Archive for the 'Data Classification Policy' Category
Information Security Classification Policy

There’s a helpful draft Information Security Classification Policy from Rutgers University here.

They define three classification levels. Here’s an excerpt:

Restricted Data

Restricted data is the most sensitive information and requires the highest level of protection. This information is usually described as “non-public information” about people and under the purview of a Data Custodian. Restricted data also includes data that Rutgers is required to protect under regulatory or legal requirements. Examples include student or employee identifiable information (i.e., Social Security Number, birth date, driver’s license number, etc.), financial records, medical records, legal records, student records, police records, and credit card information. Unauthorized disclosure of restricted information could result in adverse legal, financial or reputational impact upon the University.

Sensitive Data

Sensitive data is information that business units may decide to share with other units outside their administrative control for the purpose of collaboration. This information is not information that meets the requirements of “non-public” information. Examples include data created by the department, research data, and project data. Loss of this information could cause harm to the University’s image or reputation, but would not necessarily violate existing laws or regulations.

Public Data

Most Rutgers information falls into this classification under the “New Jersey Right to Know” law, is suitable for public dissemination and is accessible to anyone in the world. Examples include public web pages, course listings, press releases, marketing brochures, etc. While the requirements for protection of public data are less than those for Restricted and Sensitive data, sufficient controls must be maintained to protect against unauthorized modification of data.

Check it out!

Data Classification Policy Template

The Hawaii Health Information Corporation has a good data classification policy template here.

A very helpful part of this template is the classification labels section. Here’s an excerpt:

CLASSIFICATION LABELS

Public: This classification applies to information that is available to the general public and intended for distribution outside the organizations. This information may be freely disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases.

For Internal Use Only: This classification applies to all other information that does not clearly fit into the other classifications. The unauthorized disclosure, modification or destruction of this information is not expected to seriously or adversely impact the organization, its patients, its employees, or its business partners. Examples include the company telephone directory, new employee training materials, and internal policy manuals.

Confidential: This classification applies to information that is intended for use within the organization. Its unauthorized disclosure could adversely impact the organization, its patients, its employees and its business partners. Information that some people would consider private is included in this classification. Examples include medical information (except that which is restricted confidential), patient medical charts, appointment schedules, patient account records, department financial data, purchasing information, vendor contracts.

Restricted Confidential: This classification applies to the most sensitive medical and business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its patients, its employees and its business partners. Examples include statutorily protected medical information such as mental health treatment, HIV testing, sexually transmitted diseases, abortion, and alcoholism or substance abuse treatment data. Other examples are merger and acquisition documents, corporate level strategic plans, and litigation strategy memos.

An archive of the template is here: Data Classification Policy Template

Check it out!

Data Classification Matrix

Total Enterprise Security Solutions has a great data classification matrix here.

This matrix would make a good appendix to your Data Classification Policy.

It categorizes data into non-sensitive (non-controlled and controlled) and sensitive (critical information and restricted information). It also has examples and criteria for each category plus ten handling standards:

  • Release to Third Parties Standards
  • Transmission by Post, Fax and E-mail Standards
  • Transmission by Spoken Word Standards
  • Print, Film, Fiche, Video Standards
  • Copying Standards
  • Storage Standards
  • Destruction Standards
  • Physical Security Standards
  • Access Control Standards
  • Audit Standards

An archive of the data classification matrix is here: Data Classification Matrix

Very useful info–check it out!

Sample Data Classification Policy

The Hawaii Health Information Corporation has a sample data classification policy here.

Here’s an excerpt:

A. [COMPANY]’s data classification system has been designed to support the “need to know” principle so that information may be protected from unauthorized disclosure, use, modification, and deletion. Consistent use of this data classification system will facilitate business activities and help keep the costs for information security to a minimum. Without the consistent use of this data classification system, [COMPANY] unduly risks loss of customer relationships, loss of public confidence, internal operational disruption, excessive costs, and competitive disadvantage.

B. This data classification policy is applicable to all information in the [COMPANY]’s possession. Example information such as medical records on patients, confidential information from suppliers, business partners and others are protected under this data classification policy. No distinctions between the word “data”, “information”, “knowledge,” and “wisdom” are made for purposes of this policy.

An archive of the file can be found here: Sample Data Classification Policy

Very useful sample–check it out!

Data Classification Policy

There’s a useful example of a Data Classification Policy from George Washington University here.

They have only three categories of information, and responsibility for implementing the policy is delegated to the departments of the University. Here’s an excerpt:

Data owned, used, created or maintained by the University is classified into the following three categories:

  • Public
  • Official Use Only
  • Confidential

Departments should carefully evaluate the appropriate data classification category for their information.

When provided in this policy, examples are illustrative only, and serve as identification of implementation practices rather than specific requirements. Nothing in this policy is intended to identify a restriction on the right of departments to require policies and/or procedures in addition to the ones identified in this document.

An archived copy of the policy is here.