Data Classification Policy Sample
Version V1.00.01
Data User
The Data User is a person, organization or entity that interacts with data for the
purpose of performing an authorized task. A Data User is responsible for using
data in a manner that is consistent with the purpose intended and in compliance
with policy.
Data Owner
The Data Owner is normally the person responsible for, or dependent upon, the
business process associated with an information asset. The Data Owner is
knowledgeable about how the information is acquired, transmitted, stored,
deleted, and otherwise processed.
• The Data Owner determines the appropriate value and classification of
information generated by the owner or department;
• The Data Owner must communicate the information classification when
the information is released outside of the department and/or
%ORGANIZATION%;
• The Data Owner controls access to his/her information and must be
consulted when access is extended or modified; and
• The Data Owner must communicate the information classification to the
Data Custodian so that the Data Custodian may provide the appropriate
levels of protection.
Data Custodian
• The Data Custodian maintains the protection of data according to the
information classification associated with it by the Data Owner.
• The Data Custodian role is delegated by the Data Owner and is usually
Information Technology personnel.
Data Classifications
Data owned, used, created or maintained by %ORGANIZATION% is classified into
one of the following three categories:
• Public
• Internal
• Confidential
Public Data
Public data is information that may or must be open to the general public. It is
defined as information with no existing local, national, or international legal
restrictions on access or usage. Public data, while subject to %ORGANIZATION%
disclosure rules, is available to all %ORGANIZATION% employees and all
individuals or entities external to the corporation.
Disclosure of public data must not violate any pre-existing, signed non-disclosure
agreements.
Internal Data
Internal Data is information that must be guarded due to proprietary, ethical, or
privacy considerations and must be protected from unauthorized access, modification,
transmission, storage or other use. This classification applies even though there may
not be a civil statute requiring this protection. Internal Data is information that is
restricted to personnel designated by %ORGANIZATION%, who have a legitimate
business purpose for accessing such data.
Internal Data:
• Must be protected to prevent loss, theft, unauthorized access and/or
unauthorized disclosure.
• Must be protected by a confidentiality agreement before access is allowed.
• Must be stored in a closed container (i.e. file cabinet, closed office, or
department where physical controls are in place to prevent disclosure) when
not in use.
• Must be destroyed when no longer needed subject to the
%ORGANIZATION% Data Retention Policy. Destruction may be
accomplished by:
  o “Hard Copy” materials must be destroyed by shredding or another
    approved process which destroys the data beyond either recognition or
    reconstruction as per the %ORGANIZATION% Data Destruction and
    Re-Use Standard.
  o Electronic storage media shall be sanitized appropriately by overwriting or
    degaussing prior to disposal as per the %ORGANIZATION% Data
    Destruction and Re-Use Standard.
• Is the “default” classification level if one has not been explicitly defined.
Confidential Data
Confidential Data is information protected by statutes, regulations,
%ORGANIZATION% policies or contractual language. Managers may also
designate data as Confidential. Confidential information shall also include material,
non-disclosed information as defined under Regulation D by the Securities and
Exchange Commission.
Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited
to individuals on a “need-to-know” basis only.
Confidential Data:
• When stored in an electronic format must be protected with a minimum level
of authentication to include strong passwords, wherever possible.
• When stored on mobile devices and media, protections and encryption
measures provided through mechanisms approved by %ORGANIZATION%
IT Management must be employed.
• Must be stored in a locked drawer, room, or area where access is controlled by
a guard, cipher lock, and/or card reader, or that otherwise has sufficient
physical access control measures to afford adequate protection and prevent
unauthorized access by members of the public, visitors, or other persons
without a need-to-know.
• Must be encrypted with strong encryption when transferred electronically to
any entity outside of %ORGANIZATION%.
• When sent via fax, must be sent only to a previously established and used
address or one that has been verified as using a secured location.
• Must not be posted on any public website.
• Must be destroyed when no longer needed subject to the
%ORGANIZATION% Data Retention Policy. Destruction may be
accomplished by:
  o “Hard Copy” materials must be destroyed by shredding or another
    approved process that destroys the data beyond either recognition or
    reconstruction as per the %ORGANIZATION% Data Destruction and
    Re-Use Standard.
  o Electronic storage media that will be re-used must be overwritten
    according to the %ORGANIZATION% Data Destruction and Re-Use
    Standard.
  o Electronic storage media that will not be re-used must be physically
    destroyed according to the %ORGANIZATION% Data Destruction and
    Re-Use Standard.
  o Deleting files or formatting the media is NOT an acceptable method of
    destroying Confidential Data.
Version History
Version Number Date Reason/Comments