The DISC classification framework offers a systematic approach for evaluating and managing data-related risks. It facilitates the identification of data sensitivity by categorizing it into one of three levels based on a risk assessment. This guide is designed to help classify data accurately to ensure appropriate security measures are implemented.
Overview of DISC Classification
DISC classification is integral to determining the sensitivity of data and involves categorizing it as follows:
- DISC 0 (Public): Data that is already publicly available and therefore has no associated organizational risk.
- DISC 1 (Internal Use Only): Appropriate for data that is less sensitive, where unauthorized access would have minimal organizational risk.
- DISC 2 (Confidential): For data that, if compromised, could have a moderate adverse effect on the organization’s operations or reputation.
- DISC 3 (Highly Confidential): Reserved for the most sensitive data, where unauthorized disclosure could cause significant harm to the organization or to individuals, or where protection of the data is mandated by legal regulations.
This classification aids in determining the necessary security measures to protect data effectively.
Step 1: Evaluating Likelihood of Unauthorized Access
Objective
To determine the likelihood of data being targeted by potential attackers for unauthorized activities.
Guidelines
- Consider the type of data and its value to external parties. Financial records, personal information, and trade secrets are typically more attractive to attackers.
- Consider potential motivations for external parties, such as financial gain, competitive advantage, or ideological reasons.
- Consider any past incidents involving similar data types being targeted within your industry or organization.
Action
Assign a score from 1 (least probable) to 3 (most probable) to represent the likelihood of the data being targeted.
Step 2: Determining Potential Impact
Objective
To assess the severity and breadth of potential consequences if the data were to be accessed, altered, or made unavailable by unauthorized individuals.
Guidelines
- Estimate potential financial losses, including direct costs (e.g., fines, litigation) and indirect costs (e.g., loss of business, operational downtime).
- Consider the implications of data breaches on regulatory compliance, including potential fines and legal ramifications.
- Evaluate how a breach could affect your organization's reputation, community trust, and partner relationships.
- Assess the impact on business operations, including the potential for critical processes to be interrupted or halted.
Action
Rate the potential impact on a scale from 1 (minor) to 3 (major) based on the anticipated consequences.
Step 3: Calculating DISC Classification
Action
- Sum the scores for Likelihood and Impact.
- Divide the total by 2.
- Round down to the nearest whole number to arrive at a DISC classification between 1 and 3.
Important Note
Data governed by regulations (e.g., HIPAA, FERPA) automatically receives a DISC 3 classification due to its high sensitivity and regulatory compliance requirements.
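The three scoring steps and the regulatory override, written out as a small Python function. This is an added illustration, not part of the original guide; the `public` flag and the level labels are assumptions, since the guide defines DISC 0 but does not place it in the scoring steps. The helper also tabulates all nine likelihood/impact combinations, which the guide itself does not show.

```python
# Assumed label names, taken from the four levels listed in the overview.
DISC_LABELS = {0: "Public", 1: "Internal Use Only", 2: "Confidential", 3: "Highly Confidential"}


def valid_score(score) -> bool:
    """Step 1 and Step 2 scores must be whole numbers from 1 to 3."""
    return isinstance(score, int) and 1 <= score <= 3


def disc_level(likelihood: int, impact: int, regulated: bool = False, public: bool = False) -> int:
    """Return the DISC level (0-3) for a data set.

    likelihood: Step 1 score, 1 (least probable) to 3 (most probable)
    impact:     Step 2 score, 1 (minor) to 3 (major)
    regulated:  data governed by regulation (e.g. HIPAA, FERPA): DISC 3 regardless of scores
    public:     data already publicly available: DISC 0 (assumption, see lead-in)
    """
    for name, score in (("likelihood", likelihood), ("impact", impact)):
        if not valid_score(score):
            raise ValueError(f"{name} must be an integer from 1 to 3, got {score!r}")
    # The regulatory override is checked first so that a mislabelled "public"
    # flag can never downgrade regulated data.
    if regulated:
        return 3
    if public:
        return 0
    # Step 3: sum the two scores, divide by 2, round down.
    return (likelihood + impact) // 2


def scoring_matrix() -> dict:
    """Every likelihood/impact pair and the level Step 3 assigns to it."""
    return {(l, i): disc_level(l, i) for l in (1, 2, 3) for i in (1, 2, 3)}


if __name__ == "__main__":
    # Only (3, 3) reaches DISC 3 without the regulatory override, and only
    # (1, 1), (1, 2) and (2, 1) stay at DISC 1; everything else is DISC 2.
    for (l, i), level in scoring_matrix().items():
        print(f"likelihood={l} impact={i} -> DISC {level} ({DISC_LABELS[level]})")
```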
Examples
The following are some examples of data that fall into each DISC classification. Please note that this list is not meant to be comprehensive.
DISC 0 - Public
- Course offerings
- Admission numbers
- Student demographics
- Athletic team records
- Faculty names and affiliations
- Campus maps
DISC 1 - Internal Use Only
DISC 2 - Confidential
- Passport Information
- Project plans/documentation
- Sensitive departmental communication
- Employee reimbursement information
DISC 3 - Highly Confidential
- PII (Personally Identifiable Information)
- SSN (Social Security Numbers)
- FERPA (Family Educational Rights and Privacy Act) Student Data
  - Grades
  - Information about disciplinary actions against students
- HIPAA (Health Insurance Portability and Accountability Act) Data
- PCI (Payment Card Industry) Information
- Third Party Audit Documentation
- SOC 2 Type 2 Reports
- Risk/Vulnerability Assessments
- Information Security Plans