MoD: SparQ Created Date: 1/11/2019 SC: INTERNAL

SparQ Information Classification

I. Background

Control objective A.8.2 'Information Classification' of the ISO 27001 Information Security
Management System framework requires that organisations "ensure that information receives an
appropriate level of protection". All SparQ information assets under the responsibility of
sub-departments need to be classified. This gives SparQ extra protection and appropriate methods
to secure valued information assets. Information classification also helps employees be aware of
their responsibility when they access, handle or share information with internal or external
customers.

II. Policy for Information Classification, Labelling and Handling


a. Information Classification
Head of Department (HoD): The HoD is responsible for organizing the information
classification process for all information assets that fall under his or her department. The HoD
may delegate this task to another employee in the department; this person needs to be nominated
and fully trained. The HoD also needs to review all the tasks of the nominated person in order
to double-check the requirements of the information classification process.
Master of Data (MoD): The MoD is responsible for classifying all documents generated by him or
her.
b. Information Labelling
Master of Data (MoD): The MoD also needs to mark the protection level (information label) on
his or her documents.
c. Information Handling
SparQ's employees: All employees need to be aware of the labelling on information
assets/documents marked by the MoD. Employees need to follow the Information Handling rules
applicable to each type of classified information.

III. Information Classification/Labelling/Handling


a. Information Life Cycle

Create -> Organize/Store -> Use/Access/Transfer -> Maintain -> Dispose (and back to Create)

b. Information Classification/Labelling/Handling Matrix


This matrix has also been attached to SparQ – Information Asset
The matrix has the following columns: Security Class; Description; Sample Documents; Create – Labelling; Organize – Store (physical and administrative controls); Handling – Reproduction; Handling – Distribution; Maintain – Retention/Archiving; Dispose – Destruction/Disposal. The four security classes are set out below, one field per column.

PUBLIC
Description: Information that may be broadly distributed without causing damage to SparQ, its employees, stakeholders or the public. The information has no security implications.
Sample documents: Marketing materials authorized for public release such as advertisements, brochures, published annual accounts, Internet Web pages, catalogues, external vacancy notices.
Labelling (Create): None.
Store (Organize): None; no specific requirements.
Reproduction (Handling): Unlimited.
Distribution (Handling): No restrictions.
Retention/Archiving (Maintain): Archive for 1 year.
Destruction/Disposal (Dispose): Recycling/trash.

INTERNAL
Description: Information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient. Disclosure to anyone outside of SparQ requires management authorization. Most corporate information falls into this category. A low to medium security level is applied to protect the information.
Sample documents: Departmental memos, information on internal bulletin boards, training materials, policies, operating procedures, work instructions, guidelines, phone and email directories, marketing or promotional information (prior to authorized release), investment options, transaction data, productivity reports, disciplinary reports, contracts, Service Level Agreements, internal vacancy notices, intranet Web pages.
Labelling: The Master of Data (MoD) is responsible for proper markings. Put "INTERNAL" in the header of the document template.
Store: Apply traditional IT services such as an Access Control List (ACL) to manage permissions on the information and document control. Users are responsible for proper storage.
Reproduction: Limited copies may be made only by employees, or by contractors and third parties who have signed an appropriate nondisclosure agreement.
Distribution: Internal: use an internal mail envelope. External: use a sealed envelope. Electronic: use the internal email system to transfer the information. FAXing: take care over the FAX number!
Retention/Archiving: Archive for 3 years.
Destruction/Disposal: Paper documents: shred (external shredding services may be used). Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal.

CONFIDENTIAL
Description: Highly sensitive or valuable information. Must not be disclosed outside of SparQ without explicit approval from management (e.g. HoD, board of management). This type of information is limited to specific groups, teams or specified projects. A high security level is applied to protect the information.
Sample documents: Passwords and PIN codes, VPN tokens, credit and debit card numbers, personal information (such as employee HR records, Social Security Numbers), most accounting data, other highly sensitive or valuable proprietary information.
Labelling: Put "CONFIDENTIAL" in the header of the document template.
Store: Apply combined IT services/security to secure the information (e.g. ACL, firewall, locked cabinets for paper documents). Two factor authentication is required to access this type of information. Users are responsible for ensuring that confidential information is kept only for themselves and authorized persons, and for not sharing passwords with non-authorized parties.
Reproduction: The MoD is responsible for ensuring that confidential information is distributed on a strict need-to-know basis. Limited copies may be made only with the permission of the originator or his/her designates; a signed authorization slip must be presented.
Distribution: Internal: use a sealed envelope inside an internal mail envelope; hand deliver if possible. External: use a plain sealed envelope; hand deliver or send by registered mail, courier etc. Electronic: use the internal email system only; email encryption is required when sending confidential information outside of SparQ. FAXing: requires phone confirmation of receipt of a test page immediately prior to sending the FAX, and phone confirmation of full receipt.
Retention/Archiving: Archive for 5 years.
Destruction/Disposal: Paper documents: shred using an approved cross-cut shredder. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal.

STRICTLY CONFIDENTIAL
Description: Top secret information of SparQ, only available to the top level of management (e.g. CEO, board of management, key stakeholders). A very high security level is applied to this type of information.
Sample documents: Strategic business plan, Company's intellectual properties.
Labelling: Put "STRICTLY CONFIDENTIAL" in the header of the document template.
Store: Apply combined IT services to secure the information (e.g. ACL, firewall). Two factor authentication is required to access this type of information. Data must also be encrypted when stored. Users are responsible for ensuring that the information is kept only for themselves and authorized persons, and for not sharing passwords with non-authorized parties; apply appropriate security measures (e.g. data encryption) to increase the information security level.
Reproduction: The MoD is responsible for ensuring that strictly confidential information is distributed on a strict need-to-know basis. Avoid copies as much as possible; copies need to be approved by top management level, and every copy must carry the same security level as the original.
Distribution: Internal: use a sealed envelope inside an internal mail envelope; hand delivery is required. External: use a plain sealed envelope with extra physical security (e.g. a metal box with a combination lock); hand deliver or send by registered mail, courier etc. Electronic: use the internal email system only; email encryption is required when sending the information outside of SparQ, and the receiver also needs to have two factor authentication in place.
Retention/Archiving: Archive for 10 years.
Destruction/Disposal: Paper documents: shred using an approved cross-cut shredder. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal.

IV. Proposed Process for Information Classification

The proposed process consists of five steps:
(1) FROM Business Processes
(2) IDENTIFY Information Assets
(3) CLASSIFY Information Assets
(4) DETERMINE Extra Protection (Y/N)
(5) REVIEW