Scribd
Upload
127 views43 pages

Data Categorization & Inventory Template

1. The document provides a template for Commonwealth agencies to inventory data located on their servers, including mapping data elements to categories and sensitivity levels defined in the template. 2. Agencies are instructed to complete an asset information section and identify applicable data categories for each agency asset using the provided template. 3. The template includes definitions of data categories like Special Handling PII, Protected Health Information, and Sensitive PII, along with examples to help agencies determine the appropriate category for data elements.

Uploaded by

Rafikul Islam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
127 views43 pages

Data Categorization & Inventory Template

1. The document provides a template for Commonwealth agencies to inventory data located on their servers, including mapping data elements to categories and sensitivity levels defined in the template. 2. Agencies are instructed to complete an asset information section and identify applicable data categories for each agency asset using the provided template. 3. The template includes definitions of data categories like Special Handling PII, Protected Health Information, and Sensitive PII, along with examples to help agencies determine the appropriate category for data elements.

Uploaded by

Rafikul Islam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
You are on page 1/ 43

OPD-SEC019A

Data Categorization and Inventory Operating T


Version: 2.10

Agency:
Business/Program:
ory Operating Template
Document Control Information
Document Information
Document Name OPD-SEC019A - Data Categorization and Inventory Operating Template

Document Edit History


Version Date Additions/Modifications
1.00 14-Nov-2014 Initial Draft
1.10 4-Feb-2015 Revised Document Name
2.00 20-May-2015 - Amended the Instructions tab for clairification
- Added "Asset Information" in the Categorization tab
- Added "Application" and "Location" types in Data Inventory Server Information
- Revised the Data Inventory tab - moved "C" data (SEC019) to Asset
Information area
- Made "Asset Information" required data inputs; made "Category"
recommended data inputs in the Data Inventory tab
- Removed "Distribution of Final Document" from Doc Control Info
- Removed "Document Review/Approval History" (review and approval will be
through ITP-SEC019 governance process
- Removed Document Identification, Project Name, Client, Document Author,
Document Version, Document Status Date Released fields from Document
Information in Doc Control Info tab

2.10 27-Jul-2015 Added "Agency, Business/Program Area" to cover sheet


Expanded Instructions tab
Prepared/Revised By
Unisys team
OA-OIT-BEA
OA-OIT-BEA

OA-OIT-BEA
Summary Information
The purpose of this document is to provide the Commonwealth of Pennsylvania with:
Purpose of the - A mapping of data elements to data categories as determined by regulatory requirements
document - A template to create a data inventory for each agency's assets
- Documentation of data categories from identified assets in the Commonwealth environment

1. Cover - includes Agency and Business/Program area of inventory


2. Document Control Information - contains revision, version, and review information
3. Instructions and Summary Information - contains instructions for use of the workbook
Worksheet Summary
4. Categorizations - contains definitions for each data category and sensitivity level, including e
5. Data Classification Model - contains the mapping of sample data elements to regulatory req
6. Data Inventory - contains a template for the Commonwealth agencies to use when creating a

Instructions

1. Add the Commonwealth Agency and (if neccessary) the Business/Program Area on the Cove
2. Review the Categorizations tab to learn the definitions and examples of the different categor
3. Review the Data Classification Model tab to familiarize with the mapping of sample data ele
4. (Required) On the Data Inventory tab, complete the Asset Information section. Refer to the C
appropriate input for each identified asset.
Instructions 5. (Recommended) On the Data Inventory tab, identify data categories that are present in an a
Model tab as a guidance for determining what category different data elements belong to.
6. (As Needed) On the Data Class Model tab, add additional Data Elements, the Category of th
associated federal or state mandates/laws that are not currently captured in the OPD-SEC019A
template in future revisions. We request that you send any additional additions to RA-ITCentral@
version of this template.
Information
f Pennsylvania with:
by regulatory requirements

Commonwealth environment

tory
and review information
ns for use of the workbook
and sensitivity level, including examples
data elements to regulatory requirements for protection
agencies to use when creating an inventory of data located on their servers

uctions

ess/Program Area on the Cover sheet


xamples of the different categorizations, sensitivity levels, and asset information.
he mapping of sample data elements to regulatory requirements for protection.
ormation section. Refer to the Categorizations tab as a guidance for determining

egories that are present in an agency's assets by using an X. Use the Data Classification
data elements belong to.
ta Elements, the Category of the Data Element, Sensitivity of the Data Element and
captured in the OPD-SEC019A template. This will help OA-OIT build a more comprehensive
onal additions to RA-ITCentral@pa.gov so that OA-OIT can evaluate and add to a future
Categories

Special Handling PII

Protected Health
Information

Sensitive PII

Personal Information
Regulated Data

Third Party
Information

Geographic
Information

Contract Information
Categories

Special Handling PII refers to personal information as defined by PA Senate Bill 712 (Breach of Personal Information Act).
Data identifiers for this category are an individual's first name or first initial and last name in combination with and
linked to one or more of the following data elements, when the name and data elements are not encrypted or redacted:

1. Social Security Number (SSN)


2. Driver's license number or Commonwealth identification card number issued in lieu of a driver's license
3. Financial account number, credit or debit card number, in combination with a security code, access code or password
that may likely permit access to an individual's financial account
4. Medicare ID
5. Federal Employer Identification Number (FEIN)

Examples of Special Handling PII: Passport Number, Student Identification Number

Protected Health Information (PHI) refers to an individual's identifiable health information. Protected Health
Information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they may
be associated with the health information listed above. For example, a medical record, laboratory report, or hospital bill
may likely be termed as PHI because each document may likely contain the patient’s name and/or other identifying
information associated with the health data content.

Examples of Protected Health Information: Biometric Records, Insurance Carrier

Sensitive PII refers to personal information revealing characteristics about an individual that requires stricter handling
guidelines because of the nature of the data and the increased risk to an individual, and if lost, compromised, or
disclosed without authorization, could result in harm, embarrassment, inconvenience, or unfairness to an individual.

Examples of Sensitive PII: Photograph, Race

Personal Information refers to information about an individual maintained by an agency, including:

1. Information that can be used to distinguish or trace an individual's identity


2. Information that is linked or linkable to an individual

Examples of Personal Information: Place of Birth, Mother's Maiden Name


Regulated Data refers to information received externally from a federal or Commonwealth of Pennsylvania entity which
is bound by specific regulations. Regulated data may come from the following sources:

1. SSA
2. IRS
3. CMS
4. CJI/CHRIA (Managed and shared by JNET)
5. FERPA
6. PCI

Examples of Regulated Data: Criminal History, Medical History

Third Party Information refers to information associated with and specific to third party entities, including vendors,
suppliers, business partners, and contractors.

Examples of Third Party Information: Vendor Address, Vendor Phone Number

Geographic Information pertains to an asset's locational information or elements from a geographic information system
(GIS).

Examples of Geographical Information: Childcare Facility Address, Elevation

Contract Information consists of data elements associated with contract, award, and bidding activities related to
procurement of supplies or services.

Examples of Contractor Information: Contract No., Commodity Specialist


Sensitivity Level Asset Information

Desktop or Server

Agencies only need to report


Data elements that are Desktop assets if a non-server
Confidential privileged under the Right-to- Asset Type computer is running a database
Know Act. program (i.e. MS Access, MS
Excel) that contain data that
needs to be reported in the data
inventory.

Data elements that are not


privileged under the Right-to-
Know Act, but are highly Computer name given to the
Restricted Name
sensitive and should not be server or desktop
released as they may cause
harm to an individual.

Data elements that are not


privileged under the Right-to-
Internal Know Act, but release would not IP Address IP address of the server
require notification or cause
individuals drastic harm.

Data elements that are made


readily available to the public database, file server, web
Public Type
through websites or other server, virtual server, etc.
modes of publication.
Environment Staging, Beta, Production

Identify the application(s) being


Application(s)
run on the server

Physical location of the server


Location (include building) (i.e. Finance
Building 311 Harrisburg)

"C" data Refer to ITP-SEC019 for


(SEC019) definitions/examples of the four
"C" data types.
rmation

or Server

only need to report


assets if a non-server
is running a database
(i.e. MS Access, MS
at contain data that
be reported in the data
.

r name given to the


desktop

s of the server

, file server, web


rtual server, etc.
Beta, Production

he application(s) being
e server

ocation of the server


building) (i.e. Finance
311 Harrisburg)

TP-SEC019 for
s/examples of the four
ypes.
Data Element Category

SSN - Social Security Number Regulated (SSA)


