Information Classification Guide

Information classification will be used within xxxx to establish consistent access, modification, and data usage security controls. This standard defines classification levels (categories) and provides classification guidelines for all information, including information residing on computer files and documents generated from automated data as well as manual documents. It is each department’s responsibility to maintain appropriate security levels.

Category Definition:

Information may be categorized as:

·  Highly Sensitive

·  Sensitive

·  Company Sensitive

·  Public???

The following definitions and procedures have been established to provide all employees with uniform rules to access and handle corporate information. Once classified by a owner at a specific level, information is not to be reclassified to a lower level regardless of how it may be summarized or manipulated.

Highly Sensitive:

Information is considered highly sensitive if untimely disclosure could prevent reaching a major business objective, result in substantial financial loss, benefit a competitor, or harm the Corporate image. Examples of highly sensitive information might include customer credit information, business plans, marketing strategies, etc..

Highly sensitive information may not be accessed, copied, or communicated to others without the approvals of the owner, appropriate officer, or department head. Distribution or communication outside the Company is prohibited without appropriate officer or department head approval. Access shall be specifically defined by the owner on a nee-to-know basis. Owners of highly sensitive information will account for all documents distributed and will monitor all computer data accesses.

Documents containing highly sensitive information must be marked “Highly Sensitive” and are to be secured when not being used. Owners of this information must assure that documents and computer files are properly destroyed when they are no longer needed. Highly sensitive documents will be destroyed (shred) by the owner when no longer needed. Using an outside vendor for document destruction is not authorized.

Sensitive:

Information is considered sensitive if disclosure could reduce a competitive advantage, disrupt normal business processing, or generate customer or employee ill will.

Sensitive information is to be handled similar to highly sensitive information, however, sensitive information with proper management and information owner authorization may be sent outside the company (ie: to government agencies). Sensitive information must not be distributed or accessed without the information owner’s approval. Access may be defined by user or group. Distribution of sensitive documents will be reviewed annually. All computer data accesses will be monitored by the owner. All documents containing sensitive information will be marked “Sensitive” and are to be secured during non business hours. Information users will see that sensitive information is destroyed when no longer needed. The nature of these items may require that they be destroyed before leaving a department or the company.

Company Sensitive:

All information sources that are not identified as highly sensitive or sensitive are considered company sensitive. Documents generated from this category do not require special marking. However, this information is still proprietary and is restricted for use within the company on a need to know basis. Unmarked documents default to “company sensitive” status and may be treated as such unless the user knows the report should be secured at a higher level.

Company sensitive information may be distributed within the company with justification and information owner notification, however, distribution of information outside the company will require the information owner’s approval. Computer files may be allowed read access universally, only when a need is exhibited. Access violations will be monitored. Existing building security is adequate for protecting company sensitive documents.

Document Destruction:

Information Classification Guidelines: