Breezy HR Security Documentation

At Breezy HR, we’re committed to information security and privacy.

Information Classification & Handling Policy (A.8.2)

Information Classifications

A method for classifying information resources is essential in order to determine appropriate controls based on the relative business value of those assets or their sensitivity to disclosure. The information classification assists in determining how information, both printed and electronically stored, will be handled and protected during storage, transmission and use, and when it is shared or disposed of, based on the sensitivity of the data.

Breezy provides and maintains its information technology resources for the primary purpose of conducting Breezy business. These systems are to be used in a professional, responsible, ethical, and legal manner at all times. All information stored, transmitted, used, shared or disposed of is the property of Breezy and does not belong to the individual using the data. Information classification provides a common understanding of the level of protection a specific information resource requires. This policy extends to third-party information retained or handled during Breezy business operations. Improper handling of information can result in serious financial loss, compromise of employee or business partner data, or loss of public trust.

By default, all unmarked or unclassified information should be considered as “Internal Use Only” until the owner of the information determines further classification.

Open

Information marked as OPEN should have no serious or detrimental effect on an organization in the event of its unauthorized or accidental disclosure or its loss. Consider whether you are comfortable with all of your personnel, your clients and your competitors seeing this information before using this classification.

Examples of information which may be classified as OPEN include, but are not limited to: press releases, white papers and research documents, certain policies and processes, and any other information openly shared with all employees, clients and competitors.

Information within this category is unlikely to require encryption, due to its nature, and therefore will not be subject to the Breezy Cryptographic Control Policy.

Sensitive

Information marked as SENSITIVE should be restricted to personnel within the organization itself, and trusted external individuals or organizations. Typically the external elements should be under a contractual obligation of a Non-Disclosure Agreement (NDA) to protect this information type, and understand how it is to be protected.

Examples of information classified as SENSITIVE include, but are not limited to: service reports, performance data, certain contractual agreements, most policies and processes, company strategies and plans, details of forthcoming changes to products and services, and any other information which should not be shared with the entire client base or a competitor.

Information within this category may require encryption, dependent on the information in the Information Classification and Handling Policy, and therefore may be subject to the Breezy Cryptographic Control Policy.

Confidential

Information marked as CONFIDENTIAL should be restricted to personnel within the organization or the owners of the information. Personnel will need specific training and contractual clauses in their employment terms and conditions to enforce non-disclosure of material outside of the organization.

Examples of information classified as CONFIDENTIAL include, but are not limited to: financial budgets and reports, and any other information not readily shared with clients, suppliers or anyone else outside of the organization.

Information within this category requires encryption and is therefore subject to the Breezy Cryptographic Control Policy.

Secret

Information marked as SECRET should be restricted to personnel within the organization or the owners of the information. Any external recipient of secret information should be under a contractual obligation of a Non-Disclosure Agreement (NDA) to protect this information type, and understand how it is to be protected. Personnel will need specific training and contractual clauses in their employment terms and conditions to enforce non-disclosure of material outside of the contracted organizations.

Examples of information classified as SECRET include remuneration, payroll and benefits details, user personally identifiable information (PII) and records in Software as a Service (SaaS) and managed hosting products, and any other information not “common knowledge” amongst the workforce.

Information within this category requires encryption and is therefore subject to the Breezy Cryptographic Control Policy.

Principles of Data Access

Access should only be provided to those who have a legitimate and justified information access need. Even if an individual holds an appropriate security clearance, clearance alone does not give automatic access to information of a corresponding classification: the information asset owner needs to grant and remove access based upon validated requirements.

New employees will have only the most basic access to information and IT facilities, which can then be modified based upon their progression or increased responsibilities in their career. When an employee changes position or department their access rights will be reviewed and adjusted accordingly. Employees who leave the company will have all their access rights revoked immediately.

Further information is given in the Access Control Policy.

Information Handling

Data Storage and Classification

All critical business information and critical software on Breezy information resources must be periodically backed up. Business owners are responsible for identifying backup schedules and for determining the scope of information to be backed up. Users are not responsible for backing up their critical files and should rely on Infrastructure to back up their network home directories and all critical data files.

Retention of old, outdated, or incorrect information can cause business complications and confusion and places Breezy at risk for liabilities if the information is inadvertently disclosed. Therefore, Breezy employees should not retain data that is no longer relevant to Breezy business operations, unless retention is required for some other reason (such as financial information for audits).

For additional guidance on data storage, please refer to the Breezy HR Information Backup Policy.
