Sensitive HR Tickets

Working on a Service Catalog Item that will have sensitive Incidents. The incidents can only be seen by certain individuals.

My thought on how to deal with this is to create a category for these and then modify roles so that only certain roles will be able to see them; this would include Administrators.

Is this about the only way I would be able to do something like this?