Identifying Information Sensitivity

We constantly handle information in the work environment, be it over local area networks (LANs), telephones, electronic mail (e-mail) messages, or through web sites. Yet how many of us adequately consider what type of information we are dealing with, how that information should be handled, and how to protect the information according to the risk and impact of its being altered, destroyed, made unavailable, or disclosed? This paper deals specifically with identifying the different sensitivity levels of information so that it is appropriately handled. As discussed below, there are different types of information, such as unclassified, sensitive yet unclassified, or classified materials.
 
Classified information is defined as:
Official information regarding the national security that has been designated Confidential, Secret, or Top Secret.

Unclassified information is defined as:
Information that does not have a national security designation.

Sensitive unclassified information is defined as:
Information that requires protection due to the risk and magnitude of harm or loss that could result from unauthorized disclosure, alteration, loss, or destruction. The term includes, but is not limited to, Privacy Act information, proprietary information, and information not releasable under the Freedom of Information Act.

Sensitive unclassified information takes many forms, most of which we might not consider to even be sensitive. An intruder, however, can gain much knowledge about a person or organization simply by piecing together what most might consider trivial. NASA Procedures and Guidance for the Security of Information Technology (NPD 2810, Draft) identifies the following five categories of sensitive unclassified information used in conducting the Agency's business.

 

1. Mission Information

If the information, software applications, or computer systems in this category are altered, destroyed, or made unavailable, the impact on NASA could be catastrophic. The result could be a loss of assets, a threat to life, or prevention of NASA from preparing or training for a critical mission. Examples are information on:

  • Training for and/or participating in human space flight;
  • Software used to control human flight;
  • Training simulation vehicles;
  • Wind tunnel operations;
  • Launch operations; and
  • Space vehicle operations.
 

2. Business and Restricted Technology Information

Information, software applications, or computer systems that support NASA's business and technological needs fall within this category. Disclosure of this type of information could result in: lawsuits and civil or criminal prosecution against NASA employees or its contractors; contract protests; or the illegal export of technology. Examples include:

  • Financial;
  • Legal;
  • Payroll;
  • Personnel;
  • Medical;
  • Procurement;
  • Source selection;
  • Grant descriptions;
  • Technical specifications embargoed from export; and
  • Proprietary details entrusted to the Government.
 

3. Scientific, Engineering, and Research Information

This category contains information that supports basic research, engineering, and technology development but is less restricted against public disclosure. Alteration, destruction, unauthorized disclosure, or unavailability of the systems, applications, or information would have an adverse or severe impact on individual projects, scientists, or engineers. The impact is primarily on an individual project rather than on the Agency.
 

4. Administrative Information

Administrative information consists of systems, applications, and information that support NASA's daily activities, such as electronic mail, forms processing, and management reporting. This type of information is considered sensitive in that, if released to the public, it could possibly compromise an employee or job-related information. Administrative information includes, but is not limited to:

  • Infrastructure design details;
  • Pre-decisional notes;
  • Vulnerability descriptions or lists;
  • Passwords; and
  • Internet protocol addresses.
 

5. Public Access Information

Information in this category is intended for public use or disclosure. The loss, alteration, or unavailability of the information would have little direct impact on NASA's missions, but might expose the Agency to embarrassment, loss of credibility, or public ridicule.

Be cautious when dealing with information! Determine the classification and sensitivity level of the information before you send it over a LAN, telephone, e-mail message, or include it on a web site. Classified information should never be sent over an unclassified LAN, discussed over a telephone, left as a voice message, or included in a web site intended for the public. Consider the following points when handling sensitive information:

  1. Under which of the five categories does the information fall?
  2. What are the vulnerabilities, risks, and/or ramifications if someone other than the intended party has access to the information, or if a legitimate user is denied access?
  3. Should the information be included on the public or private web site?
 