Sensitive CHA data must be protected to prevent theft, unauthorized access, compromise, or inappropriate use (see Protect Sensitive Data). CHA's data classification levels are designed to help determine the minimum security requirements for protecting data. The level of protection is driven by legal, regulatory, academic, financial, and operational requirements, as well as the criticality and risk levels associated with the data.
Data classification:
In classifying sensitive data, Cambridge Health Alliance:
See the Sensitive Data Guide for information about compliance requirements, and where to safely store sensitive data.
CHA data governance establishes decision rights with respect to CHA's data for the purpose of ensuring accountability, and defines the processes and standards associated with their proper use.
CHA data stewards are primarily responsible for determining classification of data by category. It is important to account for federal and state laws and regulations that require CHA to apply certain security safeguards to various sensitive data categories. Widely adopted industry standards, such as those that apply to credit card payments, also create additional requirements to be followed.
CHA data creators and owners (for example, principal investigators, researchers, administrative units) are responsible for determining the classification level for their specific data set(s) based on the levels assigned by data stewards for specific data categories or types. Data creators and owners should keep in mind that the minimum security controls required increase as the classification level moves from low to moderate to high to restricted. The key objective in identifying the classification level is to make a risk-based determination of which security controls to implement, and to avoid protecting data beyond what is appropriate.
Not sure how a specific data set should be classified? Questions or concerns about specific classifications should be directed to Information Assurance by contacting the Chief Compliance Officer, Chief Privacy Officer, or Chief Information Security Officer.
You are responsible for complying with the policies and standards below. The information on this page helps you meet that responsibility.