An organisation’s sensitive information and data are any data that need to be protected from data breaches or cyber-attacks, which may lead to its disclosure and result in compliance breaches, financial, or reputational damage. 

What constitutes sensitive data varies from organisation to organisation. Confidential information, such as non-public information around financial disclosures, customer transaction information, cardholder information, personally identifiable information, employee records, health data, and personal information, may be considered sensitive data. 

A good starting point is to understand which compliance and regulatory frameworks apply to your business and the kind of data you are obligated to protect through them. For example, the Graham-Leach-Bliley Act (GLBA) applies to financial institutions and their associates and requires these organisations to protect customer information. On the other hand, the General Data Protection Regulation (GDPR) requires that organisations protect personal data and personally identifiable information, or information that may identify an individual. Examples include religious, sexual, health and financial information, transaction data, or name, address, social security number, etc. Other applicable regulations include HIPAA, CCPA, PCI-DSS, and more.

Protecting sensitive information and data is critical for any cybersecurity strategy. The first step is to identify and prioritize the data and assets most worth defending. At a high level, this step is about understanding the business’s critical assets and processes and the risk scenarios that may impact them. In the process of doing this from the enterprise level through the operational level, you will build out the threat models that are most impactful to your business. Mapping these threat models into a framework such as Mitre ATT&CK will enable you to identify both your controls and those you lack. Here, you can also note whereyou have overlapping controls and potentially some unwanted control complexity in your environment. Each threat model you build must identify the impact on the business if the threat is realised. 

A robust cybersecurity framework can help address the confidentiality, integrity and availability of sensitive information and provide transparency on your organisation’s compliance posture and risk management efforts.