Purpose

The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value and criticality to the organization, so sensitive corporate and customer data can be secured appropriately.

Scope

This policy applies to any form of data, including paper documents and digital data stored on any type of media. It applies to all of the organization’s employees, as well as to third-party agents authorized to access the data.

Roles and Responsibilities
a) Data owner

The person who is ultimately responsible for the data and information being collected and maintained by his or her department or division, usually a member of senior management. The data owner shall address the following:

  • Review and categorization: Review and categorize data and information collected by his or her department or division
  • Assignment of data classification labels: Assign data classification labels based on the data’s potential impact level
  • Data compilation: Ensure that data compiled from multiple sources is classified with at least the most secure classification level of any individually classified data
  • Data classification coordination: Ensure that data shared between departments is consistently classified and protected
  • Data classification compliance (in conjunction with data custodians): Ensure that information with high and moderate impact level is secured in accordance with federal or state regulations and guidelines
  • Data access (in conjunction with data custodians): Develop data access guidelines for each data classification label
b) Data custodians

Technicians from the IT department or, in larger organizations, the Information Security office. Data custodians are responsible for maintaining and backing up the systems, databases and servers that store the organization’s data. In addition, this role is responsible for the technical deployment of all of the rules set forth by data owners and for ensuring that the rules applied within systems are working. Some specific data custodian responsibilities include:

  • Access control: Ensure that proper access controls are implemented, monitored and audited in accordance with the data classification labels assigned by the data owner
  • Audit reports: Submit an annual report to the data owners that addresses availability, integrity and confidentiality of classified data
  • Data backups: Perform regular backups of state data
  • Data validation: Periodically validate data integrity
  • Data restoration: Restore data from backup media
  • Compliance: Fulfill the data requirements specified in the organization’s security policies, standards and guidelines pertaining to information security and data protection
  • Monitor activity: Monitor and record data activity, including information on who accessed what data
  • Secure storage: Encrypt sensitive data at rest while in storage; audit storage area network (‘SAN’) administrator activity and review access logs regularly
  • Data classification compliance (in conjunction with data owners): Ensure that information with high and moderate impact level is secured in accordance with federal or state regulations and guidelines
  • Data access (in conjunction with data owners): Develop data access guidelines for each data classification label


c) Data user

Person, organization or entity that interacts with, accesses, uses or updates data for the purpose of performing a task authorized by the data owner. Data users must use data in a manner consistent with the purpose intended and comply with this policy and all policies applicable to data use.

Data Classification Procedure

A. All data at Company shall be assigned one of the following classifications. Collections of diverse information should be classified at the most secure classification level of any individual information component within the aggregated information.

  • Restricted: Data in any format collected, developed, maintained or managed by or on behalf of the Company, or within the scope of activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to, medical records, social security numbers, credit card numbers, driver's licenses and export-controlled technical data.
  • Sensitive: Data whose loss or unauthorized disclosure would impair the functions of the Company, cause significant financial or reputational loss or lead to likely legal liability. Examples include, but are not limited to, research work in progress, animal research protocols, financial information, strategy documents and information used to secure the Company’s physical or information environment.
  • Confidential: Information for which unwanted disclosure can have “minor” or “moderate” risk impact. The information can be valuable for competitors (e.g., controlling data, procurement and sales contracts, source code of software developed by Company or design documents).
  • Internal: Corporate proprietary information, for which unwanted disclosure can have only "marginal" risk impact. This information may be accessible to a large circle of employees on a need-to-know basis, but not to people outside the company (e.g., organizational plans, internal telephone directories, internal guidelines, test reports).
  • Public/Open: Data that does not fall into any of the other information classifications. This data may be made generally available without specific information owner’s designee or delegate approval. This kind of information includes corporate information, which is intended for public use or where disclosure has no negative impact (e.g., press releases, job postings and advertising material). It is either labelled as “Unrestricted” or immediately identifiable as for public-use information (e.g., an internet web site).

