Information Classification & Handling Policy (A.8.2)

Information Classifications

A method for classifying information resources is essential in order to determine the appropriate controls for each asset, based on its business value and its sensitivity to disclosure. The classification determines how the information is handled and protected during storage, transmission and use, when it is shared, and when it is disposed of, whether it is printed or electronically stored.

Breezy provides and maintains its information technology resources for the primary purpose of conducting Breezy business. These systems are to be used in a professional, responsible, ethical, and legal manner at all times. All information stored, transmitted, used, shared or disposed of is the property of Breezy and does not belong to the individual using the data. Information classification provides a common understanding of the level of protection a specific information resource requires. This policy extends to third-party information retained or handled during Breezy business operations. Improper handling of information can result in serious financial loss, compromise of employee or business partner data, or loss of public trust.

By default, all unmarked or unclassified information should be considered as “Internal Use Only” until the owner of the information determines further classification.

Open

The unauthorized or accidental disclosure, or the loss, of information marked OPEN should have no serious or detrimental effect on the organization. Before using this classification, consider whether you are comfortable with all of your personnel, your clients and your competitors seeing the information.

Examples of information which may be classified as OPEN include, but are not limited to: press releases, white papers and research documents, certain policies and processes, and any other information openly shared with all employees, clients and competitors.

Information within this category is unlikely to require encryption, due to its nature, and therefore will not be subject to the Breezy Cryptographic Control Policy.

Sensitive

Information marked as SENSITIVE should be restricted to personnel within the organization and to trusted external individuals or organizations. External recipients should normally be under a contractual obligation, typically a Non-Disclosure Agreement (NDA), to protect this type of information, and should understand how it is to be protected.

Examples of information classified as SENSITIVE include, but are not limited to: service reports, performance data, certain contractual agreements, most policies and processes, company strategies and plans, details of forthcoming changes to products and services, and any other information which should not be shared with the entire client base or with a competitor.

Information within this category may require encryption, depending on the handling requirements set out under Information Handling below, and may therefore be subject to the Breezy Cryptographic Control Policy.

Confidential

Information marked as CONFIDENTIAL should be restricted to personnel within the organization or the owners of the information. Personnel will need specific training and contractual clauses in their employment terms and conditions to enforce non-disclosure of material outside of the organization.

Examples of information classified as CONFIDENTIAL include, but are not limited to: financial budgets and reports, and any other information not readily shared with clients, suppliers or anyone else outside of the organization.

Information within this category requires encryption and is therefore subject to the Breezy Cryptographic Control Policy.

Secret

Information marked as SECRET should be restricted to personnel within the organization or the owners of the information. Any external recipient of secret information should be under a contractual obligation of a Non-Disclosure Agreement (NDA) to protect this information type, and understand how it is to be protected. Personnel will need specific training and contractual clauses in their employment terms and conditions to enforce non-disclosure of material outside of the contracted organizations.

Examples of information classified as SECRET include remuneration, payroll and benefits details, user personally identifiable information (PII) and records in Software as a Service (SaaS) and managed hosting products, and any other information not “common knowledge” amongst the workforce.

Information within this category requires encryption and is therefore subject to the Breezy Cryptographic Control Policy.

Principles of Data Access

Access should only be provided to those who have a legitimate and justified information access need. Even if an individual holds an appropriate security clearance, clearance alone does not give automatic access to information of a corresponding classification: the information asset owner needs to grant and remove access based upon validated requirements.

New employees will have only the most basic access to information and IT facilities, which can then be modified based upon their progression or increased responsibilities in their career. When an employee changes position or department their access rights will be reviewed and adjusted accordingly. Employees who leave the company will have all their access rights revoked immediately.

Further information is given in the Access Control Policy.

Information Handling

| Handling Requirement | Open | Sensitive | Confidential | Secret |
| --- | --- | --- | --- | --- |
| Labeling of Printed Docs | Mandatory, at the top of the page. Pages to be numbered with total page count. | Mandatory, at the top of the page. Pages to be numbered with total page count. | Mandatory, at the top of the page. Pages to be numbered with total page count. | Mandatory, at the top of the page. Pages to be numbered with total page count. |
| Photocopying | No restrictions | With care; collect promptly | With care; collect promptly | With care; collect promptly |
| Transmission by Fax | Ensure fax confirmation is obtained | Contact recipient to confirm receipt | Prohibited | Prohibited |
| Sending by Post or Courier | No restrictions | Single envelope, marked with recipient's details | Signed-for service only. Double envelope, inner one marked appropriately. | Signed-for service only. Double envelope, inner one marked. Check for signs of tampering. |
| Transmitting by Email | No restrictions | NDA for external recipients; consider encryption | NDA for external recipients; encryption preferred | NDA for external recipients; encryption compulsory |
| Transmitting Over the Internet | No restrictions | NDA for external recipients; consider encryption | NDA for external recipients; encryption preferred | NDA for external recipients; encryption compulsory |
| Access on Mobile Devices in Public Places | Take care to avoid possible eavesdropping | Not recommended; avoid if possible | Prohibited | Prohibited |
| Information when Traveling | Care should be taken | Care should be taken; documents and equipment not to be left unattended | Extra care should be taken. Carry on person; only leave data in properly secured storage. | Extra care should be taken. Carry on person; only leave data in properly secured storage. |
| Printing of Information | No restrictions | With care; collect promptly | With care, and only to a printer in the immediate vicinity | With care, and only to a printer in the immediate vicinity |
| Storage of Info in Printed Form | No restrictions | Dependent on specific content | Locked drawer, filing cabinet, or safe | Locked drawer, filing cabinet, or safe |
| Disposal of Info in Printed Form | Recycling | Shredding | Shredding (cross-cut) | Shredding (cross-cut) |
| Reporting Loss, Theft, or Compromise | Not required | Raise an Information Security Incident | Raise an Information Security Incident | Raise an Information Security Incident |
| Disposal, Recycling, and Reuse of Magnetic or Flash Storage | Delete all data | Use a DoE-compliant 3-pass (or higher) erase method in macOS Disk Utility prior to disposal, recycling, or reuse. | Use a DoE-compliant 3-pass (or higher) erase method in macOS Disk Utility prior to disposal, recycling, or reuse. | Use a DoE-compliant 3-pass (or higher) erase method in macOS Disk Utility prior to disposal, recycling, or reuse. |

Note on flash storage: Disk Utility does not offer multi-pass secure-erase options for solid-state drives, and overwrite passes are not a reliable sanitization method for flash media because wear levelling can leave old blocks untouched. For SSDs and other flash storage, the effective equivalent of the overwrite requirement is to keep the device encrypted (FileVault) throughout its life and erase the encrypted volume at disposal so that the key is destroyed.
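The storage-disposal requirement above is the one step on this page a technician actually types into a shell, and the command that implements it (`diskutil secureErase`) is destructive and easy to point at the wrong disk. The following pre-flight check is an added example, not part of the Breezy policy: it parses the output of `diskutil info <disk>` and refuses anything that is not a whole, external device, routes flash media to cryptographic erase rather than overwriting, and only for an external magnetic disk prints the policy's 3-pass overwrite command (`diskutil secureErase 4`, where level 4 is the US DoE 3-pass algorithm in diskutil's own level list). The `diskutil info` field names used ("Whole", "Device Node", "Device Location", "Solid State") and the sample outputs are assumptions constructed from recent macOS releases; verify them against your own machine before relying on the script.

```shell
#!/usr/bin/env bash
# Added example (not part of the Breezy policy): pre-flight check for the
# "Disposal, Recycling, and Reuse of Magnetic or Flash Storage" row.
# Reads `diskutil info <disk>` output and decides whether the policy's
# multi-pass overwrite (diskutil secureErase level 4 = US DoE 3-pass) applies.
# Assumption: field names below are as printed by recent macOS; check them.

# Constructed sample output standing in for `diskutil info disk4` (external HDD).
SAMPLE_EXTERNAL_HDD='   Device Identifier:         disk4
   Device Node:               /dev/disk4
   Whole:                     Yes
   Device Location:           External
   Removable Media:           Removable
   Solid State:               No'

# Constructed sample output standing in for `diskutil info disk0` (internal SSD).
SAMPLE_INTERNAL_SSD='   Device Identifier:         disk0
   Device Node:               /dev/disk0
   Whole:                     Yes
   Device Location:           Internal
   Removable Media:           Fixed
   Solid State:               Yes'

# Constructed sample for a partition on an external SSD (not the whole device).
SAMPLE_EXTERNAL_SSD_PART='   Device Identifier:         disk5s1
   Device Node:               /dev/disk5s1
   Whole:                     No
   Device Location:           External
   Removable Media:           Removable
   Solid State:               Yes'

# field INFO LABEL: print the value that follows "LABEL:", whitespace trimmed.
field() {
    printf '%s\n' "$1" | awk -F':' -v key="$2" '{
        k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
        if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
    }'
}

# erase_plan INFO: classify the device and print exactly one token:
#   REFUSE-NOT-WHOLE  a partition or volume was given, not the whole device
#   REFUSE-INTERNAL   an internal (e.g. boot) disk; never wipe these from a script
#   CRYPTO-ERASE      flash media: wear levelling makes overwrite passes unreliable,
#                     so erase the FileVault/APFS-encrypted volume (destroying the
#                     key) instead of overwriting
#   OVERWRITE-DOE3    external magnetic disk: the policy's 3-pass overwrite applies
erase_plan() {
    local info="$1"
    if [ "$(field "$info" "Whole")" != "Yes" ]; then echo "REFUSE-NOT-WHOLE"; return 0; fi
    if [ "$(field "$info" "Device Location")" != "External" ]; then echo "REFUSE-INTERNAL"; return 0; fi
    if [ "$(field "$info" "Solid State")" = "Yes" ]; then echo "CRYPTO-ERASE"; return 0; fi
    echo "OVERWRITE-DOE3"
}

# erase_command INFO: the command the technician should run, or nothing when the
# disk is refused or needs cryptographic erase rather than overwriting.
erase_command() {
    local info="$1"
    if [ "$(erase_plan "$info")" = "OVERWRITE-DOE3" ]; then
        # level 4 = "US DoE algorithm 3-pass secure erase" in diskutil secureErase
        echo "diskutil secureErase 4 $(field "$info" "Device Node")"
    fi
    return 0
}

# On a Mac, `./check.sh disk4` reports the plan; the script never runs the erase.
if [ -n "$1" ] && command -v diskutil >/dev/null 2>&1; then
    info=$(diskutil info "$1")
    echo "plan: $(erase_plan "$info")"
    cmd=$(erase_command "$info")
    if [ -n "$cmd" ]; then echo "run:  $cmd"; fi
fi
```

The refusal of internal disks is deliberate: an end-of-life laptop's internal drive should be handled by the cryptographic-erase path (erase the encrypted volume, or the whole device from Recovery), not by a script that can be run against the disk it is booted from. The script only prints the erase command; a human confirms the device identifier and runs it.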

Data Storage and Classification

All critical business information and critical software on Breezy information resources must be periodically backed up. Business owners are responsible for identifying backup schedules and for determining the scope of information to be backed up. Users are not responsible for backing up their critical files and should rely on Infrastructure to back up their network home directories and all critical data files.

Retention of old, outdated, or incorrect information can cause business complications and confusion and places Breezy at risk for liabilities if the information is inadvertently disclosed. Therefore, Breezy employees should not retain data that is no longer relevant to Breezy business operations, unless retention is required for some other reason (such as financial information for audits).

For additional guidance on data storage, please refer to the Breezy HR Information Backup Policy.