Data Classification & Standards Policy

This document outlines a data classification policy for an organization. It defines four categories of data from public to client confidential with increasing levels of sensitivity and required protection. The policy assigns responsibility for classification and requires all employees to comply.

Uploaded by

An Nguyen
Copyright
© All Rights Reserved

Invisible Technologies Data Classification & Standards Policy

In order to effectively secure Invisible Technologies’ data, team members must have a shared vocabulary
to describe the data and the corresponding protection it requires. This policy describes how company data
is classified and the levels of protection required for each classification.

Data Classification Standards

All Invisible Technologies information and all information entrusted to Invisible Technologies from third
parties falls into one of four classifications, in order of increasing sensitivity.

Category: Public
Description: Public information is not confidential and can be made public without any implications for Invisible Technologies.
Examples:
• Press releases
• Public website

Category: Internal
Description: Access to internal information is approved by management and is protected from external access.
Examples:
• Internal memos
• Design documents
• Product specifications
• Correspondences

Category: Company Confidential
Description: Information collected and used by Invisible Technologies to operate the business. Invisible Technologies must uphold the highest possible levels of integrity, confidentiality, and restricted availability for this information.
Examples:
• Legal documents
• Contractual agreements
• Team member PII
• Team member salaries

Category: Client Confidential
Description: Information received from clients for processing or storage by Invisible Technologies. Invisible Technologies must uphold the highest possible levels of integrity, confidentiality, and restricted availability for this information.
Examples:
• Client operating data
• Client PII
• Clients’ customers’ PII
• Anything subject to a confidentiality agreement with a client

Public

Public data is information that may be disclosed to any person regardless of their affiliation with Invisible
Technologies. The “public” classification is not limited to data that is of public interest or intended to be
distributed to the public; the classification applies to any data that does not require any level of protection
from disclosure.

While it might be necessary to protect original (source) documents from unauthorized modification, public
data may be shared with a broad audience both within and outside Invisible Technologies, and no steps
need be taken to prevent its distribution.

Internal

Internal data is information that is potentially sensitive and should not be shared with the public. Internal
data generally should not be disclosed outside of Invisible Technologies without the permission of Invisible
Technologies management. It is the responsibility of the data owner to designate information as internal
where appropriate.

Unauthorized access has the potential to influence Invisible Technologies’ operational effectiveness,
cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in client
confidence.

Company Confidential

Company confidential data is information that, if made available to unauthorized parties, might adversely
affect Invisible Technologies. This information is to be protected against unauthorized disclosure or
modification, and might be limited to executives, HR, and legal parties employed by or under contract with
Invisible Technologies. Company confidential data should be used only by pre-authorized parties and
should be protected both when it is in use and when it is being stored, processed, or transmitted.

Unauthorized access has the potential to influence Invisible Technologies’ operational effectiveness,
violate contractual confidentiality agreements, initiate a security incident, or cause a major drop in team
member, client, and industry confidence.

Client Confidential

Client confidential data is information that, if made available to unauthorized parties, may adversely affect
Invisible Technologies’ clients. This classification also includes data that Invisible Technologies is required
to keep confidential, either by law or under a confidentiality agreement with non-client third parties, such as
vendors. This information is to be protected against unauthorized disclosure or modification. Client
confidential data should be used only when necessary for business purposes with the permission of the
client and should be protected both when it is in use and when it is being stored, processed, or transmitted.

Unauthorized access has the potential to influence Invisible Technologies’ operational effectiveness,
violate contractual confidentiality agreements, initiate a security incident, or cause a major drop in both
client and industry confidence.

Scope

This data classification standard and policy is to be applied to all Invisible Technologies data, both physical
and electronic. No data item is too small to be classified.

Policy

• Invisible Technologies managers or information owners shall be responsible for assigning classifications
to information assets according to Invisible Technologies Data Classification Standards
• Whenever possible, clearly label each piece of information with its data classification
• All Invisible Technologies team members shall be guided by the information category in their handling of
all Invisible Technologies information

Non-Compliance

Since classifying data is an important part of protecting data and systems for Invisible Technologies, team
members who purposely violate this policy are subject to disciplinary action up to and including denial of
access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to
report it to their supervisor or other authorized representative.

Responsibility

The Security Team is responsible for communicating and upholding the Data Classification Policy and
Standards.

All team members are responsible for following the Data Classification Policy and Standards.
