Cybersecurity Handbook
Chapter 1

What Is Sensitive Data?

Sensitive data is data that you need to take care of and which, if it falls into the wrong hands or is lost, can cost you time and money and harm your reputation.

Sensitive data can be information (SIN, home address, cell phone number, passphrases), documents (contracts with employees or suppliers), messages or communications on your social networks and Google accounts, or even media files (films, videos, images, sounds, archives).


Assessing your data’s level of sensitivity

The sensitivity of data varies depending on the context: it is specific to every organization and person.

There are three levels of data sensitivity:

  • Public data is information that is intentionally made accessible to everyone, such as an open access artwork (film, music, etc.) or a report published in the interest of transparency.
  • Confidential data is any document or information whose access is limited to a specific audience: emails, contact information, work in progress, film in production, versions of work, etc.
  • Restricted data is data whose access is exclusive to certain individuals. Your social insurance number is restricted information.

All access to your confidential or restricted data must be protected.

You know what is sensitive to your organization better than we do. To properly identify and assess the data you are responsible for, imagine that you lost this data or that you spilled coffee on your computer—since yes, “I spilled coffee on my Mac” is a classic Google search.

What would be the material and ethical implications of this incident? Would work need to be redone? Would confidential documents be exposed or lost? Could the damage impact your partners’ trust in you?

In short, you need to ask yourself what it would cost your organization—in terms of time, money, and reputation—to recover from the loss.

How to determine the risk level?

In cybersecurity, we use a matrix to assess the risk level: we multiply the impact of a security incident by its probability. The higher the product, the more serious the risk and the more immediate attention it demands. The assessment—and the value attributed to each factor—is of course subjective and can change depending on the context.

Consider the scenario (so common, after all) of the coffee accident. Let’s say that you usually have several coffees a day at your workstation. The first factor to take into account is probability. The probability that one morning you could spill the contents of your cup on your laptop is relatively high. Let’s give it a value of 3 (on a scale of 1 to 5). If you’ve been working at home for a few weeks and adopted an affectionate cat (a change of context), it might be wise to increase the probability to 4. Then you need to assess the impact of the incident. If you save all your work documents on this computer (without a backup copy), the impact of the accident could be disastrous (let’s give it an impact of 5). However, if you have backup copies in several locations as well as on a cloud computing service, the impact boils down to a loss of equipment (financial impact) and time (a day of work to get a new computer and configure it properly). Therefore, it would be fair to assess this impact at 3.
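As an added example that is not part of the handbook, here is the risk matrix and the coffee scenario above written out as a small Python inventory-ranking script. The `Asset` fields, the extra “published report” entry and its values are assumptions made for illustration; the probability and impact values of the coffee cases are the chapter’s.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the handbook's 1-to-5 scale, used for both factors


@dataclass
class Asset:
    """One entry of the data inventory the chapter asks you to take (assumed structure)."""
    name: str
    classification: str  # "public", "confidential" or "restricted", the chapter's three levels
    probability: int     # how likely the incident is, 1 (rare) to 5 (almost certain)
    impact: int          # how bad it would be, 1 (negligible) to 5 (disastrous)


def risk_score(probability: int, impact: int) -> int:
    """One cell of the risk matrix: impact multiplied by probability, both on the 1-to-5 scale."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError("both factors must be integers between 1 and 5")
    return probability * impact


def needs_access_protection(asset: Asset) -> bool:
    """Confidential and restricted data must have protected access; public data need not."""
    return asset.classification in {"confidential", "restricted"}


def prioritize(inventory: list) -> list:
    """Rank inventory entries by risk score, highest first: the order in which to address them."""
    ranked = sorted(inventory, key=lambda a: risk_score(a.probability, a.impact), reverse=True)
    return [(a.name, risk_score(a.probability, a.impact)) for a in ranked]


# Constructed inventory built from the chapter's coffee scenario; the last entry is invented.
INVENTORY = [
    Asset("work documents, laptop only, no backup", "confidential", probability=3, impact=5),
    Asset("work documents, cat at home, no backup", "confidential", probability=4, impact=5),
    Asset("work documents, backed up in several places", "confidential", probability=3, impact=3),
    Asset("work documents, cat at home, backed up", "confidential", probability=4, impact=3),
    Asset("published transparency report", "public", probability=3, impact=1),
]

if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        flag = "protect access" if needs_access_protection(next(a for a in INVENTORY if a.name == name)) else "public"
        print(f"{score:>2}  {name}  [{flag}]")
```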

You can consult this matrix in the Security Policy.

To summarize, here are some more questions to help you assess the risk level of data based on the impact caused by its modification, loss, or theft:

  • Will a staff member need to take time to search through the backup copies in hopes of finding the lost data?
  • Do you have a responsibility to inform your partners or clients about this damage? (See your Legal Obligations.)
  • Do you need to pay an expert to fix the security breach? Is this person quickly available?
  • Is it likely that the loss, theft, or modification of the data will have an impact on your organization (in terms of reputation, production, finances, or other)?

These questions are just examples. The Security Policy will assist you more comprehensively in assessing different data. With this policy, you will be able to draw up a plan for identifying your priorities and protecting your assets in the best way possible. 

How to establish priorities?

At this point, you surely think that it will be difficult to completely secure all your sensitive data. You’re right: it’s literally impossible! Even for companies that have almost unlimited human or financial resources at their disposal, it’s unrealistic to reduce the risk to zero.

A good plan in cybersecurity is an appropriate response to a credible risk.

For example, it’s logical that a student locks their apartment door before leaving for class in order to protect their possessions. On the other hand, it would be absurd in this situation if this same individual were to go into debt by installing a biometric identification system and hiring two armed security guards full-time to secure the access to their door.

If your plan is well organized, you will avoid not only financial losses but also the stress and anxiety of managing the crisis that comes with an incident.

This is why your work in cybersecurity aims to prioritize the weak points of your organization. In other words, the objective is to determine the risk level—and therefore, the priorities—by assessing the impact that a data compromise would have and the probability that the data would be compromised.

To do this, there’s a magic solution: you need to take inventory! (“Yay!!! I love taking inventory!”—said no one). We’ll discuss this thrilling step in more detail in the Security Policy. Please be patient. We know you’re eager to get started.


Recap

  • Understand what data is sensitive based on your context.
  • Identify the confidential and restricted data in your organization.
  • Take inventory to assess the risk associated with each piece of sensitive data (see the Security Policy and risk matrix).
  • Establish a game plan to better protect the confidentiality and availability of sensitive data. 