Federal Tax Withholdings Regulated (IRS)
TIN - Taxpayer Identification Number Regulated (IRS)
Criminal History Regulated (CJI)
Credit Card Number Regulated (PCI)
Medical History Regulated (CMS)
Parent No. Contract Information
Contract No. Contract Information
Commodity Specialist Contract Information
Bid Opening Date Contract Information
Procurement No. Contract Information
Elevation Geographic Information
Childcare Facility Address Geographic Information
Vendor Phone Number Third Party Information
First Name Personal Information
Last Name Personal Information
Middle Name Personal Information
Email Address Personal Information
Address Personal Information
Phone Number Personal Information
Date of Birth Personal Information
Place of Birth Personal Information
Gender Personal Information
Age Personal Information
ZIP Code Personal Information
PIN - Personal Identification Number Special Handling PII
PAN - Primary Account Number / Account Special Handling PII
Number
Personally Identifiable Financial Information Special Handling PII
SSN - Social Security Number Special Handling PII
Drivers License Number Special Handling PII
Tax Identification Number Special Handling PII
Subscriber Identification Number Special Handling PII
Student Identification Number Special Handling PII
Credit Card Number Special Handling PII
Debit Card Number Special Handling PII
Mother's Maiden Name Personal Information
Name of Parents/Family Members Personal Information
Institution Attended Personal Information
Major Field of Study Personal Information
Grade Level Personal Information
Degree Personal Information
Awards Personal Information
Enrollment Status Personal Information
Dates of Attendance Personal Information
Photograph Sensitive PII
Race Sensitive PII
DNA Sequence Sensitive PII
Character/ General Reputation/ Personal Sensitive PII
Characteristics
Facial Characteristics Sensitive PII
Handwriting Sensitive PII
Finger Prints Sensitive PII
Voice Prints Sensitive PII
Criminal History Sensitive PII
Nonpublic Personal Information Sensitive PII
Card Validation Codes / Values Sensitive PII
Cardholder Data - Full magnetic stripe Sensitive PII
Cardholder name Sensitive PII
Expiration date Sensitive PII
Access Code Sensitive PII
Security Code Sensitive PII
Password Sensitive PII
Income Sensitive PII
Credit Score Sensitive PII
Credit Standing Sensitive PII
Credit Capacity Sensitive PII
Account History Sensitive PII
Consumer’s Credit Worthiness Sensitive PII
Mode of Living Sensitive PII
Genetic Marker Sensitive PII
Genetic Testing Information Sensitive PII
Private Satellite Video Communication Sensitive PII
Wired Communication Sensitive PII
Oral Communication Sensitive PII
Electronic Communication Sensitive PII
Telephone Conversations Sensitive PII
Email Communication Sensitive PII
Motor Vehicle Title Sensitive PII
Motor Vehicle Registration Sensitive PII
Medical Information Protected Health Information
Health Insurance Policy Number Protected Health Information
Individual's Medical History Protected Health Information
Individual's Mental Condition Information Protected Health Information
Individual's Physical Condition Information Protected Health Information
Medical Treatment or Diagnosis Information Protected Health Information
Patient Account Number Protected Health Information
Medical Record Number Protected Health Information
Biometric Records Protected Health Information
Retina and Iris Patterns Protected Health Information
Payment of Health Care Provisions Protected Health Information
Disability Code Protected Health Information
Diagnosis Report Protected Health Information
Health Plan Beneficiary Protected Health Information
Health Plan Insurance Premium Protected Health Information
Health Services provided Protected Health Information
Insurance Carrier Protected Health Information
Medical Condition/Disability Description Protected Health Information
Medical License Number Protected Health Information
Medicaid Provider ID Protected Health Information
Policy Group Number Protected Health Information
Service Code Special Handling PII
Complete Track Data Special Handling PII
PIN Blocks Special Handling PII
Transaction Data Special Handling PII
Unique Identifier Protected Health Information
Individual's Application and Claims History, Protected Health Information
Including any Appeals Records.
Billing Information at the Clinic Protected Health Information
Telephone Listing Personal Information
Weight of Members Protected Health Information
Height of Members Protected Health Information
Educational Agency Personal Information
Participation in Officially Recognized Activities and Personal Information
Sports
Geographic Indicators Personal Information
Demographic Information Personal Information
State Tax data Sensitive PII
Driver’s license Special Handling PII
EBT card number Special Handling PII
FEIN Special Handling PII
Financial account number Special Handling PII
Medicare Claim Number Special Handling PII
Medicare ID Special Handling PII
Passport Number Special Handling PII
State Identification Number Special Handling PII
Account Number Personal Information
Alias Personal Information
Appellation Code Personal Information
Application Name Personal Information
Application Number/e-form number Personal Information
Application Registration Number Personal Information
Area Code Personal Information
Barcode Number Personal Information
Birth place (country/state/city) Personal Information
