Policy Template for Information Classification
1.0 Purpose
The purpose of this policy is to assist {{organization.name}} employees in determining what information can be disclosed to non-employees, as well as the relative sensitivity of the information that should not be disclosed outside of {{organization.name}} without proper authorization.
2.0 Scope
This policy covers all information assets owned and operated by {{organization.name}} including, but not limited to, information (electronic and non-electronic) and associated IT infrastructure such as software, networks, desktops, laptops and servers. Further, this policy is applicable to the owners, custodians and all users (employees, consultants and contractors) of such information assets.
3.0 High Level Policy
All information assets (electronic and non-electronic) shall have designated owners and shall be classified in accordance with the information classification guidelines stated in this document.
All {{organization.name}} employees, consultants and contractors who handle information in {{organization.name}}’s custody or under its control are responsible for understanding and implementing this policy.
Where a third party will be responsible for handling information on behalf of {{organization.name}}, the third party shall be required by contract to adhere to this policy prior to the sharing of information.
4.0 Detailed Policy
4.1 Asset Identification
All information and related IT assets in {{organization.name}} shall be clearly identified and owned. This shall include information assets, physical IT assets and IT services.
4.2 Data Handling Controls
All information at {{organization.name}} is subject to the handling standards documented in Data Handling Controls. That document provides instructions on how to manage low/medium/high (also known as public/sensitive/confidential) information and can be applied universally to documents, communications, secrets, systems, assets, devices, etc. Data Handling Controls are referenced by other policies as needed and provide the backbone for information management.
4.3 Asset Classification
{{organization.name}} shall classify, record and maintain an inventory of information assets. The asset inventory shall include a list of all information assets owned and operated by {{organization.name}} including, but not limited to, information in an electronic and non-electronic form.
The organization shall maintain an inventory of all information assets including details on asset ownership, classification and location. The asset inventory listing shall be reviewed and updated by management on an as-needed basis.
4.3.1 Information Classification
Information in a ‘final’ or published state that is either in the custody of or produced and owned by {{organization.name}} must be classified into one of the following three categories:
Public — Information that is not confidential and can be made public without any implications for the organization. Such information is available to the public, employees, consultants and contractors without any authorization.
Internal — Information that is available to employees and authorized non-employees (consultants and contractors) possessing a need to know for business-related purposes.
Confidential — Information that is sensitive within {{organization.name}} and is intended for use only by specified groups of employees. A breach of such information could cause serious embarrassment and possibly undermine public trust in the organization.
In some circumstances, confidential information may have to be disclosed to outsiders such as statutory auditors, external consultants, and regulatory and legislative bodies. The asset owner shall exercise due discretion in obtaining signed NDAs from such outsiders. Even after such disclosure, the classification remains ‘Confidential’ and does not become ‘Public’.
4.4 Asset Labelling and Handling
The information and its related assets shall be classified and clearly labelled so that all users are aware of the ownership and classification of the information.
Any information which is not explicitly classified shall be classified as “Confidential” by default, to avoid data leakage.
Information and its related IT assets shall be processed and stored strictly in accordance with the classification levels assigned to those assets. All information assets must be secured to meet the requirements of their respective classification levels.
Access to the information assets shall be the responsibility of a designated owner or custodian. All information classified as Internal or Confidential must have security controls applied which are sufficient to ensure that the information is accessible only to those users who are authorized for access.
Any disclosure or publication of information outside {{organization.name}} (to the media, press, etc.) shall be made explicitly by or through corporate communications and on the basis of authorization.