Information Classification

From Officience

Jump to: navigation, search

Contents

1 Introduction
2 Scope
3 Responsibilities
- 3.1 Members of Officience
- 3.2 Information Security Team
4 Training and Awareness
5 Information Classification
6 Data Handling Guideline
- 6.1 Data storage
- 6.2 Data retention and disposal

Introduction

The purpose of this document is to support the classification of data to allow for the protection of Officience data, or data held by Officience, in terms of confidentiality, integrity, and availability

Scope

This policy covers all information held by and on behalf of Officience, whether digital or paper. The handling rules will apply to members of the company including staff and to the third parties processing or handling company information where the company holds information on behalf of another organization with its own information classification, the agreement will be reached as to which set of handling rules will apply.

Responsibilities

Members of Officience

All information owners are responsible for ensuring that this policy is adopted and that sensitive information they produce is appropriately protected and marked with the appropriate classification. Officience members must respect the security classification of any information as defined, and must report any data loss or unauthorized disclosure, access or alteration of classified information to the ITS or to the Information Security Team as quickly as possible (with reference to the Information Security Incident Management Procedure.

Information Security Team

Responsible for advising on and recommending information security standards on data classification.

Training and Awareness

Employees will be made aware of this policy through communications, training and awareness events.

Information Classification

Information created and received by Officience should be classified according to the sensitivity of its contents. Classification and controls should take account of organization needs for sharing or restricting information, and the associated impacts and risks, e.g. unauthorized access or damage to the information.
Collections of diverse information should be classified as to the most secure classification level of an individual information component with aggregated information.

Data Classification	Description	Example Data Types
Confidential	A subset of information handled by Officience where the inappropriate use of the information could have damaging consequences for Officience, for an individual (or group of individuals), or other organizations. Consequences if the information is mishandled: Unauthorized disclosure likely to result in significant adverse impact, embarrassment or penalties to Officience, its stakeholders, employees, or members of the public.	Business contract Customer-related documents Customer information Employee medical record Specified by customers Network infrastructure System configurations (servers, routers, switches, etc.) System accounts credentials Information that could be used to compromise the security of Officience information such as internal IP addresses, details of security measures and versions of security products Commercial or market -sensitive information such as details of potential supplier bids prior to contract award, pricing schedules, customer details, details of unique aspects of a business model, tender information for unsuccessful bidders Personally Identifiable Information Financial information Risk registers Major security or business continuity issues;
Internal	This information applies to less sensitive business information which is intended for use within Officience and shall not be distributed outside of Officience. Its unauthorized disclosure could adversely impact Officience, its employees, and/or its customers but the impact would not be devastating. Information, which is considered to be private to the organization, is included in this classification	Project documents Internal policies and procedures Operational information, e.g. relating to organizational change planning, contentious negotiations
Public	This classification applies to information which has been explicitly approved by Officience management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be viewed by anyone, anywhere inside/outside Officience without potential harm.	Non person-identifiable information Marketing materials (ie Offy handbook, service brochure…) advertisement Job opening Announcement Press releases

Data Handling Guideline

Data storage


Location	Confidential	Internal	Public
Officience owned PC storage (for individual use)	Following password policy Lock screen when unattended Must be part of a standard backup policy	Following password policy Lock screen when unattended Must be part of a standard backup policy	No special measures
Shared hard drive - Officience PC storage	Permitted. Must set the permissions for authorized users	Permitted	Not permitted
Officience owned PC for public use (ie meeting room)	Not permitted High risk of an incidental disclosure Log out and shut down the PC Apply clean screen and trash bin policy	Not permitted High risk of an incidental disclosure Log out and shut down the PC Apply clean screen policy	No special measures
Personally owned (ie Laptop)	Must follow BYOD policy	Must follow BYOD policy	No special measures
Personally owned Smartphone or tablet	Not permitted. Maybe used for read-only if the file stored in Cloud Device to be protected by strong password, with a maximum of 10 minutes inactivity until device locks.	No creation/ editing/ storage of classified material permitted on device Maybe used for read-only if the file stored in Cloud Device to be protected by strong password, with a maximum of 10 minutes inactivity until device locks.	May be used for remote connection to access files Creation/ editing/ storage is permitted
Small capacity portable storage devices (e.g. USB, CD,)	Avoid use where possible Consider alternative means of transfer/ access instead ie use shared drive.	Use the encrypted USB drive Not suitable for long-term storage Keep in lockable cabinet/drawer which is locked when unattended	Not suitable for long-term storage
Large capacity portable storage devices (i.e. external hard drive)	Avoid use where possible Permitted in limited circumstances only. The device must be encrypted. Contact ITS for the encryption.	Permitted in limited circumstances only. The device must be encrypted. Contact ITS for the encryption.	If these are required, contact IT Support
‘Cloud’ storage (ie GDrive)	If restricted to authorized recipients	If restricted to Officience	Could be shared public
Sending from Company hosted email account to another internal email account	Marked confidential and double check recipient Only share to individual who need to know Enable undo send for account Avoid auto forwarding to another email account	Double check recipient Enable undo send for account Avoid auto forwarding to another email account	Permitted
Sending from Company hosted email account to an external account	Only for the individuals that are the owners or the customer of the information	Only for limited circumstances if the recipient does not have a Officience email account and for a business purpose Only share to individual who need to know Double check recipient Use password to protect the data. Send password separately or use the password has been discussed before. Enable undo send for account Avoid auto forwarding to another email account	Permitted
Sending from an externally provided personal email account (e.g. Hotmail, Gmail etc)	Not permitted	Not permitted	Not permitted unless sending to the company email account
Paper copies	Consider: Protection from fire and flood damage In restricted access (working area): In lockable cabinet/drawer which is locked when not in active use. No papers left out unless being actively worked on. Segregate from routine files In unrestricted access: Not permitted Alternative: create/convert to the electronic document Off-site working: Not permitted	Consider: Protection from fire and flood damage In restricted access (working area) Requirement: In lockable cabinet/drawer which is locked when not in active use. No papers left out unless being actively worked on. In unrestricted access: In lockable cabinet/drawer which is locked when not in active use. No papers left out unless being actively worked on. Off-site working: Not permitted	No special measures
Printing/scanning/ photocopying	Proactively protect against accidental compromise, for example don’t leave in copiers, check all pages retrieved.	Proactively protect against accidental compromise, for example don’t leave in copiers, check all pages retrieved.	No special measures
Telephone conversation	Requirement: Ensure conversations cannot be overheard. Manage calls to ensure only authorized individual present.	Requirement: Ensure conversations cannot be overheard. Manage calls to ensure only authorized individual present.	No special measures

Data retention and disposal


Data Classification	Physical	Digital
Confidential	Physical media exceeded the retention period should be shredded (for paper) or destroyed (CD, tape, etc.) so that data on the media cannot be recovered or reconstructed.	Data reach the retention period shall be deleted and unrecoverable (e.g. eraser, zero-fill, etc.). Ask IT Support to secure delete if you don’t make sure the data is totally wiped.
Internal	Physical media exceeded the retention period should be shredded (for paper) or destroyed (CD, tape, etc.) so that data on the media cannot be recovered or reconstructed.	Data reach the retention period shall be deleted and unrecoverable (e.g. eraser, zero-fill, etc.).
Public	No protection requirements. Recycle where possible	No protection requirements. Recycle where possible

Retrieved from "http://wiki.officience.com/index.php?title=Information_Classification&oldid=1047"