Data Classification Policy

Example from Mitoc Group.

1. OVERVIEW

Information classification is the process of assigning value to information in order to organize it according to its risk to loss or harm from disclosure. The Mitoc Group Inc (the “Company”) information classification and handling standard establishes a baseline derived from federal laws, state laws, regulations, company’s policies that govern the privacy and confidentiality of information.

2. PURPOSE

The purpose of this policy is to help manage and protect its information assets.

3. SCOPE

All employees, contractors, consultants, temporary and other workers at the Company and its subsidiaries must adhere to this policy. All Company’s associates share in the responsibility for ensuring that information assets receive an appropriate level of protection by observing this policy. This policy specifies requirements for equipment on the internal Company’s network.

4. POLICY

Company Managers or information ‘owners’ shall be responsible for assigning classifications to information assets according to the standard information classification system presented below. (‘Owners” have approved management responsibility. ‘Owners’ do not have property rights.)

Where practicable, the information category shall be embedded in the information itself.

All Company associates shall be guided by the information category in their security-related handling

All Company information and all information entrusted to Company from third parties falls into one of four classifications in the table below, presented in order of increasing sensitivity.

4.1 Information Category: Unclassified Public

Information is not confidential and can be made public without any implications for Company. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.

Examples:

  • Product brochures widely distributed

  • Information widely available in the public domain, including publicly available Company web site areas

  • Sample downloads of Company software

  • Financial reports required by regulatory authorities

  • Newsletters for external transmission

4.2 Information Category: Proprietary

Information is restricted to management-approved internal access and protected from external access. Unauthorized access could influence Company’s operation effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in consumer confidence. Information integrity is vital.

Examples:

  • Passwords and information on corporate security procedures

  • Know-how used to process client information

  • Standard Operating Procedures used in all parts of Company’s business

  • All Company-developed software code, whether used internally or provided to clients

4.3 Information Category: Client Confidential Data

Information received from clients in any form for processing in production. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital.

Examples:

  • Client media

  • Electronic transmissions from clients

  • Client provided customer data

4.4. Information Category: Company Confidential Data

Information collected and used by the Company in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.

Examples:

  • Salaries and other personnel data

  • Accounting data and internal financial reports

  • Confidential customer business data and confidential contracts

  • Non disclosure agreements with clients\vendors

  • Company business plans

5. POLICY COMPLIANCE

5.1 Compliance Measurement

The Information Security Team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the Information Security Team (security@mitocgroup.com) in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Attribution

This Data Classification Policy is derived Mitoc Group - source

This section is licensed: Mozilla Public License 2.0