Types of Sensitive Data & The Ways to Protect Them

Mar 27, 2022 / Kron

Sensitive data can be defined as classified data that must be protected by various cyber security measures and cannot be accessed by unauthorized persons and third parties without privileged access authorization. Whether sensitive data is kept in an electronic or a physical environment does not change the nature of the data. In both cases, the sensitive data in question must be carefully protected against cyber threats.

Access to sensitive data is one of the main issues to consider when establishing data security. To prevent data breaches, it is very important that this access is provided through a cyber security network that allows access only to privileged accounts. On the other hand, you should not forget that an advanced structure that controls access to sensitive data may run into problems for ethical or legal reasons. For this reason, it is of great importance for organizations to control the persons and applications with access to personal data more strictly in the legal context, in terms of compliance with the Personal Data Protection Act and GDPR.

Types & Levels of Sensitive Data

There are different types of sensitive data with various security levels: primarily four types of sensitive data and three different levels of data sensitivity. Let's first look at the types of sensitive data before proceeding to the data sensitivity levels.

Sensitive data types

  • Low data sensitivity: Data exposure in this category poses a low level of concern for individuals, private organizations, and government agencies. There is usually little or no access restriction on the relevant data group. This type of data, often referred to as pieces of public information, is accessible to anyone.
  • Moderate data sensitivity: Data is subject to contracts involving two or more parties, constituting moderately sensitive data. The disclosure of such data can cause minimal harm to organizations. Examples of data in this category include student registrations, IT service information, building plans, and travel information.
  • High data sensitivity: Violation of the data in this group, which is referred to as confidential data, may cause organizations to be exposed to different types of cyber attacks and to be penalized under both the Personal Data Protection Law and GDPR. Protected health data, IT security information, social security numbers and controlled unclassified information are included in this group.
  • Restricted sensitive data: These data are protected under the Non-Disclosure Agreement (NDA), in order to minimize legal liability. Trade secrets, credit card details, intellectual property data, customer information and training records are examples of restricted sensitive data.

Sensitive data levels

  • Highly sensitive data: Special categories of exclusive personal data belong to this category. A breach of highly sensitive data can have very serious negative consequences. For example, violation of these data may cause organizations to experience great financial losses, besides leading to significant legal sanctions.
  • Moderately sensitive data: Violating the confidentiality of such data, which is for internal use, does not create serious problems for organizations.
  • Low sensitive data: The data in this group, which is at the bottom rung of the sensitivity levels, are publicly available information.

Definition of Sensitive Data According to the Personal Data Protection Law and GDPR

Under GDPR, sensitive data means highly sensitive personal data. Sensitive personal data refers to data that is more sensitive with respect to GDPR, such as name, IP address, location, etc. GDPR insists that pseudonymous information should be used instead of information that directly identifies a person. However, the use of pseudonymous data may not prevent the breach of sensitive personal data, because sensitive personal data, including genetic and biometric data, can be traced back to its origin and decrypted due to its identifying nature. Therefore, using pseudonymous data alone may not be sufficient. Creating an IT infrastructure that offers end-to-end data and access security stands out as the most logical method.
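The pseudonymization point above, as an added example that is not part of the original post: direct identifiers are replaced with keyed HMAC-SHA256 tokens, compared against an unkeyed hash that anyone can recompute, and the fields that stay readable are reported. The sample record, the field names and the split into direct and quasi-identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; every value is made up for this example.
RECORD = {"name": "Ada Example", "ip": "192.0.2.44",
          "location": "Izmir", "plan": "premium"}
DIRECT_IDENTIFIERS = ("name", "ip")      # assumption: replaced by pseudonyms
QUASI_IDENTIFIERS = ("location",)        # assumption: left readable

def token(field, value, key=None):
    """Keyed HMAC-SHA256 pseudonym; with key=None, a plain SHA-256 (weak)."""
    msg = f"{field}:{value}".encode()
    if key is None:
        return hashlib.sha256(msg).hexdigest()[:32]
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def pseudonymize(record, key):
    """Return a copy with the direct identifiers replaced by keyed tokens."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = token(field, record[field], key)
    return out

def matches(pseudonym, field, candidate, key=None):
    """True if a party holding `key` (or no key) can recompute the pseudonym."""
    return hmac.compare_digest(token(field, candidate, key), pseudonym)

def residual_identifiers(record):
    """Quasi-identifiers that are still in clear text after pseudonymization."""
    return [f for f in QUASI_IDENTIFIERS if f in record]

if __name__ == "__main__":
    key = secrets.token_bytes(32)        # assumption: stored apart from the data
    safe = pseudonymize(RECORD, key)
    weak_ip = token("ip", RECORD["ip"])  # unkeyed hash of the same IP address
    print(safe)
    print("unkeyed token recomputable without key:",
          matches(weak_ip, "ip", RECORD["ip"]))
    print("keyed token recomputable without key:  ",
          matches(safe["ip"], "ip", RECORD["ip"]))
    print("still readable:", residual_identifiers(safe))
```

The keyed tokens only protect the record while the key is stored and access-controlled separately from the data, and the readable `location` field shows why pseudonyms alone do not finish the job.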

According to GDPR and Turkey's Personal Data Protection Law, exclusive personal data, i.e. sensitive personal data, covers many different components. The following are included in this category:

  • Race
  • Political thought, ethnicity, religion, philosophical belief, sect
  • Appearance
  • Association, foundation and union memberships
  • Health information, sex life
  • Criminal conviction, security
  • Genetic information, biometric information

How to Determine If Data are Sensitive?

Several different industries have agreed on a specific standard for measuring data sensitivity. The standard in question coalesces around three main elements, also called the CIA triad. The CIA triad includes the principles of confidentiality, integrity and usability.

  • Confidentiality: This policy means directly preventing, not merely limiting, access to sensitive data by users who do not have access authorization.
  • Integrity: Relates to the consistency and accuracy of data over a certain period of time. You can control the consistency of data flow in your IT infrastructure with audit logs, file permissions, user access controls, backups and cryptography.
  • Usability: This policy focuses on keeping sensitive data usable as needed. Usability-specific measures include protection against data loss due to natural disasters, hardware maintenance and providing bandwidth.

The way to prevent violations of the CIA triad is to take countermeasures. Countermeasures, including cybersecurity software and awareness training, can be listed as follows:

  • Two-factor authentication
  • Data encryption
  • Keychains
  • Soft tokens
  • Security tokens
  • Biometric verification
  • Hard-copy-only storage
  • Limiting where information appears and the number of transmissions
  • Storage on disconnected storage devices
  • Storage in computers with air gaps

Protect Sensitive Data

Privileged Access Management practices are one of the best ways to protect sensitive data, as they create an advanced cybersecurity network. Privileged Access Management (PAM) systems give you advanced data security in your IT infrastructure by protecting sensitive data and the privileged accounts with access to that data. PAM applications, which provide access security against ransomware, phishing, malware-like cyber attacks and internal threats, help prevent data breaches and keep your sensitive data safe.

Our PAM solution, Single Connect, provides advanced IT infrastructure security thanks to the modules it contains. Restricting access to privileged accounts in your network with a zero trust policy, Single Connect also makes it possible to keep the passwords in the system in password safes isolated from the network. Single Connect, which also has two-factor authentication, simultaneously requests location and time information from users who request access to privileged accounts. Single Connect also automates routine tasks on the network and records all user activity in the system, including database administrators.

As one of the internationally important PAM products, Single Connect can meet the data security needs of companies of different sizes and protect their sensitive data. You can also contact us to learn more about our Single Connect product and consult our teammates with any queries.