Information Classification

From Officience
Revision as of 16:17, 28 October 2019 by Duykhang.nguyen (talk | contribs) (Created page with "== Introduction == The purpose of this document is to support the classification of data to allow for the protection of Officience data, or data held by Officience, in terms o...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Introduction

The purpose of this document is to support the classification of data to allow for the protection of Officience data, or data held by Officience, in terms of confidentiality, integrity, and availability

Scope

This policy covers all information held by and on behalf of Officience, whether digital or paper. The handling rules will apply to members of the company including staff and to the third parties processing or handling company information where the company holds information on behalf of another organization with its own information classification, the agreement will be reached as to which set of handling rules will apply.

Responsibilities

Members of Officience

All information owners are responsible for ensuring that this policy is adopted and that sensitive information they produce is appropriately protected and marked with the appropriate classification. Officience members must respect the security classification of any information as defined, and must report any data loss or unauthorized disclosure, access or alteration of classified information to the ITS or to the Information Security Team as quickly as possible (with reference to the Information Security Incident Management Procedure.

Information Security Team

Responsible for advising on and recommending information security standards on data classification.

Training and Awareness

Employees will be made aware of this policy through communications, training and awareness events.

Information Classification

  1. Information created and received by Officience should be classified according to the sensitivity of its contents. Classification and controls should take account of organization needs for sharing or restricting information, and the associated impacts and risks, e.g. unauthorized access or damage to the information.
  2. Collections of diverse information should be classified as to the most secure classification level of an individual information component with aggregated information.
Data Classification Description Example Data Types
Confidential A subset of information handled by Officience where the inappropriate use of the information could have damaging consequences for Officience, for an individual (or group of individuals), or other organizations.

Consequences if the information is mishandled: Unauthorized disclosure likely to result in significant adverse impact, embarrassment or penalties to Officience, its stakeholders, employees, or members of the public.

  • Business contract
  • Customer-related documents
  • Customer information
  • Employee medical record
  • Specified by customers
  • Network infrastructure
  • System configurations (servers, routers, switches, etc.)
  • System accounts credentials
  • Information that could be used to compromise the security of Officience information such as internal IP addresses, details of security measures and versions of security products
  • Commercial or market -sensitive information such as details of potential supplier bids prior to contract award, pricing schedules, customer details, details of unique aspects of a business model, tender information for unsuccessful bidders
  • Personally Identifiable Information
  • Financial information
  • Risk registers
  • Major security or business continuity issues;
Internal This information applies to less sensitive business information which is intended for use within Officience and shall not be distributed outside of Officience. Its unauthorized disclosure could adversely impact Officience, its employees, and/or its customers but the impact would not be devastating. Information, which is considered to be private to the organization, is included in this classification
  • Project documents
  • Internal policies and procedures
  • Operational information, e.g. relating to organizational change planning, contentious negotiations
Public This classification applies to information which has been explicitly approved by Officience management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be viewed by anyone, anywhere inside/outside Officience without potential harm.
  • Non person-identifiable information
  • Marketing materials (ie Offy handbook, service brochure…)
  • advertisement
  • Job opening
  • Announcement
  • Press releases

Data Handling Guideline

Data storage

Location Confidential Internal Public
Officience owned PC storage (for individual use) Following password policy

Lock screen when unattended Must be part of a standard backup policy

Following password policy

Lock screen when unattended Must be part of a standard backup policy

No special measures
Shared hard drive - Officience PC storage Permitted.

Must set the permissions for authorized users

Permitted Not permitted
Officience owned PC for public use (ie meeting room) Not permitted

High risk of an incidental disclosure Log out and shut down the PC Apply clean screen and trash bin policy

Not permitted

High risk of an incidental disclosure Log out and shut down the PC Apply clean screen policy

No special measures
Personally owned (ie Laptop) Must follow BYOD policy Must follow BYOD policy No special measures
Personally owned Smartphone or tablet Not permitted.

Maybe used for read-only if the file stored in Cloud Device to be protected by strong password, with a maximum of 10 minutes inactivity until device locks.

No creation/ editing/ storage of classified material permitted on device

Maybe used for read-only if the file stored in Cloud Device to be protected by strong password, with a maximum of 10 minutes inactivity until device locks.

May be used for remote connection to access files

Creation/ editing/ storage is permitted

Small capacity portable storage devices (e.g. USB, CD,) Avoid use where possible

Consider alternative means of transfer/ access instead ie use shared drive.

Use the encrypted USB drive

Not suitable for long-term storage Keep in lockable cabinet/drawer which is locked when unattended

Not suitable for long-term storage
Large capacity portable storage devices (i.e. external hard drive) Avoid use where possible

Permitted in limited circumstances only. The device must be encrypted. Contact ITS for the encryption.

Permitted in limited circumstances only.

The device must be encrypted. Contact ITS for the encryption.

If these are required, contact IT Support
‘Cloud’ storage (ie GDrive) If restricted to authorized recipients If restricted to Officience Could be shared public
Sending from Company hosted email account to another internal email account Marked confidential and double check recipient

Only share to individual who need to know Enable undo send for account Avoid auto forwarding to another email account

Double check recipient

Enable undo send for account Avoid auto forwarding to another email account

Permitted
Sending from Company hosted email account to an external account Only for the individuals that are the owners or the customer of the information Only for limited circumstances if the recipient does not have a Officience email account and for a business purpose

Only share to individual who need to know Double check recipient Use password to protect the data. Send password separately or use the password has been discussed before. Enable undo send for account Avoid auto forwarding to another email account

Permitted
Sending from an externally provided personal email account (e.g. Hotmail, Gmail etc) Not permitted Not permitted Not permitted unless sending to the company email account
Paper copies Consider: Protection from fire and flood damage

In restricted access (working area): In lockable cabinet/drawer which is locked when not in active use. No papers left out unless being actively worked on. Segregate from routine files In unrestricted access: Not permitted Alternative: create/convert to the electronic document Off-site working: Not permitted

Consider: Protection from fire and flood damage

In restricted access (working area) Requirement: In lockable cabinet/drawer which is locked when not in active use. No papers left out unless being actively worked on. In unrestricted access: In lockable cabinet/drawer which is locked when not in active use. No papers left out unless being actively worked on. Off-site working: Not permitted

No special measures
Printing/scanning/ photocopying Proactively protect against accidental compromise, for example don’t leave in copiers, check all pages retrieved. Proactively protect against accidental compromise, for example don’t leave in copiers, check all pages retrieved. No special measures
Telephone conversation Requirement:

Ensure conversations cannot be overheard. Manage calls to ensure only authorized individual present.

Requirement:

Ensure conversations cannot be overheard. Manage calls to ensure only authorized individual present.

No special measures

Data retention and disposal

Data Classification Physical Digital
Confidential Physical media exceeded the retention period should be shredded (for paper) or destroyed (CD, tape, etc.) so that data on the media cannot be recovered or reconstructed. Data reach the retention period shall be deleted and unrecoverable (e.g. eraser, zero-fill, etc.). Ask IT Support to secure delete if you don’t make sure the data is totally wiped.
Internal Physical media exceeded the retention period should be shredded (for paper) or destroyed (CD, tape, etc.) so that data on the media cannot be recovered or reconstructed. Data reach the retention period shall be deleted and unrecoverable (e.g. eraser, zero-fill, etc.).
Public No protection requirements. Recycle where possible No protection requirements. Recycle where possible
Retrieved from "http://wiki.officience.com/index.php?title=Information_Classification&oldid=1047"