Information Classification and Management Policy

Purpose

The purpose of the Cyber Sentinel (Kaleidotech Investments) Information Classification and Management Policy is to provide a system for classifying and managing Information Resources according to the risks associated with their storage, processing, transmission, and destruction.

Audience

The Cyber Sentinel (Kaleidotech Investments) Information Classification and Management Policy applies to any individual, entity, or process that interacts with any Cyber Sentinel (Kaleidotech Investments) Information Resource.

Contents

Information Classification

Information Handling

Information Retention & Destruction

Responsibilities

Information User

  • The person, organization or entity that interacts with Information for the purpose of performing an authorized task.
  • Has a responsibility to use Information in a manner that is consistent with the purpose intended and in compliance with policy.

Information Owner

  • The person responsible for, or dependent upon, the business process associated with an information resource.
  • Is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.
  • Determines the appropriate value and classification of information generated by the owner or department.
  • Must communicate the information classification when the information is released outside of the department and/or Cyber Sentinel (Kaleidotech Investments).
  • Controls access to their information and must be consulted when access is extended or modified.
  • Must communicate the information classification to the Information Custodian so that the Information Custodian may provide the appropriate levels of protection.
  • Must periodically review their information to ensure the proper classification is applied.

Information Custodian

  • Maintains the protection of Information according to the information classification associated with it by the Information Owner.
  • Delegated by the Information Owner and is usually Information Technology personnel.

Policy

Information Classification

  • Information owned, used, created or maintained by Cyber Sentinel (Kaleidotech Investments) should be classified into one of the following three categories:
    • Public
    • Internal
    • Confidential
  • Public Information:
    • Is information that may or must be open to the general public.
    • Has no existing local, national, or international legal restrictions on access or usage.
    • While subject to Cyber Sentinel (Kaleidotech Investments) disclosure rules, is available to all Cyber Sentinel (Kaleidotech Investments) employees and all individuals or entities external to the corporation.

Examples of Public Information include:

  • Publicly posted press releases,
  • Publicly available marketing materials,
  • Publicly posted job announcements.
  • Internal Information:
    • Is information that must be guarded due to proprietary, ethical, or privacy considerations.
    • Must be protected from unauthorized access, modification, transmission, storage or other use; this protection applies even where no civil statute requires it.
    • Is restricted to personnel designated by Cyber Sentinel (Kaleidotech Investments), who have a legitimate business purpose for accessing such Information.

Examples of Internal Information include:

  • Employment Information,
  • Business partner information where no more restrictive confidentiality agreement exists,
  • Internal directories and organization charts,
  • Planning documents.
  • Confidential Information:
    • Is information protected by statutes, regulations, Cyber Sentinel (Kaleidotech Investments) policies or contractual language. Information Owners may also designate Information as Confidential.
    • Is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.
    • Disclosure to parties outside of Cyber Sentinel (Kaleidotech Investments) must be authorized by executive management, approved by the Director of Information Technology and/or General Counsel, or covered by a binding confidentiality agreement.

Examples of Confidential Information include:

  • Customer data shared and/or collected during the course of a consulting engagement,
  • Financial information, including credit card and account numbers,
  • Social Security Numbers,
  • Personnel and/or payroll records,
  • Any Information identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction,
  • Any Information belonging to a Cyber Sentinel (Kaleidotech Investments) customer that may contain personally identifiable information,
  • Patent information.

Information Handling

  • All Information should be labelled according to the Cyber Sentinel (Kaleidotech Investments) Labelling Standard.
  • Public:
    • Disclosure of Public Information must not violate any pre-existing, signed non-disclosure agreements.
  • Internal:
    • Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
    • Must be protected by a confidentiality agreement before access is allowed.
    • Must be stored in a closed container (e.g. a file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.
    • Is the “default” classification level if one has not been explicitly defined.
  • Confidential:
    • When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords as defined in the Authentication Standard.
    • When stored on mobile devices and media, must be encrypted.
    • Must be encrypted at rest.
    • Must be stored in a locked drawer, room, or area where access is controlled by a cipher lock and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
    • Must not be transferred via insecure communication channels, including, but not limited to:
      • Unencrypted email
      • Text messaging
      • Instant Messaging
      • Unencrypted FTP
      • Mobile devices without encryption
    • When sent via fax, must be sent only to a previously established and used address or one that has been verified as being in a secured location.
    • When transmitted via USPS or other mail service, must be enclosed in a sealed security envelope.
    • Must not be posted on any public website.
    • Cyber Sentinel (Kaleidotech Investments) Management must be notified in a timely manner if Information classified as Confidential has been or is suspected of being lost or disclosed to unauthorized parties.

Information Retention & Destruction

  • All information stored by Cyber Sentinel (Kaleidotech Investments) must be stored in accordance with the Cyber Sentinel (Kaleidotech Investments) Data Retention Schedule.
  • All information maintained by Cyber Sentinel (Kaleidotech Investments) must include a documented timestamp or include a timestamp as part of metadata.
  • Information that is no longer required to be maintained by Cyber Sentinel (Kaleidotech Investments) is classified as “Expired” and must be destroyed in accordance with the Cyber Sentinel (Kaleidotech Investments) Media Reuse and Destruction Standard.
  • Information owners should be consulted prior to information destruction and may have the opportunity to extend Information expiration, given business needs and/or requirements for the extended retention.
  • Cyber Sentinel (Kaleidotech Investments) customers may have their own information retention requirements that supersede Cyber Sentinel (Kaleidotech Investments)’s requirements. Such customer requirements should be documented in contractual language.


Definitions

See Appendix A: Definitions

References

  • ISO 27002: 8, 14, 18
  • NIST CSF: ID.AM, PR.DS, PR.IP
  • Authentication Standard
  • Data Retention Schedule
  • Labelling Standard
  • Media Reuse and Destruction Standard

Waivers

Waivers from certain policy provisions may be sought following the Cyber Sentinel (Kaleidotech Investments) Waiver Process.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.