Policy
Policy Name
Information Labeling, Handling and Disposal Policy

Overview
This policy describes the requirements to properly label, handle, dispose and protect information (or data) based on data classification levels.

Statement
  • Information must be labeled regardless of media type (e.g. hard disks, tapes, removable media) and location.
  • Electronic information (e.g. e-mail, files, databases) must display or include the data classification to allow the appropriate protection and access to the information.
  • Printed information (e.g. reports, documents) must display the data classification that is clearly legible.
  • Sensitive information (e.g. Confidential or Secret) must be secured from unauthorized access or misuse.
  • Locked bins must be used to store sensitive documents or media (awaiting disposal or transportation).
  • Information must be transported and secured using an approved vendor or company process to protect information based on its data classification.
  • Information must be disposed of appropriately:
    • Evidence of hand-off of information to disposal vendor (if third party is used)
    • Paper documents and removable media (e.g. tapes, CD's) must be cross-cut shredded or incinerated
    • Destruction of information must be certified by disposal vendor
    • Hard disks must be disposed of according to hard disk disposal guidelines and procedures

Justification

The following benefits will be achieved:

  • Data protection and prevention of unauthorized disclosure of sensitive information
  • Information will be properly labeled, handled and disposed of according to data classification

Scope
All employees, contractors, agents and third-parties

Consequeces for Noncompliance
Noncompliance to this policy can result in disciplinary action up and including termination of employment or contract.

Topics
Information (Data) Classification, Labeling and Handling