1
0
mirror of https://github.com/strongdm/comply synced 2024-11-14 20:04:53 +00:00
comply/example/policies/classification.md
2018-05-09 18:02:33 -07:00

2.3 KiB
Raw Blame History

name: Data Classification Policy acronym: DCP satisfies: TSC: - CC9.9 majorRevisions:

  • date: Jun 1 2018 comment: Initial document

Background

This policy defines the high level objectives and implementation instructions for the organizations data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within the organization. Confidentiality and non-disclosure agreements maintained by the organization must reference this policy.

Purpose and Scope

  • This data classification policy defines the requirements to ensure that information within the organization is protected at an appropriate level.

  • This document applies to the entire scope of the organizations information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written.

  • This policy applies to all individuals and systems that have access to information kept by the organization.

References

  • Risk Assessment Policy
  • Security Incident Management Policy

Policy

  • If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.

  • If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.

  • When classifying information, the level of confidentiality is determined by:

    • The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (reference (a)).
    • Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
    • Legal, regulatory and contractual obligations.
  • Information must be classified based on confidentiality levels as defined in Table 1.