Data Classification Policy

Modified on Fri, 8 Nov at 2:07 PM

Purpose and Scope

This data classification policy defines the requirements to ensure that information within Personal Audit Systems Ltd (PAS) is protected at an appropriate level.

This document applies to the entire scope of PAS’s information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written.

This policy applies to all individuals and systems that have access to information kept by PAS.


Background

This policy defines the high-level objectives and implementation instructions for PAS’s data classification scheme. This includes data classification levels, as well as procedures for the classification, labelling and handling of data within PAS. Confidentiality and non-disclosure agreements maintained by PAS must reference this policy.


Policy

  1. If classified information is received from outside PAS, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.
  2. If classified information is received from outside PAS and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be determined in accordance with the specifications of the respective customer service agreement and other legal requirements.
  3. When classifying information, the level of confidentiality is determined by:
    • The value of the information based on impacts identified during the risk assessment process.   
    • Sensitivity and criticality of the information based on the highest risk calculated for each information item during the risk assessment.
    • Legal, regulatory, and contractual obligations.
    • Information must be classified based on confidentiality levels as defined in Table 1.
    • Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs.
    • Information classified as ‘Restricted’ or ‘Confidential’ must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information.
    • Information classified as ‘Internal Use’ must be accompanied by a list of authorized persons only if individuals outside PAS will have access to the document.
    • Information and information system owners must review the confidentiality level of their information assets every five years and assess whether the confidentiality level should be changed. Wherever possible, confidentiality levels should be lowered.
  4. For cloud-based software services provided to customers, system owners under PAS’s control must also review the confidentiality level of their information systems after service agreement changes or after a customer’s formal notification. Where allowed by service agreements, confidentiality levels should be lowered. Customer information stored on our servers is classed as ‘Confidential’ (see Table 1).
  5. Information must be labelled according to the following:
    • Paper documents: the confidentiality level is indicated on the bottom of each document page; it is also indicated on the front of the cover or envelope carrying such a document as well as on the filing folder in which the document is stored. If a document is not labelled, its default classification is Internal Use.
    • Electronic documents: the confidentiality level is indicated on the bottom of each document page. If a document is not labelled, its default classification is Internal Use.
    • Information systems: the confidentiality level in applications and databases must be indicated on the system access screen, as well as on the screen when displaying such information.
    • Electronic mail: the confidentiality level is indicated in the first line of the email body. If it is not labelled, its default classification is ‘Internal Use’.
    • Electronic storage media (disks, memory cards, etc.): the confidentiality level must be indicated on the top surface of the media. If it is not labelled, its default classification is ‘Internal Use’.
    • Information transmitted orally: the confidentiality level should be mentioned before discussing information during face-to-face communication, by telephone, or any other means of oral communication.
  6. All persons accessing classified information must follow the guidelines listed in Appendix A, ‘Handling of Classified Information.’
  7. All persons accessing classified information must complete and submit a Confidentiality Statement to their immediate manager or Managing Director.
  8. Incidents related to the improper handling of classified information must be reported in accordance with the Incident Handling and Data Breach policy.

                 

Confidentiality Level | Label | Classification Criteria | Access Restrictions
Public | For Public Release | Making the information public will not harm PAS Ltd in any way. | Information is available to the public.
Internal Use | Internal Use | Unauthorized access may cause minor damage and/or inconvenience to PAS Ltd. | Information is available to all employees and authorized third parties.
Restricted | Restricted | Unauthorized access to information may cause considerable damage to the business and/or PAS Ltd’s reputation. | Information is available to a specific group of employees and authorized third parties.
Confidential | Confidential | Unauthorized access to information may cause catastrophic damage to the business and/or PAS Ltd’s reputation. | Information is available only to specific individuals in PAS.

Table 1: Information Confidentiality Levels


Appendix A: Handling of Classified Information

Information and information systems must be handled according to the following guidelines*:


Paper Documents

  1. Internal Use
    1. Only authorized persons may have access.
    2. If sent outside PAS, the document must be sent as ‘signed for’. 
    3. Documents may only be kept in rooms without public access.
    4. Documents must be removed immediately from printers and fax machines.
  2. Restricted
    1. The document must be stored in a locked cabinet.
    2. Documents may be transferred within and outside PAS only in a closed envelope.
    3. If sent outside PAS, the document must be mailed ‘signed for’.
    4. Documents must immediately be removed from printers and fax machines.
    5. Only the document owner may copy the document.
    6. Only the document owner may destroy/shred the document.
  3. Confidential
    1. The document must be stored in a safe.
    2. The document may be transferred within and outside PAS only by a trustworthy person in a closed and sealed envelope.
    3. Faxing the document is not permitted.
    4. The document may be printed only if the authorized person is standing next to the printer.


Electronic Documents

  1. Internal Use
    1. Only authorized persons may have access.
    2. When documents are exchanged via unencrypted file sharing services, they must be password protected.
    3. Access to the information system where the document is stored must be protected by a strong password.
    4. The screen on which the document is displayed must be automatically locked after 15 minutes of inactivity.
  2. Restricted
    1. Only persons with authorization for this document may access the part of the information system where this document is stored.
    2. When documents are exchanged via file sharing services of any type, they should be encrypted.
    3. Only the document owner may erase the document.
  3. Confidential
    1. The document must be stored in encrypted form.
    2. The document may be stored only on servers which are controlled by PAS.
    3. The document may only be shared via file sharing services that are encrypted such as HTTPS and SSH. Further, the document must be encrypted and protected with a strong password when transferred.


Information Systems

  1. Internal Use
    1. Only authorized persons may have access.
    2. Access to the information system must be protected by a strong password.
    3. The screen must be automatically locked after 15 minutes of inactivity.
    4. The information system may be only located in rooms with controlled physical access.
  2. Restricted
    1. Users must log out of the information system if they have temporarily or permanently left the workplace.
    2. Data must be erased only with an algorithm that ensures secure deletion.
  3. Confidential
    1. Access to the information system must be controlled via clearance with the Managing Director.
    2. The information system may only be installed on servers controlled by PAS.
    3. The information system may only reside in locations with controlled physical access and identity control of people accessing the room.


Electronic Mail

  1. Internal Use
    1. Only authorized persons may have access.
    2. The sender must carefully check the recipient.
    3. All rules stated under ‘information systems’ apply.
  2. Restricted
    1. Email must be encrypted (TLS) if sent outside PAS.
  3. Confidential
    1. Email must be encrypted.


Electronic Storage Media

  1. Internal Use
    1. Only authorized persons may have access.
    2. Media or files must be password protected.
    3. If sent outside PAS, the medium must be sent as registered mail.
    4. The medium may only be kept in rooms with controlled physical access.
  2. Restricted
    1. Media and files must be encrypted.
    2. Media must be stored in a locked cabinet.
    3. If sent outside PAS, the medium must be mailed with a return receipt service.
    4. Only the medium owner may erase or destroy the medium.
  3. Confidential
    1. Media must be stored in a safe.
    2. Media may be transferred within and outside PAS only by a trustworthy person and in a closed and sealed envelope.


Information Transmitted Orally

  1. Internal Use
    1. Only authorized persons may have access to information.
    2. Unauthorized persons must not be present in the room when the information is communicated.
  2. Restricted
    1. The room must be protected from sound leakage.
    2. The conversation must not be recorded.
  3. Confidential
    1. No transcript of the conversation may be kept.


Please note: In this document, controls are implemented cumulatively, meaning that the controls for any confidentiality level also imply the implementation of the controls defined for lower confidentiality levels. Where a higher confidentiality level prescribes a stricter version of a control, only the stricter control is implemented.

 

 
