used for fraudulent transactions and theft.

Privacy Breaches: Unauthorized access to personal information can result in privacy breaches, identity theft, and financial losses.
Reputation Damage: Mishandling personal information can damage an organization's reputation and erode trust with customers and stakeholders.

Legal Consequences: Non-compliance with relevant laws and regulations can result in legal penalties, fines, and damage to an organization's reputation.
Data Breaches: Mishandling regulated data can lead to data breaches, identity theft, and financial fraud, causing harm to individuals and organizations.
Loss of Trust: Data breaches and regulatory violations can erode trust among customers, clients, and stakeholders.

Data Privacy Violations: Mishandling third-party information can result in data privacy violations, which may lead to legal consequences, financial penalties, and reputational damage.

Environmental and Urban Planning: Inaccurate or mismanaged geographic data can lead to suboptimal decision-making in areas such as urban planning and environmental conservation.

Legal and Financial Risks: Mishandling contract information can lead to legal disputes, breaches of contract, and financial losses.
Data Breaches: Unauthorized access to contract information may result in data breaches, intellectual property theft, or the exposure of sensitive terms and conditions.
Control measures

Data Classification: Clearly label and classify Special Handling PII to ensure that it receives the highest level of protection.
Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent unauthorized data transfers or leaks.
Security Awareness Training: Provide ongoing training and awareness programs to educate employees about the importance of handling Special Handling PII securely.

HIPAA Compliance: Implement comprehensive HIPAA compliance programs that include policies, procedures, and employee training.
Security Audits: Regularly audit and assess security controls and practices to ensure compliance and the safeguarding of PHI.
Data Encryption: Use strong encryption protocols to protect PHI during transmission and storage.

Data Classification: Clearly label and classify Sensitive PII to ensure that it receives the highest level of protection.
Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent unauthorized data transfers or leaks.

Data Protection Policies: Establish comprehensive data protection policies and procedures to ensure the responsible handling of personal information throughout its lifecycle.

Compliance Programs: Establish and maintain comprehensive compliance programs that include policies, procedures, and ongoing monitoring to ensure regulated data is handled in accordance with applicable regulations.
Security Measures: Implement robust data security measures, such as encryption, access controls, and data loss prevention (DLP) solutions, to protect regulated data.
Data Audits and Assessments: Conduct regular audits and assessments of data handling practices to identify vulnerabilities and areas for improvement.

Data Governance: Establish a robust data governance framework that includes policies, procedures, and data stewardship practices for handling third-party information.

Data Encryption: Ensure that geographic data is encrypted when transmitted or stored, especially when shared over networks or stored in the cloud.

Contract Management Processes: Establish and follow robust contract management processes to ensure the proper handling of contract information from creation to execution and storage.
Access Logs and Audits: Maintain access logs and conduct regular audits to monitor who accesses contract information and when.
Sensitivity Level

Confidential: Data elements that are privileged under the Right-to-Know Act.

Restricted: Data elements that are not privileged under the Right-to-Know Act, but are highly sensitive and should not be released as they may cause harm to an individual.

Internal: Data elements that are not privileged under the Right-to-Know Act, but release would not require notification or cause individuals drastic harm.

Public: Data elements that are made readily available to the public through websites or other modes of publication.

Asset Information

Asset Type
Name
IP Address
Type
Environment
Application(s)
Location
"C" data (SEC019)
Data Element Category

