Types of Data
Start course

This course is the second installment of three courses covering Domain 2 of the CSSLP, covering the topic of data classification and categorization.

Learning Objectives

  • Understand the fundamentals of data classification and categorization
  • Learn about the security implications of data ownership and labeling
  • Learn about different data types and the data lifecycle

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP)​ certification, or for anyone interested in the topics it covers.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


We have to, of course, define what we mean by confidentiality. Now, this seems an obvious thing, but we have already defined that confidentiality means confidentiality for non-individually identifiable information and confidentiality for what we term private information or sensitive information about persons. So we need to be very specific about what we mean and it needs to be contextually specific. It could be about trade secrets. It could be about the privacy information that is individually identifiable, such as PII or PHI. And then we have certain special categories that would include things like national security or critical infrastructure. And if those apply, we need to be equally certain and clear about our definitions for those.

Likewise, we need to define what we mean by integrity. Integrity is a somewhat nondescript or difficult-to-describe characteristic. We simply know that the data is or must be kept trustworthy by how it's manipulated by authorized people and that no unauthorized person can have any access to it whatever. So we need to come up with prevention and detection methods so that contamination and corruption are hopefully avoided at creation or data entry, or the receipt, if we are on the receiving end of it, or methods to detect it, should it arise at some point after we've received it.

The end of this, of course, is to ensure always that the data is as authentic and as trustworthy as we need it to be for the particular process. We need to define our availability and we need to know what requirements we have in this area to ensure that the information is always accessible, and, to the extent we can, ensure that it's timely for all authorized users and uses.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.