Data Classification Policy Template

STATEMENT

The aim of this Policy is to enable the business to operate effectively and efficiently, to comply with legislation, regulations, information standards (ISO/IEC27001, PCI-DSS, CE & CE Plus) and good practice, and to safeguard information and data against potential loss by theft, malicious or accidental damage, or breach of privacy or confidentiality.

PURPOSE

The purpose of this policy is to define data classification schema within {company_name}. {company_name} provides fast, efficient and cost effective information security and penetration testing services. It is critical for {company_name} to set the standard for the protection of information assets from unauthorised access and compromise or disclosure. {company_name} has adopted this data classification policy to help manage and protect its information assets.

All {company_name} staff share in the responsibility for ensuring that {company_name} information assets receive an appropriate level of protection by observing this Information Classification policy:

  • Company Managers or information ‘owners’ shall be responsible for assigning classifications to information assets according to the standard information classification system presented below. (‘Owners’ have approved management responsibility. ‘Owners’ do not have property rights.)
  • Where practicable, the information category shall be embedded in the information itself.
  • All {company_name} staff shall be guided by the information category in their security-related handling of Company information.
  • All Company information and all information entrusted to Company from third parties falls into one of four classifications in the table below, presented in order of increasing sensitivity.

SCOPE

This policy covers all information assets present at {company_name}.

POLICY

Unclassified/Public/None

Information is not confidential and can be made public without any implications for {company_name}. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. This covers documents in the public domain available from our website, our support desk and our social media channels. Examples include:

  • Product brochures widely distributed
  • Information widely available in the public domain, including publicly available Company web site areas
  • Sample downloads of Company software that is for sale
  • Financial reports required by regulatory authorities
  • Newsletters for external transmission

Internal Use {replace_with_your_term}

Information is not confidential but should not be made public. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital.

Examples include:

  • Internal control documents

Client Confidential {replace_with_your_term}

Information received from clients in any form for processing in production by {company_name}. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital.

Client data:

  • All customer data including sales, testing, consultative and accounts data and accounts and account management
  • All back office support data on client calls and any specific communication to clients

Confidential {replace_with_your_term}

Information collected and used by {company_name} in the conduct of its business to employ people, to log and fulfil client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital.

  • Salaries and other personnel data
  • Accounting data and internal financial reports
  • Confidential customer business data and confidential contracts
  • Non-disclosure agreements with clients/vendors
  • Company business plans

COMPLIANCE

Compliance Measurement

The {company_name} Team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exceptions to the policy must be approved by the CEO in advance.

Non-Compliance

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.