SSN - Social Security Number


Federal Tax Withholdings
TIN - Taxpayer Identification Number
Criminal History
Credit Card Number
Medical History
Parent No.
Contract No.
Commodity Specialist
Bid Opening Date
Procurement No.
Elevation
Childcare Facility Address
Vendor Phone Number
First Name
Last Name
Middle Name
Email Address
Address
Phone Number
Date of Birth
Place of Birth
Gender
Age
ZIP Code
PIN - Personal Identification Number
PAN - Primary Account Number / Account Number
Personally Identifiable Financial Information
SSN - Social Security Number
Drivers License Number
Tax Identification Number
Subscriber Identification Number
Student Identification Number
Credit Card Number
Debit Card Number
Mother's Maiden Name
Name of Parents/Family Members
Institution Attended
Major Field of Study
Grade Level
Degree
Awards
Enrollment Status
Dates of Attendance
Photograph
Race
DNA Sequence
Character/ General Reputation/ Personal Characteristics
Facial Characteristics
Handwriting
Finger Prints
Voice Prints
Criminal History
Nonpublic Personal Information
Card Validation Codes / Values
Cardholder Data - Full magnetic stripe
Cardholder name
Expiration date
Access Code
Security Code
Password
Income
Credit Score
Credit Standing
Credit Capacity
Account History
Consumer’s Credit Worthiness
Mode of Living
Genetic Marker
Genetic Testing Information
Private Satellite Video Communication
Wired Communication
Oral Communication
Electronic Communication
Telephone Conversations
Email Communication
Motor Vehicle Title
Motor Vehicle Registration
Medical Information
Health Insurance Policy Number
Individual's Medical History
Individual's Mental Condition Information
Individual's Physical Condition Information
Medical Treatment or Diagnosis Information
Patient Account Number
Medical Record Number
Biometric Records
Retina and Iris Patterns
Payment of Health Care Provisions
Disability Code
Diagnosis Report
Health Plan Beneficiary
Health Plan Insurance Premium
Health Services provided
Insurance Carrier
Medical Condition/Disability Description
Medical License Number
Medicaid Provider ID
Policy Group Number
Service Code
Complete Track Data
PIN Blocks
Transaction Data
Unique Identifier
Individual's Application and Claims History, Including any Appeals Records.
Billing Information at the Clinic
Telephone Listing
Weight of Members
Height of Members
Educational Agency
Participation in Officially Recognized Activities and Sports
Geographic Indicators
Demographic Information
State Tax data
Driver’s license
EBT card number
FEIN
Financial account number
Medicare Claim Number
Medicare ID
Passport Number
State Identification Number
Account Number
Alias
Appellation Code
Application Name
Application Number/e-form number
Application Registration Number
Area Code
Barcode Number
Birth place (country/state/city)
Case Number
Case Record Name
Case Record Number
Caseload Number
Check Number
CHIP Contractor Code
CIS Application Number
CIS Record Number
City
City Township
Civil Subdivision
COMPASS Individual Number
Community Based Organization Name
Community Partner Organization ID
Community Partner User ID
County
County Code
Court Name/Court order number
District Office
DoB
Doctor/Clinic/Nursing facility Address
Doctor/Clinic/Nursing facility Name
Document ID
Date of Death
Employer Address
Employer Contact Phone Number
Employer Identifier
Employer Name
Employer Sequence Number
Fax Number
FFM Individual Number
Funeral Home name
Group Number
Heating Provider Account Number
Home Phone Number
Household Disability Indicator
Household Number
Income/Gross
Income/Monthly Income
Individual Number
Insurance Address
Insurance Provider/Insurance Company Name
Internet Protocol Address
Language
Latitude
Legal Entity - Service Location
Longitude
Maiden Name
Marital Status
Master Provider Index Number
MCI Number
Medical Provider information (name, address, phone number)
Middle Initial
Name of Financial Institution
Name of Organization of Sponsor
Notice ID
Notification Identifier
Parole Number
Passport Expiration date
Pay Rate
Payment Name
Payment Number
Phone Extension
Place of Birth
Place of parole/probation (state, county, jurisdiction)
Policy ID
Policy Number
Prisoner Number
Provider Address
Provider M.A.I.D Number
Provider Name
Provider Number
Provider Phone
Realtor Name
Realtor Phone Number
Record Number in Upload File/Record Number
Ref#
Reviewer's User ID
School Building Name
School Code
School County Code
School District
School District Code
School Name
Screening Number
Second Last Name
SNAP or TANF case number
Sold Property Description
SSA Verification Identifier
State
Suffix
TANF Case Number
Target System Application ID
Target System Individual ID
Third Person Contact
Third Person Phone
Tribe State
UFI Number
User Hint Answer
User Hint Question
User Identity of the Community Partner
User Identity of Sponsor
User Logon ID
Username identifier
Vehicle Information (Year,make and model)
Veteran Claim Number
Wage
Web Application Number
ZIP Extension
Alien Registration Number
Citizenship Code
Citizenship
Citizenship Status
Country of Origin
Criminal convictions
Drug and alcohol abuse information
Health/ Sexual orientation
I551 Card Number
I94 Document Number
Non citizen Registration ID
Offenses
Party Affiliation
Racial/ Ethnic origin
Religious/ Philosophical beliefs
Trade-union membership
Tribe Name
Voter ID number
Unearned Income
Sensitivity
ACA - Patient Protection and Affordable Care Act of 2010, Section 1561
ADA - Americans with Disabilities Act
COPPA - Children's Online Privacy Protection Act
ECPA - Electronic Communications Privacy Act 18 U.S.C. §§ 2510-2521
FERPA - The Family Educational Rights and Privacy Act
HIPAA - Health Insurance Portability and Accountability Act 1996
SSA - Social Security Administration
BPINA - Breach of Personal Information Notification Act
e-Government Act of 2002
Federal Driver's Privacy Protection Act
Privacy Act of 1974
Health Information Technology for Economic and Clinical Health Act
USA Patriot Act - Title III Section 326
Commonwealth of Pennsylvania Electronic Information Privacy Policy (ITV-PRV001)
DPW IT security incident reporting policy (POL_ENss002)
CMS - Centers for Medicare and Medicaid Services Information Security (IS) Acceptable Risk Safeguards (ARS) – Moderate level.
PCI DSS - PCI Data Security Standard
Patient Safety and Quality Improvement Act of 2005
Federal Trade Commission Standards for Safeguarding Customer Information Final Rule 16 CFR Part 314
CJIS - Criminal Justice Information System - Security Safeguards
IRS - Internal Revenue Services, publication 1075 (August 2010).
NIST Special Publication 800-53
Title V - Confidential Information Protection and Statistical Efficiency
Federal Trade Commission Affiliate Marketing Rule Final Rule 16 CFR Parts 680 and 698
FTC Health Breach Notification Final Rule
Federal Trade Commission Privacy of Consumer Financial Information Final Rule 16 CFR Part 313
HHS-Breach Notification for Unsecured Protected Health Information; Interim Final Rule 45 CFR Parts 160 and 164
Asset Information *REQUIRED*: # | Asset Type | Name | IP Address | Type | Environment | Application(s) | Location | "C" data (SEC019)
Category *RECOMMENDED*: Special Handling PII | Personal Information | Sensitive PII | Protected Health Information | Regulated Data | Third Party Information | Geographic | Contract
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
