Data Classification Policy¶
Example from Mitoc Group.
Information classification is the process of assigning value to information in order to organize it according to the risk of loss or harm from its disclosure. The Mitoc Group Inc (the “Company”) information classification and handling standard establishes a baseline derived from the federal laws, state laws, regulations, and Company policies that govern the privacy and confidentiality of information.
The purpose of this policy is to help the Company manage and protect its information assets.
All employees, contractors, consultants, temporary and other workers at the Company and its subsidiaries must adhere to this policy. All Company associates share in the responsibility for ensuring that information assets receive an appropriate level of protection by observing this policy. This policy also specifies requirements for equipment on the Company’s internal network.
Company managers or information ‘owners’ shall be responsible for assigning classifications to information assets according to the standard information classification system presented below. (‘Owners’ have management responsibility approved by the Company; they do not have property rights in the information.)
Where practicable, the information category shall be embedded in the information itself (for example, as a label in a document header or footer, or in file metadata), so that the classification travels with the information.
All Company associates shall be guided by the information category in their security-related handling of the information.
All Company information, and all information entrusted to the Company by third parties, falls into one of the four classifications below, presented in order of increasing sensitivity.
4.1 Information Category: Unclassified Public¶
Information is not confidential and can be made public without any implications for the Company. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. Examples:
- Product brochures that are widely distributed
- Information widely available in the public domain, including publicly available areas of the Company web site
- Sample downloads of Company software
- Financial reports required by regulatory authorities
- Newsletters for external transmission
4.2 Information Category: Proprietary¶
Information is restricted to management-approved internal access and protected from external access. Unauthorized access could affect the Company’s operational effectiveness, cause significant financial loss, provide a significant gain to a competitor, or cause a major drop in consumer confidence. Information integrity is vital. Examples:
- Passwords and information on corporate security procedures
- Know-how used to process client information
- Standard Operating Procedures used in all parts of the Company’s business
- All Company-developed software code, whether used internally or provided to clients
4.3 Information Category: Client Confidential Data¶
Information received from clients in any form for processing in production. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital. Examples:
- Electronic transmissions from clients
- Customer data provided by clients
4.4 Information Category: Company Confidential Data¶
Information collected and used by the Company in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the Company. The highest possible levels of integrity, confidentiality, and restricted availability are vital. Examples:
- Salaries and other personnel data
- Accounting data and internal financial reports
- Confidential customer business data and confidential contracts
- Non-disclosure agreements with clients and vendors
- Company business plans
5. POLICY COMPLIANCE¶
5.1 Compliance Measurement¶
The Information Security Team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the Information Security Team (email@example.com) in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.