Mysale Information Classification 101


How to classify and label Mysale Group information and data

Why do we need to classify information and data?
- Not all information and data are equal.
- We need to ensure that sensitive information does not leak out by error or without authorisation.
- We need to know which systems sensitive information is stored on so that we can protect them accordingly, and who its owners are, since it is the owners who grant access to others.
- Classification is required for certification against both PCI DSS and ISO 27001.

Our Classification Levels
- Public: information authorised for release to the general public.
- Internal: information limited to everyone at Mysale Group.
- Confidential: information limited to specific departments, teams or people.

Other Security Label Content
- Owner: the role responsible for creating and updating the document and for granting access to it. The owner is a role, not an employee's name. Being a document owner does not imply any intellectual property right to the document.
- Date: the date the document was created or last modified, as we do not have automated version control.
- Class: "Customer Data" or "Company Data", to distinguish Mysale information from that of our customers.

What do security footers look like?

Sensitivity: Public
Date: 07.07.2017
Class: Company Data
Owner: Marketing Director

Sensitivity: Internal
Date: 07.07.2017
Class: Company Data
Owner: Sales Manager

Sensitivity: Confidential
Date: 07.07.2017
Class: Customer Data
Owner: Financial Director

Please use the headed paper provided for your convenience at <address>.

Key Docs on Classification
- Data Classification Policy: overall rules on data security.
- Data Classification Standard: description of the classification levels.
- Data Classification Matrix: details on how we assign a classification and what it means.

Public Information
- May be distributed without damage to the company or individuals.
- Examples: ads, external vacancy posts, website content.
- Distribution: must be approved, and checked for correctness, prior to public release.
- Exceptions: public posts that are part of a job (e.g. blogging for advertising purposes).
- Reproduction: unlimited.
- Disposal: operating system delete, paper bins.
- Security risks: loss, distortion, plagiarism by competitors.

Internal Information
- All unlabeled documents are Internal by default and must be treated as such (unless they contain Customer Data, which is Confidential by default).
- Examples: policies, procedures, work instructions, meeting invitations, calendars, time sheets, blank company headed paper.
- Distribution: within the company only.
- Exceptions: may be delivered to third parties with whom an NDA has been signed, either as part of a contract or as a standalone document. These may include consultants, vendors, auditors etc.
- Reproduction: limited copies, to Mysale employees only.
- Disposal: delete and empty the Recycle Bin; shred paper.
- Security risks: loss, leak to unauthorised third parties.

Confidential Information
- Unless agreed otherwise and approved by your manager, all Customer Data is Confidential by default!
- Examples: banking details, credit card data, login credentials and keys, personal data of employees.
- Distribution: only to employees who work with such data, typically limited to a specific department or team.
- Exceptions: senior management. External release only when required by a court order or to law enforcement agencies.
- Reproduction: on a need-to-know basis.
- Disposal: secure deletion where possible; shred paper.
- Security risks: loss, leak to outsiders, inside leaks to employees who must not have access to such information.
Please keep in mind that all incidents involving Confidential data will be treated as Serious and escalated to C-level.

Confidentiality Controls
- Do not copy Confidential information to your own devices.
- Do not take Confidential information off Mysale premises.
- Do not copy Confidential information to shared drives that do not already contain it and are not approved to hold it.
- Do not send Confidential information to mailing lists which may include recipients not authorised to view it.
- Do not leave paper copies of Confidential information lying around unattended. Lock them up, or shred them if obsolete.
- Hard drives of mobile computers holding Confidential information must be encrypted by IT Support.
- Any cloud resources holding Confidential information must be IT-approved and have two-factor authentication turned on.
- Use the secure deletion tools recommended by IT to erase it.

How to label a new document
1. In a new document, select and download the required template from <address>.
2. Insert your role and the date of document creation into the corresponding footer fields.
3. Save.

How to label an existing document
1. Copy and paste the required footer from the template for the corresponding classification level at <address>.
2. Insert your role and the date of document creation into the corresponding footer fields.
3. Save.

How to label a presentation
1. Create a new sheet called "Document Control".
2. Insert "Sensitivity", "Class", "Date" and "Role" fields into this sheet.
3. Fill these in exactly as you would a document classification footer, and save.
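A check for the footer format shown on the security footers slide, applying the rules from the Internal and Confidential slides: an unlabeled document is Internal by default, Customer Data is Confidential by default, the owner is a role rather than a person's name, and credit card data is always Confidential. This is an added example written for this page, not Mysale's own tooling; the one-field-per-line footer layout, the KNOWN_ROLES list and the Luhn-based card-number heuristic are assumptions made here.

```python
"""Classification footer check (added example; not from the original slides).

Assumptions: footer fields appear one per line as "Key: value" for
Sensitivity, Date, Class and Owner; KNOWN_ROLES stands in for the real list
of owner roles; a Luhn-valid run of 13-19 digits is treated as a likely
payment card number.
"""
import re
from datetime import datetime

LEVELS = ("Public", "Internal", "Confidential")
CLASSES = ("Company Data", "Customer Data")
# Assumed role list, taken from the three footer examples on the slides.
KNOWN_ROLES = {"Marketing Director", "Sales Manager", "Financial Director"}

FIELD_RE = re.compile(r"^\s*(Sensitivity|Date|Class|Owner)\s*:\s*(.+?)\s*$")
# Digit run of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body):
    """Return digit runs in body that pass the Luhn check (likely card numbers)."""
    hits = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def parse_footer(footer):
    """Map each recognised footer field name to its value."""
    fields = {}
    for line in footer.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify(footer, body=""):
    """Return (effective_sensitivity, findings) for one document.

    effective_sensitivity is the level the document must be handled at under
    the slides' rules; it can be stricter than what the footer claims.
    """
    findings = []
    f = parse_footer(footer)
    if not f:
        # Unlabeled documents are Internal by default.
        findings.append("no classification footer; treat as Internal and label it")
        sens = "Internal"
    else:
        sens = f.get("Sensitivity")
        if sens not in LEVELS:
            findings.append(f"Sensitivity {sens!r} is not Public/Internal/Confidential")
            sens = "Internal"
        cls = f.get("Class")
        if cls not in CLASSES:
            findings.append(f"Class {cls!r} must be Company Data or Customer Data")
        elif cls == "Customer Data" and sens != "Confidential":
            # Customer Data is Confidential by default regardless of the label.
            findings.append(f"Customer Data is Confidential by default, footer says {sens}")
            sens = "Confidential"
        try:
            datetime.strptime(f.get("Date", ""), "%d.%m.%Y")
        except ValueError:
            findings.append("Date missing or not in DD.MM.YYYY form")
        owner = f.get("Owner")
        if not owner:
            findings.append("Owner missing")
        elif owner not in KNOWN_ROLES:
            findings.append(f"Owner {owner!r} is not a known role (owner is a role, not a name)")
    # Card data is Confidential whatever the footer says (PCI DSS scope).
    pans = find_card_numbers(body)
    if pans and sens != "Confidential":
        findings.append(f"{len(pans)} likely card number(s) in body; card data is Confidential")
        sens = "Confidential"
    return sens, findings


if __name__ == "__main__":
    # Constructed sample: a Public footer on a document that contains a card number.
    sample_footer = "Sensitivity: Public\nDate: 07.07.2017\nClass: Company Data\nOwner: Marketing Director"
    sample_body = "Refund for order 1042, card 4111 1111 1111 1111"
    level, problems = classify(sample_footer, sample_body)
    print(level)
    for p in problems:
        print(" -", p)
```

The effective level is what matters for handling: a Public label does not make card data Public, and an unlabeled document is Internal only until its content says otherwise. The card-number detector is a heuristic (Luhn passes roughly one in ten random digit strings), so treat its findings as a prompt to review, not proof.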

Finally…
- You do not have to go through all the company documents you have and label everything right now, but:
- Label existing documents as you amend them.
- Label new documents as you create them.
- Always label all Confidential information first.
- If in doubt about data sensitivity, check the Data Classification Matrix at <address> or ask your manager.