Information Classification Policy
Purpose
This policy provides the basis for protecting the confidentiality of data at Uncanny Software by establishing a data classification system. Further policies and standards will specify handling requirements for data based on their classification.
Scope
This policy applies to all Uncanny Software computer systems and facilities, with a target audience of all employees and partners.
Policy
Asset Ownership
Information Ownership - All production information possessed by or used by a particular organizational unit must have a designated Information Owner who is responsible for determining appropriate sensitivity classifications and criticality ratings, making decisions about who can access the information, and ensuring that appropriate controls are utilized in the storage, handling, distribution, and regular usage of information.
Information Technology Department Ownership Responsibility - With the exception of operational computer and network information, the Information Technology Department must not be the Owner of any production business information.
Asset Classification
Four-Category Data Classification - All Uncanny Software data must be broken into the following four sensitivity classifications: SENSITIVE, CONFIDENTIAL, PRIVATE, and PUBLIC. Distinct handling and review procedures must be established for each classification.
Data Classification Descriptions - The following descriptions are used for identifying and labeling each sensitivity classification for all Uncanny Software information.
SENSITIVE
This classification label applies to the most sensitive business information that is intended for use strictly within Uncanny Software. Its unauthorized disclosure could seriously and adversely impact Uncanny Software or its customers, business partners, suppliers, or its employees. Examples include personally identifiable information (PII), merger and acquisition documents, corporate-level strategic plans, banking information, business continuity plans, and vulnerability assessment reports.
CONFIDENTIAL
This classification label applies to less-sensitive business information that is intended for use within Uncanny Software. Its unauthorized disclosure could adversely impact Uncanny Software or its customers, suppliers, business partners, or its employees. Information that some people would consider to be private is included in this classification. Examples include employee performance evaluations, customer transaction data, strategic alliance agreements, computer passwords, and internal audit reports.
PRIVATE - FOR INTERNAL USE ONLY
This classification label applies to all other information that does not clearly fit into the previous two classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact Uncanny Software or its employees, suppliers, business partners, or its customers. Examples include the Uncanny Software telephone directory, employee training materials, source code, and internal policy manuals.
PUBLIC
This classification applies to information that has been approved by Uncanny Software management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information, and it may be disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases.
Default Classification - Information without a label is by default classified as PRIVATE - FOR INTERNAL USE ONLY.
Asset Labeling
Assigning Data Classification Labels - For all existing production information types, the Information Owner is responsible for choosing an appropriate data classification label to be used by all workers who create, compile, alter, or procure production information.
Multiple Classification Labeling - When information of various sensitivity classifications is combined, the resulting collection of information must be classified at the most restricted level found anywhere in the sources.
Data Classification Labeling - All sensitive, confidential, and private information must be labeled according to policies and standards issued by the Information Security Department. Information not falling into any of these categories need not be labeled.
Labels For Externally-Supplied Information - With the exception of general business correspondence and copyrighted software, all externally-provided information that is not clearly in the public domain must receive an Uncanny Software data classification label. The Uncanny Software worker who receives this information is responsible for assigning an appropriate classification on behalf of the external party.
Declassification And Downgrading
Notifications - The designated Information Owner may, at any time, declassify or downgrade the classification of information entrusted to his or her care. To do so, the Owner must change the classification label appearing on the original document and notify all known recipients.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Uncanny Software reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Uncanny Software does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Uncanny Software reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the Human Resources Department as soon as possible.
Definitions
Confidential Information (Sensitive Information) - Any Uncanny Software information that is not publicly known, including tangible and intangible information in all forms, such as information that is observed or orally delivered, is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs and pricing, and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by Uncanny Software from a third party under a non-disclosure agreement.
Information Asset - Any Uncanny Software data in any form, and the equipment used to manage, process, or store Uncanny Software data, that is used in the course of executing business. This includes, but is not limited to, corporate, customer, and partner data.
Partner - Any non-employee of Uncanny Software who is contractually bound to provide some form of service to Uncanny Software.
References
ISO/IEC 27002:2013 - 8.2 Information classification
ISO/IEC 27002:2013 - 8.2.1 Classification of information
ISO/IEC 27002:2013 - 8.2.2 Labelling of information
ISO/IEC 27002:2013 - 18.1.4 Privacy and protection of personally identifiable information
Related Documents
Revision History
Last updated