Data Classification Policy Sample


%ORGANIZATION BANNER%

Version V1.00.01

Data Classification Policy


Purpose
The purpose of the %ORGANIZATION% Data Classification Policy is to provide a
system for protecting information that is critical to the organization and its customers. In
order to provide more appropriate levels of protection to the information assets entrusted
to %ORGANIZATION%, data must be classified according to the risks associated with
its storage, processing, and transmission. Consistent use of this data classification policy
will facilitate more efficient business activities and lower the costs of ensuring adequate
information security.
Audience
The %ORGANIZATION% Data Classification Policy applies equally to any individual
or process that interacts with %ORGANIZATION% Information Resources in any
tangible manner. All personnel who may come in contact with Confidential information
are expected to familiarize themselves with this Data Classification Policy and
consistently use it.
Policy
Responsibility for Data Management
Data is a critical asset of %ORGANIZATION%, its business partners, and its
customers. All individuals employed by %ORGANIZATION% have the
responsibility to protect the Confidentiality, Integrity, and Availability of the data
generated, accessed, modified, transmitted, stored and/or used by
%ORGANIZATION%, irrespective of the medium on which the data resides and
regardless of format (e.g., electronic, paper, or other physical form).

Data User
The Data User is a person, organization or entity that interacts with data for the
purpose of performing an authorized task. A Data User is responsible for using
data in a manner that is consistent with the purpose intended and in compliance
with policy.

Data Owner
The Data Owner is normally the person responsible for, or dependent upon the
business process associated with an information asset. The Data Owner is
knowledgeable about how the information is acquired, transmitted, stored,
deleted, and otherwise processed.
• The Data Owner determines the appropriate value and classification of
information generated by the owner or department;
• The Data Owner must communicate the information classification when
the information is released outside of the department and/or
%ORGANIZATION%;
• The Data Owner controls access to his/her information and must be
consulted when access is extended or modified; and
• The Data Owner must communicate the information classification to the
Data Custodian so that the Data Custodian may provide the appropriate
levels of protection.

Data Custodian
• The Data Custodian maintains the protection of data according to the
information classification associated to it by the Data Owner.
• The Data Custodian role is delegated by the Data Owner and is usually
Information Technology personnel.

Data Classifications
Data owned, used, created or maintained by %ORGANIZATION% is classified into
one of the following three categories:
• Public
• Internal
• Confidential

Public Data
Public data is information that may or must be open to the general public. It is
defined as information with no existing local, national, or international legal
restrictions on access or usage. Public data, while subject to %ORGANIZATION%
disclosure rules, is available to all %ORGANIZATION% employees and all
individuals or entities external to the corporation.

Examples of Public Data include:
• Publicly posted press releases
• Publicly available marketing materials
• Publicly posted job announcements

Disclosure of public data must not violate any pre-existing, signed non-disclosure
agreements.
Internal Data
Internal Data is information that must be guarded due to proprietary, ethical, or
privacy considerations and must be protected from unauthorized access, modification,
transmission, storage or other use. This classification applies even though there may
not be a civil statute requiring this protection. Internal Data is information that is
restricted to personnel designated by %ORGANIZATION%, who have a legitimate
business purpose for accessing such data.

Examples of Internal Data include:
• Employment data
• Business partner information where no more restrictive confidentiality
agreement exists
• Internal directories and organization charts
• Planning documents
• Contracts

Internal Data:
• Must be protected to prevent loss, theft, unauthorized access and/or
unauthorized disclosure
• Must be protected by a confidentiality agreement before access is allowed
• Must be stored in a closed container (e.g., a file cabinet, closed office, or
department where physical controls are in place to prevent disclosure) when
not in use.
• Must be destroyed when no longer needed subject to the
%ORGANIZATION% Data Retention Policy. Destruction may be
accomplished by:
o “Hard Copy” materials must be destroyed by shredding or another
approved process that destroys the data beyond either recognition or
reconstruction as per the %ORGANIZATION% Data Destruction and Re-Use Standard.
o Electronic storage media shall be sanitized appropriately by overwriting or
degaussing prior to disposal as per the %ORGANIZATION% Data
Destruction and Re-Use Standard.
• Is the “default” classification level if one has not been explicitly defined.
Confidential Data
Confidential Data is information protected by statutes, regulations,
%ORGANIZATION% policies or contractual language. Managers may also
designate data as Confidential. Confidential information shall also include material
non-public information as defined under Regulation D by the Securities and
Exchange Commission.
Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited
to individuals on a “need-to-know” basis only.

Disclosure to parties outside of %ORGANIZATION% must be authorized by
executive management, approved by a Vice President and General Counsel, or
covered by a binding confidentiality agreement.

Examples of Confidential Data include:
• Medical records
• Clinical trial data
• Safety data
• Social Security Numbers
• Personnel and/or payroll records
• Any data identified by government regulation to be treated as confidential, or
sealed by order of a court of competent jurisdiction
• Any data belonging to an %ORGANIZATION% customer that may contain
personally identifiable information
• Patent information
• Regulatory filings

Confidential Data:
• When stored in an electronic format must be protected with a minimum level
of authentication to include strong passwords, wherever possible.
• When stored on mobile devices and media, protections and encryption
measures provided through mechanisms approved by %ORGANIZATION%
IT Management must be employed.
• Must be stored in a locked drawer, room, or area where access is controlled by
a guard, cipher lock, and/or card reader, or that otherwise has sufficient
physical access control measures to afford adequate protection and prevent
unauthorized access by members of the public, visitors, or other persons
without a need-to-know.
• Must be encrypted with strong encryption when transferred electronically to
any entity outside of %ORGANIZATION%.
• When sent via fax, must be sent only to a previously established and used
address or one that has been verified as using a secured location.
• Must not be posted on any public website.
• Must be destroyed when no longer needed subject to the
%ORGANIZATION% Data Retention Policy. Destruction may be
accomplished by:
o “Hard Copy” materials must be destroyed by shredding or another
approved process that destroys the data beyond either recognition or
reconstruction as per the %ORGANIZATION% Data Destruction and Re-Use Standard.
o Electronic storage media that will be re-used must be overwritten
according to the %ORGANIZATION% Data Destruction and Re-Use
Standard.
o Electronic storage media that will not be re-used must be physically
destroyed according to the %ORGANIZATION% Data Destruction and
Re-Use Standard.
o Deleting files or formatting the media is NOT an acceptable method of
destroying Confidential Data.

The %ORGANIZATION% Information Security Officer or the Director of Information
Systems must be notified in a timely manner if data classified as Confidential is lost,
disclosed to unauthorized parties or is suspected of being lost or disclosed to
unauthorized parties, or if any unauthorized use of %ORGANIZATION% information
systems has taken place or is suspected of taking place.

Version History
Version Number    Date              Reason/Comments
V1.00.00          November, 2006    Document Origination
