Data Types and Impact
by Tanya Tandon
Data Type Selections and Impact Assessment
Purpose of Data Type Selection
Data Type selections are used by the system to gauge impact, not exposure.
While Business Case selection determines how a vendor interacts with your environment (exposure), Data Type selection determines what is at stake if that exposure is realized.
Data Types represent the digital assets that may be shared with a vendor as part of the relationship. Selecting Data Types allows the system to evaluate the potential severity of consequences associated with loss, misuse, or compromise of those assets.
How to Use Data Type Selections
- Select all Data Types that may reasonably be shared with the vendor
- Do not limit selections to what is contractually intended; consider realistic operational access
- Data Types are evaluated after Business Case selection and do not affect controls in scope
- They are used solely to assess impact
Organization Data Types
These Data Types relate to assets owned by your organization.
Extreme Data Sensitivity
Monetary Assets
Cash and cash equivalents, including digital or virtual assets, where access could result in direct financial loss.
Authentication Credentials or Internal Encryption Keys
Credentials or cryptographic material that could be used to access or control your internal environment or protect your most sensitive data.
Financial Reporting
Information used to track, analyze, or report on business income, financial position, or assets.
Medium Data Sensitivity
Insider Information
Non-public information about the plans or condition of a publicly traded company that could provide a financial advantage.
Vulnerabilities
Undisclosed information about weaknesses in your systems or products (for example, open findings from assessments or penetration tests) that a threat actor could exploit before they are fixed.
Source Code
Code owned by your organization, including source code, configuration, and the build or deployment definitions that describe how your systems are assembled and run.
Employee Sensitive PII (Personally Identifiable Information)
Employee information that is sensitive in nature and typically subject to breach notification requirements.
Proprietary and Confidential Information
Information your organization seeks to keep confidential, such as business plans, trade secrets, or contracts.
Low Data Sensitivity
Less Sensitive Confidential Information
Information routinely shared with partners or customers but not publicly available in bulk.
Unrestricted Information
Information where unauthorized disclosure would result in little or no consequence.
Customer Data Types
These Data Types relate to data about individuals or organizations you serve, not your internal staff.
Extreme Data Sensitivity
Sensitive PII
Personal data which, if compromised, could result in substantial harm or inconvenience to an individual.
PHI (Protected Health Information)
Health-related information linked to a specific individual.
PCI (Payment Card Industry) Data
Cardholder data, including Primary Account Numbers (PANs).
Medium Data Sensitivity
PII and Additional Attributable Information
PII combined with other information that could enable social engineering or fraud.
Customer or Partner Proprietary Information
Confidential information entrusted to you by a customer or partner.
PII (Personally Identifiable Information)
Information that permits the identity of an individual to be inferred, directly or indirectly.
Low Data Sensitivity
Anonymous Customer Data
Data stripped of personal identifiers but still useful for analysis or trend identification. If the data could reasonably be re-identified by linking it with other information the vendor holds or can obtain, it is not anonymous; select the appropriate PII Data Type instead.
Key Guidance
- Data Type selection is about impact severity, not likelihood
- Select conservatively when uncertainty exists
- Data Types do not change which controls apply
- They inform prioritization, scoring, and escalation within the system
Frequently Asked Questions
What qualifies as Monetary Assets?
Question
Does Monetary Assets mean access to bank account information (for example, an account number), or access to the account itself?
Answer
Monetary Assets refers to access to the account itself, sufficient to move, withdraw, or otherwise control funds.
Viewing account numbers, balances, or reports alone does not qualify unless the access could be used to directly transact or transfer value (including digital or virtual assets).
What counts as Authentication Credentials or Internal Encryption Keys?
Question
Does this include:
- API keys used between our systems and a vendor?
- A vendor managing encryption keys for data stored in their environment?
- Usernames and passwords we use to access a SaaS platform (for example, Salesforce logins)?
Answer
No. This Data Type applies only to credentials or cryptographic keys that could be used to access or control your internal environment or infrastructure beyond the vendor relationship.
It does not include:
- API keys used solely to interact with a vendor’s service
- Encryption keys managed by the vendor for their own environment
- Usernames and passwords used by your staff to log in to a vendor’s SaaS platform
Examples that would qualify include credentials that provide access to internal systems, cloud accounts, production infrastructure, or encryption keys protecting your most sensitive internal data.
How should Customer Data Types be interpreted?
Question
Do Customer Data Types apply to internal employees, or only to external users of our products and services?
Answer
Customer Data Types apply only to customers, end users, or partners outside your organization.
Information about employees or internal staff should be selected under the appropriate Organization Data Types, not Customer Data Types.
How precise do Data Type selections need to be?
Question
Should Data Types reflect only what is contractually shared, or what could realistically be accessed?
Answer
Data Types should reflect realistic operational access, not just contractual intent.
If a vendor could reasonably access a Data Type in the course of delivering the service—even indirectly—it should be selected. When in doubt, select conservatively.