Data Classification Standard
Purpose
This standard defines the handling requirements for data according to its classification level.
Scope
This standard applies to all Uncanny Software employees.
Standard Statement
NIST Special Publication 800-88, “Guidelines for Media Sanitization”, defines the terms and methods for sanitizing hard drives and other media.
SENSITIVE
Examples
- Social Security numbers, full and truncated
- Driver's license and other government identification numbers
- Background check reports
- Biometrics
- Financial information, medical information, disability information
- Law enforcement information, employment information, educational information, and military records
- Merger and acquisition documents
- Corporate-level strategic plans
- Vulnerability assessment reports
- Pending merger, acquisition or divestiture plans
- Credit card or debit card numbers
Handling Requirements
- Send by secure email using PGP encryption, or TLS combined with file-level encryption of the attachment
- Transfer file-level encrypted information only over VPN, SSH or SFTP
- Mail via a registered mail service and request a tracking number
- Print only when necessary and cross-cut shred the hardcopy when it is no longer needed
- Do not store on removable media, and do not fax without a proper cover sheet
- Ensure applications used encrypt data in transit with TLS
- Scanned documents must be stored securely
- Access must be restricted to authorized individuals. An NDA must be in place before the information is disclosed
CONFIDENTIAL
Examples
- Employee performance evaluations
- Customer transaction data
- Strategic alliance agreements
- Computer passwords
- Internal audit reports
- Regulatory exam reports
- Business unit strategic operating plans or budgets
- Business Continuity Plans and Disaster Recovery Plans
- Customer contracts
- Voicemail messages
- Encryption keys or passwords
- Network design documents
Handling Requirements
- Send by secure email using TLS
- Consider file-level encryption for information sent
- Transfer information only over VPN, SSH or SFTP
- Mail via an approved provider
- Print only when necessary and cross-cut shred the hardcopy when it is no longer needed
- Do not store on removable media
- Ensure applications used encrypt data in transit with TLS
- Scanned documents must be stored securely
- Access must be restricted to authorized individuals. An NDA must be in place before the information is disclosed
PRIVATE
Examples
- Employee training materials
- Application source code
- Internal policy manuals
- Reports or working papers
- Company demographics
- Equipment inventories
Handling Requirements
- Send by secure email using TLS
- Transfer information over SSH or SFTP
- Ensure applications used encrypt data in transit with TLS
- Access is generally unrestricted for individuals within the company. The information must not be accessible to the general public
PUBLIC
Examples
- Product and service brochures
- Advertisements
- Job opening announcements
- Press releases
Handling Requirements
- Send by secure email using TLS
- Access is unrestricted. The information is intended for release to the general public, but only through approved channels
Violations
Any violation of this standard may result in disciplinary action, up to and including termination of employment.
Any employee or partner who is asked to undertake an activity that he or she believes violates this standard must report it, in writing or verbally, to his or her manager, to any other manager, or to the Human Resources Department as soon as possible.
References
ISO/IEC 27002:2013 - 8.2.1 Classification of Information
ISO/IEC 27002:2013 - 8.2.2 Labelling of Information
Related Documents
Revision History
Last updated