Did you know that the type of data you have will dictate how it’s handled?

Not all records are created equal – some are public information (such as newspaper articles), and some are highly sensitive (such as medical records).

If the records themselves are unique, wouldn’t you expect that they’re scanned and digitized uniquely?

Before starting your digital scanning project, take a few minutes to learn about Material Security Classification Levels, what they mean, how they apply to your project, and how they’re implemented. 

You wouldn’t give just anyone sensitive data, right? 

This article will give you the info you need to make sure your documents are being handled appropriately.

What Is A Material Security Classification Level?

To improve the way that we handle data and run client projects, we created our own internal Material Security Classification Levels (“Security Levels”). 

A Security Level is the designation that’s assigned to a client project that clarifies how we’ll physically and digitally handle the records.

Not all records are the same: you might have public data like newspapers, or you might have sensitive data, like police reports. These are vastly different types of records and they should be handled in a way that suits their sensitivity level. 

We’ve identified five Security Levels that cover the range of project materials we work with:

  • Level 1: Unclassified
  • Level 2: Private
  • Level 3: Secure
  • Level 3 (CJIS): Secure (CJIS)
  • Level 4: Secret

These are internally-created Security Levels that allow us to immediately understand how to handle the material provided by our clients. 

In addition to identifying the Security Level, we also follow specific procedures based on the classification. These procedures include:

  • Material Handling & Storage
  • Data Storage
  • Data Access
  • Data Delivery
  • Requirements for BMI Hosting

Having a streamlined system for handling various types of records lets us quickly start projects in a secure way. 

In the sections below, we’ll give you the highlights of each Security Level so you can get a basic understanding of how each data type is processed, and an example of records that would be considered that type.

Security Level 1: Unclassified

Level 1 records are documents or materials that should contain no PII (personally identifiable information), PHI (protected health information), or ePHI (electronic protected health information), and whose content is publicly available through other channels.

These records are handled with normal care and can be stored in any designated location within our facilities. They don’t require additional segmentation or protection, as they’re unclassified records. 

Also, they can be handled by all of our employees. 

When we deliver records from Level 1 projects to our clients, the data can be transmitted on unencrypted media (such as a USB drive) or by standard FTP (File Transfer Protocol), rather than SFTP (SSH File Transfer Protocol).

Newspapers are an example of Security Level 1 records.

Security Level 2: Private

Level 2 records are documents or materials that may contain PII and whose content is publicly available under controlled conditions (such as land records). “Controlled conditions” means that there is some process to obtain the records, such as asking a building department staffer to access a plan set. 

These records are handled with normal care and can be stored in any designated location within our facilities. They don’t require additional segmentation or protection, as they’re unclassified records. 

Level 2 records can be handled by all of our employees.

When we deliver records from Level 2 projects to our clients, the data should be transmitted on encrypted media or by SFTP.

Building department plans and permits are an example of Security Level 2 records.

Security Level 3: Secure

Level 3 records are documents or materials that contain PII or may contain PHI and whose content falls under access control regulations such as HIPAA, FERPA, and HITECH. 

Because of the increased sensitivity of these records, they’re kept in designated storage areas while at our facilities. Level 3 records are also stored in specific locations on our digital network to separate them from Level 1 and Level 2 records, and to provide audit tracking. 

These records may only be accessed by designated employees approved by our Security Officer.

Level 3 records are delivered to clients using encrypted media or by SFTP.

Student records and medical records are examples of Security Level 3 records.

Security Level 3 (CJIS): Secure (CJIS)

CJIS (FBI Criminal Justice Information Services) records are documents or materials that contain criminal justice information. The FBI CJIS Security Policy is the overarching document that specifies how CJIS records should be handled and protected. 

CJIS records are handled in a similar way to Level 3 records, but are kept separate from all other records and stored in CJIS-designated locations. Many clients with CJIS data require our employees to go through an additional Live Scan background check before working on their project.

CJIS records are delivered to clients using encrypted media or by SFTP.

Criminal court cases and police reports are examples of CJIS records.

Security Level 4: Secret

Level 4 records are documents or materials that contain highly sensitive information and whose content is such that access is tightly controlled and highly restricted. This information is typically subject to additional controls under client or industry-specific requirements (such as USDOJ or DOD standards).

These records are stored in physically segregated and access-controlled areas at all times, except when the materials are moved to specific production areas for processing. Once processed, they’re immediately returned to their designated storage area. Digital storage for Level 4 records is also separate and distinct from other Security Level projects; in some cases, we utilize separate hardware on a separate network from our other projects.

Only specific employees, designated by our Security Officer and approved by the data owner, can access and handle Level 4 records. 

Level 4 records are delivered to clients using encrypted media or by SFTP using an encryption method specified by the data owner. 

Federal-level confidential documents are an example of Level 4 records.

Security Classification & Digital Conversion

Why does all this security classification matter to you?

Because not all records are created equal, and you want to know that yours are being handled in the right way.

If you have confidential medical records, you probably don’t want those just lying around a shop floor intermingled with other records – everything jumbled together and being processed on the same network and by the same people without audit trails.

Over multiple decades and thousands of projects, we’ve slowly and incrementally built and improved our security methods to provide to our clients what we offer today: a methodical and meticulous workflow to handle, scan, process, and deliver your records based on the level of security your data warrants.

Verifying Security Level Adherence

Should you take our word for it that this is what we do?

No. You should verify that we do it.

Each year, our Security Team completes an internal audit of physical and network security procedures. Our audit contains over 45 distinct tasks that require a Security Team member to complete the task, another Team member to verify the task was completed (correctly), and supporting documentation. 

In addition to our internal audit, we are also audited by an independent firm for SOC 2 Type II compliance.

Security is something that can’t be faked for long. 

Make sure your records are in the right hands.

Further Reading

Check out three other blogs about security and digital conversion:

“Choosing A Partner For Your Secure Scanning Project” describes key items to consider when choosing a scanning partner, including physical security setup, digital and network security processes, and security credentials (such as audits).

“CJIS Digital Scanning” is our overview of how to scan criminal justice information (CJI) for law enforcement agencies. If your office is handling and processing CJI, this is a starting point for you to understand what CJIS means and why it’s important to you. 

“HIPAA Compliance & Document Conversion” relates to health records, which are rife with sensitive information. Read up on compliance and why digitizing your hard copy records can be a step in the right direction for your company.