Policy
Policy Name
Information Classification Policy

Overview
Information (or Data) Classification is the process of classifying information into high-level categories based on its sensitivity and value to the organization. The higher the level of data classification (e.g. Confidential or Secret), the stronger the security controls and the greater the attention that should be in place to protect the sensitive information.

Statement
  • The organization must classify, label and manage information based on sensitivity and business value in accordance with legal and regulatory requirements.
  • Information shall be classified using one of the following categories in order of least to most valuable to the organization:
    • Public: data intended for public consumption and not deemed sensitive. Unauthorized disclosure would have no impact on the organization.
    • Internal: data intended for use in normal internal business operations that is not defined as sensitive but still requires limited security controls. Unauthorized disclosure would have little to moderate impact on the organization.
    • Confidential: data that is sensitive to the organization and must have a high level of security controls for data protection. Examples include, but are not limited to, Personally Identifiable Information (customer names, SSNs, credit card numbers, employee IDs, etc.), financial reports, and network diagrams. Unauthorized disclosure would have a serious impact on the organization and can affect the financial or legal status of the organization or lead to a breach of employee or customer privacy.
    • Secret: data that is the most sensitive and valuable to the organization and must have the highest level of security controls for data protection. Examples include, but are not limited to, marketing plans, trade secrets, and intellectual property. Unauthorized disclosure would have a severe or catastrophic impact on the organization that can affect the financial status, legal status and brand of the organization.
  • Information must be classified regardless of media type (e.g. hard disks, tapes, removable media) and location.
  • The information owner is responsible for determining the information classification and updating it as appropriate.
  • Authentication credentials (e.g. passwords) are classified as Secret and must be strictly controlled and protected from unauthorized disclosure.

Justification

The following benefits will be achieved:

  • Data protection and prevention of unauthorized disclosure of sensitive information.
  • Prioritization of data protection for the most sensitive and valuable information.

Scope
All employees, contractors, agents and third-parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Information (Data) Classification, Labeling and Handling
Asset Management