Case Number Personal Information
Case Record Name Personal Information
Case Record Number Personal Information
Caseload Number Personal Information
Check Number Personal Information
CHIP Contractor Code Personal Information
CIS Application Number Personal Information
CIS Record Number Personal Information
City Personal Information
City Township Personal Information
Civil Subdivision Personal Information
COMPASS Individual Number Personal Information
Community Based Organization Name Personal Information
Community Partner Organization ID Personal Information
Community Partner User ID Personal Information
County Personal Information
County Code Personal Information
Court Name/Court order number Personal Information
District Office Personal Information
DoB Personal Information
Doctor/Clinic/Nursing facility Address Personal Information
Doctor/Clinic/Nursing facility Name Personal Information
Document ID Personal Information
Date of Death Personal Information
Employer Address Personal Information
Employer Contact Phone Number Personal Information
Employer Identifier Personal Information
Employer Name Personal Information
Employer Sequence Number Personal Information
Fax Number Personal Information
FFM Individual Number Personal Information
Funeral Home name Personal Information
Group Number Personal Information
Heating Provider Account Number Personal Information
Home Phone Number Personal Information
Household Disability Indicator Personal Information
Household Number Personal Information
Income/Gross Personal Information
Income/Monthly Income Personal Information
Individual Number Personal Information
Insurance Address Personal Information
Insurance Provider/Insurance Company Name Personal Information
Internet Protocol Address Personal Information
Language Personal Information
Latitude Personal Information
Legal Entity - Service Location Personal Information
Longitude Personal Information
Maiden Name Personal Information
Marital Status Personal Information
Master Provider Index Number Personal Information
MCI Number Protected Health Information
Medical Provider information (name, address, Personal Information
phone number)
Middle Initial Personal Information
Name of Financial Institution Personal Information
Name of Organization of Sponsor Personal Information
Notice ID Personal Information
Notification Identifier Personal Information
Parole Number Personal Information
Passport Expiration date Personal Information
Pay Rate Personal Information
Payment Name Personal Information
Payment Number Personal Information
Phone Extension Personal Information
Place of Birth Personal Information
Place of parole/probabtion Personal Information
(state,county,jurisdiction)
Policy ID Personal Information
Policy Number Personal Information
Prisoner Number Personal Information
Provider Address Personal Information
Provider M.A.I.D Number Personal Information
Provider Name Personal Information
Provider Number Personal Information
Provider Phone Personal Information
Realtor Name Personal Information
Realtor Phone Number Personal Information
Record Number in Upload File/Record Number Personal Information
Ref# Personal Information
Reviewer's User ID Personal Information
School Building Name Personal Information
School Code Personal Information
School County Code Personal Information
School District Personal Information
School District Code Personal Information
School Name Personal Information
Screening Number Personal Information
Second Last Name Personal Information
SNAP or TANF case number Personal Information
Sold Property Description Personal Information
SSA Verification Identifier Personal Information
State Personal Information
Suffix Personal Information
TANF Case Number Personal Information
Target System Application ID Personal Information
Target System Individual ID Personal Information
Third Person Contact Personal Information
Third Person Phone Personal Information
Tribe State Personal Information
UFI Number Personal Information
User Hint Answer Personal Information
User Hint Question Personal Information
User Identity of the Community Partner Personal Information
User Identity of Sponsor Personal Information
User Logon ID Personal Information
Username identifier Personal Information
Vehicle Information (Year,make and model) Personal Information
Veteran Claim Number Personal Information
Wage Personal Information
Web Application Number Personal Information
ZIP Extension Personal Information
Alien Registration Number Sensitive PII
Citizenship Code Sensitive PII
Citizenship Sensitive PII
Citizenship Status Sensitive PII
Country of Origin Sensitive PII
Criminal convictions Sensitive PII
Drug and alcohol abuse information Sensitive PII
Health/ Sexual orientation Sensitive PII
I551 Card Number Sensitive PII
I94 Document Number Sensitive PII
Non citizen Registration ID Sensitive PII
Offenses Sensitive PII
Party Affiliation Sensitive PII
Racial/ Ethnic origin Sensitive PII
Religious/ Philosophical beliefs Sensitive PII
Trade-union membership Sensitive PII
Tribe Name Sensitive PII
Voter ID number Sensitive PII
Unearned Income Sensitive PII
ACA - Patient ECPA -
Protection ADA - COPPA - Electronic FERPA - The
and Americans Children's Communicati Family
Sensitivity Affordable with Online ons Privacy Educational
Care Act of Disabilities Privacy Act 18 Rights and
2010, Section Act Protection Act U.S.C. §§ Privacy Act
1561 2510-2521

Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Public
Public
Public
Public
Public
Public
Public
Public
Restricted X X
Restricted X X
Restricted
Restricted X X
Restricted X X
Restricted X
Restricted X
Restricted X
Restricted
Restricted
Restricted
Restricted X
Restricted

Restricted
Restricted X
Restricted
Restricted
Restricted
Restricted X
Restricted
Restricted
Restricted
Public X
Restricted X
Restricted X
Restricted X
Restricted X
Restricted X
Restricted X
Restricted X
Restricted X
Restricted
Restricted X
Restricted

Restricted X
Restricted X
Restricted X
Restricted X
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted X
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted X
Restricted X
Restricted X
Restricted X
Restricted X
Restricted X
Restricted
Restricted
Restricted X
Restricted
Restricted X
Restricted X
Restricted X
Restricted
Restricted
Restricted
Restricted X
Restricted X
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted
Restricted X
Restricted

Restricted
Public X
Restricted X
Restricted X
Restricted X
Restricted
X
Restricted
Public
HIPAA - Health
BPINA -
Health Information
SSA - Social Breach of Federal
Insurance  e- Technology
Security Personal Driver's Privacy Act of
Portability Government for Economic
Administratio Information Privacy 1974
and Act of 2002 and Clinical
n Notification Protection Act
Accountability Health Act of
Act
Act 1996

X X X X
X X X X

X X X
X X X X
X X
X X X
X X
X X

X X X
X X
X X X
X X X X X X
X X X X
X X
X X X
X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X
CMS -
Centers for
Medicare and
Federal Trade
Commonweal DPW IT Medicaid
Commission
th of security Services
Patient Safety Standards for
USA Patriot Pennsylvania incident Information PCI DSS - PCI
and Quality Safeguarding
Act - Title III Electronic reporting Security (IS) Data Security
Improvement Customer
Section 326 Information policy Acceptable Standard
Act of 2005 Information
Privacy Policy (POL_ENss0 Risk
Final Rule 16
(ITV-PRV001) 02) Safeguards
CFR Part 314
(ARS) –
Moderate
level.

X X X X
X X X X

X X
X X X
X X
X
X
X

X X X X
X X X X
X X X X
X X X
X
X X
X X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X X
X
X X
X X
X X
X X
X X
X X
X X
X X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X X X
X X X
X X
X X
X X
X X
X X
X X
X
X
X
X
X
X X
X X
X X
X X
X X
X X
X X
X
X
X
X
X
X
X
Federal Trade Federal Trade
CJIS -
IRS - Internal Commission Commission Title V -
Criminal
Revenue Affiliate Privacy of Confidential FTC Health
Justice NIST Special
Services , Marketing Consumer Information Breach
Information Publication
publication Rule Final Financial Protection Notification
System - 800-53
1075 (August Rule 16 CFR Information and Statistical Final Rule
Security
2010). Parts 680 and Final Rule 16 Efficiency
Safeguards
698 CFR Part 313

X X X
X X X

X
X
X

X X
X
X

X
X

X
X
X
X
X
X
X

X
X

X
X
X
HHS-Breach
Notification
for Unsecured
Protected
Health
Information;
Interim Final
Rule 45 CFR
Parts 160 and
164

X
X

X
X

X
X
Asset Information *REQUIRED* Category *RECOMMENDED*
# Asset Type Name IP Address Type Environment Application(s) Location "C" data (SEC019) Special Handling PII Personal Information Sensitive PII Protected Health Regulated Data Third Party Geographic Contract
Information Information
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

You might also like