Data Classification Policy Template

Posted by Peter Bassill on 05/01/2021


STATEMENT
The aim of this policy is to enable the business to operate effectively and efficiently, to comply with legislation, regulations, information security standards (ISO/IEC 27001, PCI DSS, Cyber Essentials (CE) and CE Plus) and good practice, and to safeguard information and data against loss through theft, malicious or accidental damage, or breach of privacy or confidentiality.
PURPOSE
The purpose of this policy is to define the data classification schema used within {company_name}. {company_name} provides fast, efficient and cost-effective information security and penetration testing services. It is critical for {company_name} to set the standard for protecting information assets from unauthorised access, compromise or disclosure. {company_name} has adopted this data classification policy to help manage and protect its information assets.
All {company_name} staff share in the responsibility for ensuring that {company_name} information assets receive an appropriate level of protection by observing this information classification policy:

Company managers or information ‘owners’ shall be responsible for assigning classifications to information assets according to the standard information classification system presented below. (‘Owners’ have approved management responsibility for the information; ‘owners’ do not have property rights in it.)
Where practicable, the information category shall be embedded in the information itself (for example, as a marking in the document header or footer, the file name, or the file metadata).
All {company_name} staff shall be guided by the information category in their security-related handling of Company information.
All Company information, and all information entrusted to the Company by third parties, falls into one of the four classifications described below, presented in order of increasing sensitivity.

SCOPE
This policy covers all information assets held, processed or created by {company_name}, in any form and on any medium.
POLICY
Unclassified/Public/None
Information that is not confidential and can be made public without any adverse implications for {company_name}. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. This class covers documents already in the public domain, such as those available from our website, our support desk and our social media channels. Examples include:

Product brochures widely distributed
Information widely available in the public domain, including publicly available Company web site areas
Sample downloads of Company software that is for sale
Financial reports required by regulatory authorities
Newsletters for external transmission

Internal Use {replace_with_your_term}
Information that is not confidential but should not be made public. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. This class covers material intended for use within {company_name} only and not published through our website, our support desk or our social media channels. Examples include:

Internal control documents

Client Confidential {replace_with_your_term}
Information received from clients, in any form, for processing by {company_name} in the course of its work. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality and restricted availability are vital. Examples of client data include:

All client data, including sales, testing, consultancy, accounts and account-management data
All back-office support data on client calls and any specific communication with clients

Confidential {replace_with_your_term}
Information collected and used by {company_name} in the conduct of its business, for example to employ people, to log and fulfil client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the Company. The highest possible levels of integrity, confidentiality and restricted availability are vital. Examples include:

Salaries and other personnel data
Accounting data and internal financial reports
Confidential customer business data and confidential contracts
Non-disclosure agreements with clients/vendors
Company business plans

COMPLIANCE
Compliance Measurement
The {company_name} team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exceptions to the policy must be approved by the CEO in advance.
Non-Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
