Mysale Information Classification 101
Mysale Information Classification 101
How to classify and label Mysale Group Information and Data
Sensitivity: PUBLIC Date: 14.07.2017 Class: COMPANY DATA Owner: CISO

Why do we need to classify information and data?
Not all information and data are equal.
We need to ensure that sensitive information does not leak out by error or without authorisation.
We need to know on which systems sensitive information is stored, so that those systems can be protected accordingly, and who its owners are, since only they can grant access to others.
Classification is required for certification to both PCI DSS and ISO27001.

Our Classification Levels
Public: information authorised for release to the general public
Internal: information that is limited to everyone at Mysale Group
Confidential: information that is limited to specific departments, teams or people
Highly Confidential: information restricted to senior managers/directors only

Other Security Label Content
Owner: the role responsible for creating and updating the document and for granting access to it. The owner is a role, not an employee's name! Being a document owner does not imply any intellectual property right to it.
Date: the date of document creation or last modification, as we do not have automated version control.
Class: a Customer Data or Company Data label, to distinguish Mysale information from that of our customers.

What do security footers look like?
Sensitivity: Public Date: 07.07.2017 Class: Company Data Owner: Marketing Director
Sensitivity: Internal Date: 07.07.2017 Class: Company Data Owner: Sales Manager
Sensitivity: Confidential Date: 07.07.2017 Class: Customer Data Owner: Financial Director
Please use the headed paper provided for your convenience at <address>

Key Docs on Classification
Data Classification Matrix: details on how we assign classifications and what they mean
Data Classification Standard: description of the classification levels
Data Classification Policy: overall rules on data security

Public Information
May be distributed without damage to the company or individuals.
Examples: ads, external vacancy posts, website content
Distribution: must be approved prior to public release, with correctness checked before the release
Exceptions: public posts that constitute part of a job (e.g. blogging for advertising purposes)
Reproduction: unlimited
Disposal: operating system delete, paper bins
Security risks: loss, distortion, plagiarism by competitors

Internal Information
All unlabeled documents are Internal by default and must be treated as such.
Examples: policies, procedures, work instructions, meeting invitations, calendars, time sheets, blank company headed paper
Distribution: may be distributed within the company only
Exceptions: can be delivered to third parties with whom an NDA has been signed, as part of a contract or as a standalone document. These may include consultants, vendors, auditors etc.
Reproduction: limited copies to Mysale employees
Disposal: delete and empty the Recycle Bin, shred paper
Security risks: loss, leak to unauthorised third parties

Confidential Information
Unless agreed otherwise and approved by your manager, all Customer Data is Confidential by default!
Examples: banking details, credit card data, login credentials and keys, personal data of employees
Distribution: only to employees who work with such data, typically limited to a specific department or team
Exceptions: senior management. External release only when required by a court order or to law enforcement agencies
Reproduction: on a need-to-know basis
Disposal: secure deletion where possible, shred paper
Security risks: loss, leak to outsiders, inside leaks to employees who must not have access to such information
Please keep in mind that all incidents involving Confidential data will be treated as Serious and escalated to C-level.

Highly Confidential Information
Examples: board meeting notes, strategic business programs or plans
Distribution: senior management/company directors only. No storage on shared resources to which other employees have access
Exceptions: none. External release only when required by a court order or to law enforcement agencies
Reproduction: on a need-to-know basis amongst senior managers
Disposal: secure deletion, shred paper documents
Security risks: loss, leak to outsiders, inside leaks to employees who must not have access to such information
Please keep in mind that all incidents involving Highly Confidential data are Serious and will lead to disciplinary/legal actions.
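A small checker for the footer format shown on the security footers slide, applying the two defaults the slides state: an unlabeled document is Internal, and Customer Data is Confidential unless labelled higher. This is an added example, not part of the Mysale presentation; the field regex, the dd.mm.yyyy date check and the title-casing of values are assumptions about how the footers are written.

```python
import re
from datetime import datetime

# Sensitivity levels from the slides, least to most restrictive.
LEVELS = ["Public", "Internal", "Confidential", "Highly Confidential"]
CLASSES = {"Company Data", "Customer Data"}

# Footer layout as shown in the slides: "Sensitivity: X Date: dd.mm.yyyy Class: Y Owner: Z".
# Values are free text, so each one is captured up to the next field name (assumed layout).
FOOTER_RE = re.compile(
    r"Sensitivity:\s*(?P<sensitivity>.+?)\s+Date:\s*(?P<date>\S+)\s+"
    r"Class:\s*(?P<class>.+?)\s+Owner:\s*(?P<owner>.+?)\s*$",
    re.MULTILINE,
)


def parse_footer(text):
    """Return the footer fields as a dict, or None when the text carries no footer."""
    m = FOOTER_RE.search(text)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None


def classify(text):
    """Return (effective_sensitivity, findings) for a document's text, applying
    the slide defaults: no footer -> Internal; Customer Data -> at least Confidential."""
    findings = []
    footer = parse_footer(text)
    if footer is None:
        return "Internal", ["no security footer: treated as Internal by default"]

    level = footer["sensitivity"].title()  # the title slide writes "PUBLIC"
    if level not in LEVELS:
        findings.append(f"unknown sensitivity {footer['sensitivity']!r}; treating as Internal")
        level = "Internal"

    data_class = footer["class"].title()  # the title slide writes "COMPANY DATA"
    if data_class not in CLASSES:
        findings.append(f"unknown class {footer['class']!r}; expected Company Data or Customer Data")

    try:
        datetime.strptime(footer["date"], "%d.%m.%Y")  # date format used on the slides
    except ValueError:
        findings.append(f"date {footer['date']!r} is not in dd.mm.yyyy form")

    if data_class == "Customer Data" and LEVELS.index(level) < LEVELS.index("Confidential"):
        findings.append("Customer Data labelled below Confidential; treating as Confidential")
        level = "Confidential"

    return level, findings
```

Running it over a share's documents gives the list of files that are unlabeled or labelled below what the slides require, which is the practical starting point for the "label Confidential information first" advice.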

Handling Highly Confidential and Confidential Information
Do not copy it to your own devices.
Do not take it off Mysale premises.
Do not copy it to shared drives that do not already contain it and are not approved to do so.
Do not send it to mailing lists which may include recipients not authorised to view it.
Do not leave paper copies lying around unattended. Lock them up, or shred them if obsolete.
Hard drives of mobile computers holding it must be encrypted by IT Support.
Any cloud resources holding it must be IT-approved and have two-factor authentication turned on.
Use the secure deletion tools recommended by IT to erase it.

How to label a new document
1. In a new document, select and download the required template from the Document Portal.
2. Insert your role and the date of document creation into the corresponding footer fields.
3. Save.

How to label an existing document
1. Copy and paste the required footer from the template of the corresponding classification level at the Document Portal.
2. Insert your role and the date of document creation into the corresponding footer fields.
3. Save.

How to label a presentation
1. Create a new sheet called “Document Control”.
2. Insert “Sensitivity”, “Class”, “Date” and “Role” fields into this sheet.
3. Fill them in exactly as you would a document classification footer, and save.

Finally…
You do not have to go through all the company documents you have and label everything right now, but:
Label existing documents as you amend them.
Label new documents as you create them.
Always label all Highly Confidential and Confidential information first.
If in doubt about data sensitivity:
Check the Data Classification Matrix at the Document Portal.
Ask your manager about it.