This policy will assist employees and third parties in understanding the Company's information labeling and handling guidelines. The sensitivity level definitions were created as guidelines and emphasize common-sense steps that you can take to protect sensitive or confidential information (e.g., Confidential information should not be left unattended in conference rooms).
Information covered in this policy includes, but is not limited to, information that is received, stored, processed, or transmitted via any means. This includes electronic, hardcopy, and any other form of information regardless of the media on which it resides.
The acting information security officer and team will facilitate and maintain this policy and ensure all employees have reviewed and read the policy.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to Hamurlabs should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of the four classifications defined below (Restricted, Confidential, Internal Use, and Public); the three risk tiers that follow group Restricted and Confidential together because they share the highest tier of controls.
Data should be classified as Restricted or Confidential when the unauthorized disclosure, alteration, or destruction of that data could cause a serious or significant level of risk to Hamurlabs or its customers. Examples of Restricted or Confidential data include data protected by state or federal privacy regulations (e.g., PHI and PII) and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted and Confidential data.
Data should be classified as Internal Use when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to Hamurlabs or its customers. This includes proprietary, ethical, or privacy considerations. Data must be protected from unauthorized access, modification, transmission, storage or other use. This applies even though there may not be a civil statute requiring this protection. Internal Use Data is restricted to personnel who have a legitimate reason to access it. By default, all data that is not explicitly classified as Restricted/Confidential or Public data should be treated as Internal Use data. A reasonable level of security controls should be applied to Internal Use Data.
Data should be classified as Public when the unauthorized disclosure of that data would result in little or no risk to Hamurlabs and its customers. It is further defined as information with no existing local, national, or international legal restrictions on access or usage. While little or no control is required to protect the confidentiality of Public data, some level of control is still required to prevent unauthorized alteration or destruction of Public data, since a defaced or deleted public record can still harm the company.
The goal of information security, as stated in the Information Security Policy, is to protect the confidentiality, integrity, and availability of Corporate and Customer Data. Data classification reflects the level of impact to Hamurlabs if confidentiality, integrity, or availability is compromised. If a classification is not inherently obvious, consider each security objective using the following table as a guide. All data are to be assigned one of the following four sensitivity levels:
CLASSIFICATION | DESCRIPTION |
---|---|
RESTRICTED | Definition: Restricted information is highly valuable, highly sensitive business information and the level of protection is dictated externally by legal and/or contractual requirements. Restricted information must be limited to only authorized employees, contractors, and business partners with a specific business need. Potential Impact of Loss: SIGNIFICANT DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal or external to Hamurlabs. Impact could include negatively affecting Hamurlabs's competitive position, violating regulatory requirements, damaging the company's reputation, violating contractual requirements, and posing an identity theft risk. |
CONFIDENTIAL | Definition: Confidential information is highly valuable, sensitive business information and the level of protection is dictated internally by Hamurlabs. Potential Impact of Loss: SIGNIFICANT DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal or external to Hamurlabs. Impact could include negatively affecting Hamurlabs's competitive position, damaging the company's reputation, violating contractual requirements, and exposing the geographic location of individuals. |
INTERNAL USE | Definition: Internal Use information is information originating within or owned by Hamurlabs, or entrusted to it by others. Internal Use information may be shared with authorized employees, contractors, and business partners who have a business need, but may not be released to the general public, due to the negative impact it might have on the company's business interests. Potential Impact of Loss: MODERATE DAMAGE would occur if Internal Use information were to become available to unauthorized parties either internal or external to Hamurlabs. Impact could include damaging the company's reputation and violating contractual requirements. |
PUBLIC | Definition: Public information is information that has been approved for release to the general public and is freely shareable both internally and externally. Potential Impact of Loss: NO DAMAGE would occur if Public information were to become available to parties either internal or external to Hamurlabs. Impact would not be damaging or a risk to business operations. |
Handling Controls | Restricted | Confidential | Internal Use | Public |
---|---|---|---|---|
Non-Disclosure Agreement (NDA) | NDA is required prior to access by non-Hamurlabs employees. | NDA is recommended prior to access by non-Hamurlabs employees. | No NDA requirements | No NDA requirements |
Internal Network Transmission (wired & wireless) | Encryption is required, Instant Messaging is prohibited, and FTP is prohibited | Encryption is recommended, Instant Messaging is prohibited, and FTP is prohibited | No special requirements | No special requirements |
External Network Transmission (wired & wireless) | Encryption is required, Instant Messaging is prohibited, FTP is prohibited, and Remote access should be used only when necessary and only over VPN with two-factor authentication where available | Encryption is required, Instant Messaging is prohibited, and FTP is prohibited | Encryption is recommended, Instant Messaging is prohibited, and FTP is prohibited | No special requirements |
Data at Rest (file servers, databases, archives, etc.) | Encryption is required, Logical access controls are required to limit unauthorized use, and Physical access restricted to specific individuals | Encryption is recommended, Logical access controls are required to limit unauthorized use, and Physical access restricted to specific groups | Encryption is recommended, Logical access controls are required to limit unauthorized use, and Physical access restricted to specific groups | Logical access controls are required to limit unauthorized use, and Physical access restricted to specific groups |
Mobile Devices (iPhone, iPad, USB Drive, etc.) | Encryption is required, and Remote wipe must be enabled, if possible | Encryption is required, and Remote wipe must be enabled, if possible | Encryption is recommended, and Remote wipe should be enabled, if possible | No special requirements |
Email (with and without attachments) | Encryption is required, and Do not forward | Encryption is recommended, and Do not forward | Encryption is recommended, and Do not forward | No special requirements |
Physical Mail | Mark “Open by Addressee Only,” and Use “Certified Mail” and sealed, tamper-resistant envelopes for external mailings | Mark “Open by Addressee Only,” and Use “Certified Mail” and sealed, tamper-resistant envelopes for external mailings | Mail with company interoffice mail and US Mail or other public delivery systems | No special requirements |