Data Classification Policy
Overview
Information is a company asset, just like physical property. To determine the value of each asset and how it must be handled, data is classified according to its importance to company operations and the confidentiality of its contents. Once a classification has been assigned, the company can take steps to ensure that the data is treated appropriately.
Purpose
The purpose of this policy is to detail a method for classifying data and to specify how to handle this data once it has been classified.
Scope
The scope of this policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. Also covered by the policy are hardcopies of company data, such as printouts, faxes, notes, etc.
Policy
Data Classification
Data residing on corporate systems must be continually evaluated and classified into the following categories:
- Personal: includes users' personal data, emails, documents, etc. This policy excludes personal information, so no further guidelines apply.
- Public: includes already-released marketing material, commonly known information, etc. There are no requirements for public information.
- Operational: includes data needed for basic business operations, such as communications with vendors, employees, etc. (non-confidential).
- Critical: any information deemed critical to business operations (often this data is operational or confidential as well). Identifying critical data is extremely important for security and backup purposes.
- Confidential: any information deemed proprietary to the business. See the Confidential Data Policy for more detailed information about how to handle confidential data.
Data Storage
The following guidelines apply to storage of the different types of company data.
- Personal: There are no requirements for personal information.
- Public: There are no requirements for public information.
- Operational: Operational data must be stored where the backup schedule is appropriate to the importance of the data, at the discretion of the user.
- Critical: Critical data must be stored on a server that gets the most frequent backups (refer to the Backup Policy for additional information). System- or disk-level redundancy is required.
- Confidential: Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Physical copies of confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.
Data Transmission
The following guidelines apply to transmission of the different types of company data.
- Personal: There are no requirements for personal information.
- Public: There are no requirements for public information.
- Operational: No specific requirements apply to transmission of operational data; however, as a general rule, the data should not be transmitted unless necessary for business purposes.
- Critical: There are no requirements on transmission of critical data unless the data in question is also considered operational or confidential, in which case the applicable policy statements apply.
- Confidential: The guidelines for transmission of confidential data set forth in Section 4 of the Confidential Data Policy apply to all confidential information.
Data Destruction
The following guidelines apply to the destruction of the different types of company data.
- Personal: There are no requirements for personal information.
- Public: There are no requirements for public information.
- Operational: Cross-cut shredding is required for documents. Storage media should be appropriately sanitized/wiped or destroyed.
- Critical: There are no requirements for the destruction of critical data, though shredding is encouraged. If the data in question is also considered operational or confidential, the applicable policy statements apply.
- Confidential: Confidential data must be destroyed in a manner that makes recovery of the information impossible. The guidelines for data destruction set forth in Section 4 of the Confidential Data Policy apply to all confidential data.
Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
Enforcement
This policy will be enforced by the Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
Definitions
- Authentication: A security method used to verify the identity of a user before access to a system or network is granted.
- Backup: To copy data to a second location, solely for the purpose of safe keeping of that data.
- Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
- Mobile Data Device: A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive.
- Two-Factor Authentication: A means of authenticating a user that requires two distinct factors: something the user knows (such as a password), something the user has (such as a smart card or token), or something the user is (such as a biometric). Examples are smart cards, tokens, or biometrics, in combination with a password.