Section 2: Classify Data
This section establishes how TxDOT classifies data as part of its Information Protection Policy and describes the minimum protocols and responsibilities that must be in place to effectively assess the value of information against the risk of it being misused. It provides a dynamic approach to the “Protect” objective of the Texas CyberSecurity Framework.
TxDOT owns all the data created and used in support of its business activities. The offices responsible for identifying and prioritizing department needs associated with the data must classify the data into three categories: public (least restrictive), sensitive, and confidential (most restrictive).
The data is classified either by the content itself or by its system after considering the damage that could occur to individuals or TxDOT if the information were used for something other than its original purpose. All TxDOT information—regardless of form, format, quantity, or location (on or off premises)—must be classified.
Considerations must also include:
- where the information is initially created or captured, processed, transferred, kept, archived, and disposed
- the form of the data: whether it is physical (a hand-written note) or digital (an email) is not relevant; it must still be classified
- the data’s context. For example, a common individual name may not pose any risk until it is paired with a social security number, street address, date of birth, etc. that identifies a specific person, who could then suffer damage.
To help assess the significance of the misuse, TxDOT will use both the “Potential Impact Definitions for Security Objectives” published by the National Institute of Standards and Technology (NIST) and these factors:
- value and associated risks of the data
- levels of protection as required by state and federal laws
- obligations as stewards such as ethical, proprietary, and privacy protection.
When considering those factors, TxDOT must:
- recognize that data classifications are subject to change
- review data periodically to ensure it meets current classification levels
- protect backups with the same classification level provided for the original data
- employ sanitization mechanisms with strength and integrity commensurate with the security category of the information.
General. The responsibility for protecting the data varies according to the role employees play in creating, maintaining, using, and storing the information. These roles are defined in Title 1, Part 10 of the Texas Administrative Code, Chapter 202, Subchapter A, 1TAC§202.1. Minimally, individuals who use TxDOT information assets must comply with all the security controls established by agency policies, processes, and procedures; and provide written acknowledgment that they will comply with these standards in the prescribed manner.
Role Specific. Individuals who have operational or statutory responsibility for information, also known as Information Owners, have additional responsibilities, including determining the classification for the data and the protection measures needed.
Information Owners may delegate the day-to-day maintenance of these records to others, including contractors or vendors, as a routine part of their job responsibilities. Those individuals are defined as Information Custodians and also have a distinct set of responsibilities for data classification.
Compliance and Standards
See the “Classify Data Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Information Protection Policy.