Commercial Information Security Classification System

Ab03678bbcfaa5425274e4d3905ae7b8?s=47 Frank Rietta
September 03, 2014

Commercial Information Security Classification System

Above the yellow line, you have some wiggle room. Between the yellow and the red line is the uncanny valley of personal information and below the red line, enhanced security countermeasures are highly advised.

You may be familiar with information classification in the military, you hear about secret or top secret information. In a commercial application, such as yours there are other categories of information. The five categories are Public, Internal Use, Confidential, Sensitive, and Highly Sensitive. Most business information is Internal Use, most customer data is Confidential, except that checking account numbers and payment data and drivers license details are Sensitive. Encryption keys and staff passwords are Highly Sensitive.

Other Classification Systems

The Georgia Institute of Technology has a slightly different, four tier classification system. It’s worth reading about and helped me as I developed this classification.

The term data classification used in this guide should not be confused with the practice of handling or working with “classified data” (e.g. Government Classified data). Georgia Tech classifies all data into one of four Data Categories.

Category I—Public Use: This information is for general public use such as the Institute’s Web site contents, press releases, and annual reports.

Category II—Internal Use: Information not generally available to parties outside the Georgia Tech community, such as directory listings, minutes from non-confidential meetings, and internal intranet Web sites. Public disclosure of the information would cause minimal trouble or embarrassment to the Institute.

Category III—Sensitive: This information is considered private and should be guarded from disclosure; disclosure of the information may contribute to financial fraud. Disclosure may also violate state and/or federal law.

Category IV—Highly Sensitive: Data which must be protected with the highest levels of security, as prescribed in contractual and/or legal specifications.

Further reading

Data Access Policy

Data Security Classification Handbook

Data Protection Safeguards


Frank Rietta

September 03, 2014


  1. 1. Public: Public information 2. Internal Use: Confidential business information

    3. Confidential: Information that customers consider confidential 4. Sensitive: Personal and Private Information (PII), information that THE LAW considers confidential! 5. Highly Sensitive: Encryption keys, server secrets, staff/admin passwords Commercial Information Security Classification System