B. Data owners review each piece of data they are responsible for and determine its overall impact level, as follows:

  • If it matches any of the predefined types of restricted/sensitive information listed in Appendix A, the data owner assigns it an overall impact level of “High.”
  • If it does not match any of the predefined types in Appendix A, the data owner should determine its information type and impact levels based on the guidance provided in Section 5 of this policy. The highest of the three impact levels is the overall impact level.
  • If the information type and overall impact level still cannot be determined, the data owner must work with the data custodians to resolve the question.

C. The data owner assigns each piece of data a classification label based on the overall impact level:

Overall Impact Level | Classification Label
High | Restricted/ Sensitive
Moderate | Confidential/ Internal
Low | Public

D. The data owner records the classification label and overall impact level for each piece of data in the official data classification table.

E. Data custodians apply appropriate security controls to protect each piece of data according to the classification label and overall impact level recorded in the official data classification table.

Impact Level Guideline

Users shall refer to the table below to assess the potential impact to the company of a loss of the confidentiality, integrity or availability of any data asset.

Security Objective Potential Impact
Low Moderate High
High Restricted/ Sensitive High Restricted/ Sensitive
Moderate Confidential/ Internal Moderate Confidential/ Internal
Low Public Low Public
Applicability

This policy applies to all organizational functions, business associates (or affiliates), employees, consultants, subcontractors and third-party personnel who are involved in the data classification and protection process. The policy will only apply to data stored within the Company environment.

Inclusions & Exclusions

This policy applies to all regions of Company.

Company Responsibilities
  • The Chief Information Officer (‘CIO’) is responsible for reviewing and approving the policy and for ensuring that it reflects the current requirements of Company Business Services.
  • The Risk & Compliance Head is responsible for development, implementation, maintenance and enforcement of the policy.
  • The Internal Audit Team is responsible for conducting regular audits to ensure compliance with this policy.
  • Employees and non-employees of Company are responsible and/or accountable for ensuring adherence to the terms of this policy in the course of their job duties.


Enforcement

A. Policy Violations: Violation of the policy will result in corrective action from the management. Disciplinary action will be consistent with the severity of the incident, as determined by the investigation, and may include, but is not limited to:

  • Loss of access privileges to information assets
  • Termination of employment or contract
  • Other actions deemed appropriate by management, the HR team, the Legal team and their relevant policies.
  • Violation of or deviation from the policy shall be reported to the CIO/CISO, and a security incident record has to be created for further investigation of the incident.

B. Enforcement: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

C. Policy Exceptions: Any exceptions to this policy have to be formally approved by the CIO/CISO.

Appendix 

Appendix A
Types of Information that Must be Classified as “Restricted/ Sensitive”

A. Authentication Information: Data used to prove the identity of an individual, system or service. Examples include the following:

  • Passwords
  • Cryptographic private keys
  • Shared secrets
  • Hash tables

B. Electronic Protected Health Information (‘ePHI’): Any protected health information (‘PHI’) that is stored in or transmitted by electronic media. Electronic media includes computer hard drives as well as removable or transportable media, such as a magnetic tape or disk, optical disk, or digital memory card.

Transmission is the movement or exchange of information in electronic form. Transmission media includes the internet, an extranet, leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media.

C. Payment Card Information (‘PCI’): It is defined as a credit card number in combination with one or more of the following data elements:

  • Cardholder name
  • CVC2, CVV2 or CID value
  • Service code
  • PIN or PIN block
  • Expiration date
  • Contents of a magnetic stripe

D. Personally Identifiable Information (‘PII’): Any information that can be used to distinguish or trace an individual's identity. It can be defined as a person’s first name or first initial and last name in combination with one or more of the following data elements (the list is not exhaustive and may include more elements):

  • Social Security Number (‘SSN’)
  • Financial account number in combination with a security code, access code or password that would permit access to the account
  • State-issued driver’s license number
  • State-issued identification card number
  • Medical and/or health insurance information