Accessibility mode is enabled

Home Accessibility Support 311 Customer Service Emergency Management Contact Us Translate Skip to Content
City Hall
Home > Information Technology > Information_Security > Security Standards > Data Classification
Skip to Top / Tab to View Menu Options
Skip to Left Navigation / Tab to View Content

Information Security Data Classification Introduction

This document describes the three levels of data classification that the City of Sacramento (City) has adopted regarding the level of security placed on the particular types of information assets. The three levels described below are meant to be illustrative, and the list of examples of the types of data contained below is not exhaustive. Please note that this classification standard is not intended to be used to determine eligibility of requests for information under the California Public Records Act or HEERA. These requests should be analyzed by the appropriate legal counsel or administrator.

Classification Description: Confidential - (Level 1)

Access, storage and transmissions of Critical Confidential information are subject to restrictions as described in City of Sacramento Management Standards.

Information may be classified as confidential based on criteria including but not limited to:

  • Disclosure exemptions - Information maintained by the City that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
  • Severe risk - Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the City, its employees, or customers.
  • Financial loss, damage to the Cities reputation, and legal action could occur.
  • Limited use - Information intended solely for use within the City and limited to those with a “business need-to know.”
  • Legal Obligations - Information for which disclosure to persons outside of the City is governed by specific standards and controls designed to protect the information.

Examples of Critical – Confidential information include but are not limited to:

  • Passwords or credentials that grant access too Critical and Business data
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information
  • Medical records related to an individual
  • Psychological Counseling records related to an individual
  • Bank account , credit/debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Biometric information
  • Electronic or digitized signatures
  • Private key (digital certificate)
  • Law enforcement personnel records
  • Criminal background check results

Classification Description:  Internal Use - (Level 2)

Access, storage and transmissions of Business - Internal Use information are subject to restrictions as described in City Asset Management Standard.

Information may be classified as “internal use” based on criteria including but not limited to:

  • Sensitivity - Information which must be protected due to proprietary, ethical, contractual or privacy considerations.
  • Moderate risk - Information which may not be specifically protected by statute, regulations, or other legal obligations or mandates but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of could cause financial loss, damage to the Cities reputation, violate an individual’s privacy rights, or make legal action necessary.

Note:  It is possible to aggregate Internal Use - (Level 2) data in such a way that it might become Confidential - (Level 1) data.  In these cases, the data should be treated as Confidential - (Level 1) data.

Examples of Business – Internal Use information include but are not limited to:

  • Identity Validation Keys (name with)
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Photo (taken for identification purposes)
  • Trade secrets or intellectual property such as research activities
  • Location of critical or protected assets
  • Licensed software
  • Vulnerability/security information
  • City attorney-client communications

 
  • Employee Information
    • Employee net salary
    • Home address
    • Personal telephone numbers
    • Personal email address
    • Payment History
    • Employee evaluations
    • Pre-employment background investigations
    • Mother’s maiden name
    • Race and ethnicity
    • Parents’ and other family members’ names
    • Birthplace (City, State, Country)
    • Gender
    • Marital Status
    • Physical description
    • Other

 

Classification Description: PUBLIC - (Level 3)

Information which may be designated by the City as publicly available and/or intended to be provided to the public.

Information at this level requires no specific protective measures but may be subject to appropriate review or disclosure procedures at the discretion of the City in order to mitigate potential risks.

Disclosure of this information does not expose the City to financial loss or jeopardize the security of the City’s information assets.

SITEMAP
Translation services available; click or call (916) 808-5011 or (916) 264-5011
2015 Best of Web Winner full color logo

Policies  |  Accessibility  |  Social Media  |   Website Feedback  © 2013 - 2022   City of Sacramento