Data Classification Policy
Purpose
The purpose of this document is to define the standards for classifying data based on its sensitivity, value, and criticality to the organization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. Information assets and systems are classified according to the risks associated with the data being stored or processed. High risk data needs the greatest amount of protection to prevent compromise while lower risk data can be given proportionately less protection. All organisational data should be classified into one of three classification tiers as described below.
Scope
This standard applies to all data generated, processed, stored, and transmitted by the organization.
Classification Levels
Confidential Data: This is the most sensitive category and includes data that must be protected at all costs, such as trade secrets, financial information, personally identifiable information (PII), and confidential business information.
Internal / Private Data: This category includes sensitive data but is not as critical as confidential data, such as employee payroll information, internal memos, and project plans.
Public Data: This category includes data that is not sensitive and can be freely shared with the public, such as company press releases and marketing materials.
Classification Criteria
Tier I - Confidential Data
Data is classified as Tier I - Confidential when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the Company, its users, or its partners. Examples of Confidential data include data protected by privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied.
Examples of Tier 1 data
Confidential data include financial data (credit card numbers, bank details, etc.), research data, and individuals’ sensitive information.
Examples of how data can be lost
Workstation with access to data and systems is compromised.
User account with access to data is compromised.
Unsecured network service or application is compromised and data stolen.
Mobile device such as a laptop or smartphone is lost or stolen.
Former employee accesses system because “shared” passwords were not changed.
Unauthorized visitor walks into an office or lab and steals equipment.
Unauthorized user accesses an non-secure computer.
Impact of Tier I Data Loss
- Long-term loss of reputation.
- Increase in regulatory requirements.
- Civil monetary penalties as well as imprisonment.
- Individuals put at risk for identity theft.
Tier II - Internal / Private Data
Data should be classified as Tier II - Internal/Private when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to the Company, its users, or its partners. By default, all information assets that are not explicitly classified as Confidential or Public data should be treated as Internal/Private data and a reasonable level of security controls should be applied.
Examples of Tier II data
Include official records such as financial reports, non-PII human resources information, some research data, and budget information.
Examples of how data can be lost
All of the examples detailing how Tier 1 data can be lost are applicable. Tier 2 data in some cases is also more susceptible to unauthorized disclosure as employees are more likely to release the data by mistake or due to being the victim of a social engineering attack.
Impact of Tier II Data Loss
- Short-term loss of reputation.
- Short-term loss of critical departmental service.
Tier III - Public Data
Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would results in little or no risk to the Company, its users, or its partners. While little or no controls are required to protect the confidentiality of Tier III - Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
Tier III - Public data is not considered sensitive however the integrity of Public data should be protected. The impact on the Company, should Tier III - Public data not be available is typically low (inconvenient but not debilitating).
Examples of how data can be lost
Most of the examples listed for Tier I data apply.
Impact of Tier III Data Loss
Loss of use of personal workstation or laptop.
Loss of personal data with no impact to the University.
Publicly accessible data could be inaccurate due to unauthorized modification.
Publicly accessible data could be modified to direct users towards malicious systems.
Funding of Tree Planting Projects
Customers understand that number of trees planted within subscription plans and in their account dashboard are based on actual historical operating costs of donating to the reforestation partner that plants trees for us. These costs are $0.25 per tree planted.
Data Handling
Records containing confidential information should exist only in areas where there is a legitimate and justifiable business need. Confidential information should be accessed from its original source whenever possible. Copies and printed versions of the information should be kept to a minimum.
Access
Access to Confidential data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the Company who require such access in order to perform their job (need to know basis). Access to Confidential data must be individually requested and then authorized by the Data Owner who is responsible for the data.
Access to Internal / Private data must be requested from, and authorized by, the Data Owner who is responsible for the data. Access to Internal / Private data may be authorized to groups of people by their job classification or responsibilities (role-based access), and may also be limited by one’s department.
Use, Transmission and Storage
The following controls are required when using, transmitting, or storing confidential information:
Do not discuss or display it in an environment where it may be viewed or overheard by unauthorized individuals.
Do not leave keys or access badges for rooms or file cabinets containing such information in areas accessible to unauthorized personnel.
When printing, photocopying, or faxing, ensure that only authorized personnel will be able to access the output. Sensitive information should not be transmitted to network-connected printing/scanning devices unless on a closed or securely encrypted network.
All confidential data must be stored only on centrally managed network storage devices. Confidential data cannot be stored on any local storage devices under any circumstances.
Proprietary research equipment or instruments that are unable to reasonably output data to the centrally managed network storage devices must have a periodic backup mechanism that copies the output data onto a centrally managed network storage device.
Store paper documents in a locked drawer and in a locked room or other secure location.
Confidential information may not be stored on any personal equipment. Additionally, users may not send or forward emails containing Tier I data to personal email accounts.
Properly identify such information as Confidential to all recipients by labeling it accordingly, providing training to personnel, explicitly mentioning the classification or similar means.
Encrypt sensitive information when (1) placing it on removable media; (2) placing it on a mobile computer (e.g. laptops, PDAs, smart phones); or (3) sending it via electronic mail.
Do not send sensitive information via instant message or unsecured file transfer.
Breach Disclosure of Sensitive Information
Please report any information security problems or potential problems immediately. Timely reporting will help determine if further investigation is necessary and can limit further damage or loss of data.
Consequences and Sanctions
Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other Company policies including progressive discipline up to and including termination of employment.
Review and Update
These standards will be reviewed every 6 months and will be updated based on the changing business needs and environment.
Approval
Any changes to this document will be reviewed and approved by Paul Dunca, COO.