Cyber Security Policy Manual

Data User

Handle classified data in accordance with the rules and guidelines defined in this policy

POLICY

1) Since the classification of data helps determine the appropriate security controls to implement in order to protect the data, all of the City’s data must be classified into one of the following categories:

e. Confidential – this type of data could cause significant impact to the City if destroyed, modified or disclosed without authorization. Examples of confidential data include:

   o Personally Identifiable Information (PII) – this includes name, social security number, date of birth, state-issued driver’s license number, and other personal characteristics that would make the person easily identifiable.
   o Payment Card Information – this includes cardholder name, credit card number, service code, expiration date, CVV, PIN, and content of credit card magnetic stripe.
   o Protected Health Information (PHI) – this includes any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
   o SCADA and critical infrastructure documents
   o Other data types that must be protected in accordance with state and federal regulation.

f. Public – this type of data could cause low impact to the City if destroyed, modified or disclosed without authorization. Examples of public data include:

   o Any information that can be made public through the Public Information Request Tracking (PIRT) system
   o Publicly accessible websites
   o Data posted on blogs and other social media outlets
   o Press releases posted on public websites

2) The classified data must be handled based on the following table. The table also defines the required security controls to protect the classified data.

Security Control Category | Data Classification: Confidential | Data Classification: Public
