
[Organization Name]

INFORMATION CLASSIFICATION
POLICY

Version 1.0
Document type Policy
Document owner
Document location
Effective from
Status
Approved by
Classification
[organization's logo]

APPROVAL HISTORY
VERSION DATE APPROVED BY DEPARTMENT
1.0

REVISION HISTORY
VERSION DATE CREATED BY DESCRIPTION OF CHANGES
1.0 01.01.2023 Aron Lange Initial release

Table of Contents
1 PURPOSE..............................................................................................................................3
2 SCOPE...................................................................................................................................3
3 TERMS AND DEFINITIONS.....................................................................................................3
4 RELATED DOCUMENTS..........................................................................................................3
5 POLICY..................................................................................................................................3
5.1 Responsibilities.................................................................................................................3
5.2 Information classification scheme....................................................................................4
5.3 Communication................................................................................................................5
6 COMPLIANCE........................................................................................................................5
6.1 Measurement...................................................................................................................5
6.2 Exceptions.........................................................................................................................5
6.3 Violations..........................................................................................................................5

2
[Classification]
[organization's logo]

1 PURPOSE

The purpose of this policy is to define the rules and guidelines for classifying information
according to its sensitivity and criticality for information security.

2 SCOPE
This policy applies to all information assets that are owned, used, or managed by the
organization, regardless of their format, location, or medium. This policy also applies to all
employees, contractors, consultants, and other parties who have access to the organization's
information assets.

3 TERMS AND DEFINITIONS

ISMS: information security management system

4 RELATED DOCUMENTS
The following documents are related to this policy:
- Information Security Policy
- Information Handling Policy
- Information Access Control Policy
- Information Retention and Disposal Policy
- Information Breach Response Policy

5 POLICY
5.1 Responsibilities

5.1.1. Information User: Responsible for accessing and using the information asset in
accordance with its information classification level and the Information Handling
Policy, and for reporting any breach or incident involving the information asset to the
Information (Asset) Owner.

5.1.2. Information (Asset) Owner: Responsible for classifying, reviewing, and updating the
information asset, and for approving the access and use of the information asset by the
information user.


5.2 Information classification scheme

The organization shall classify all information assets according to their sensitivity and criticality
for information security, using the following classification levels:

Public: Information that can be freely disclosed or shared with anyone, without any restrictions
or consequences. Disclosure of public information would cause no harm to the organization.

Examples
- The organization's website, social media, and press releases
- The organization's annual reports, financial statements, and sustainability reports
- The organization's products, services, and customer testimonials

Internal: Information that can be disclosed or shared within the organization, but not with
external parties, without authorization or approval. Disclosure of internal information would
cause minor reputational damage or minor operational impact.

Examples
- The organization's policies, procedures, and guidelines
- The organization's employee directory, newsletter, and intranet
- The organization's performance reviews, training records, and feedback surveys

Confidential: Information that can be disclosed or shared only with specific individuals or
groups who have a legitimate need to know and who are bound by confidentiality agreements
or obligations. Disclosure of confidential information would have a significant short-term impact
on operations or business objectives.

Examples
- The organization's business plans, strategies, and budgets
- The organization's contracts, agreements, and proposals
- The organization's customer data, personal data, and intellectual property

Secret: Information that can be disclosed or shared only with the highest level of authorization
or approval, and only with the minimum number of individuals or groups who have a critical
need to know and who are bound by the strictest confidentiality agreements or obligations.
Disclosure of secret information would have a serious impact on long-term business objectives
or put the survival of the organization at risk.

Examples
- The organization's mergers, acquisitions, and divestitures
- The organization's security incidents, breaches, and investigations

- The organization's trade secrets, research and development, and innovation projects

5.3 Communication

5.3.1. The information classification policy shall be communicated to all persons within the
scope of the ISMS by [describe when and how to communicate or reference to a
communications plan].

5.3.2. This policy may (not) be shared and communicated with interested parties.

6 COMPLIANCE
The organization shall ensure the compliance and effectiveness of the information classification
policy and its implementation, and handle any exceptions, deviations, or violations accordingly.

6.1 Measurement
The organization shall measure the compliance and effectiveness of the information
classification policy and its implementation, using the following methods:

- Periodic audits and reviews of the information assets and their classification levels and
labels
- Periodic surveys and feedback from the information owners, users, and custodians
- Periodic reports and statistics on the information security incidents and breaches
involving the information assets

6.2 Exceptions
The organization shall handle any exceptions or deviations from the information classification
policy and its implementation, using the following procedures:

- [role] shall document and justify the exception or deviation, and obtain approval
from senior management or the information security committee
- [role] shall communicate and implement the exception or deviation, and monitor and
evaluate its impact and outcome
- [role] shall review and update the exception or deviation, and report any issues or
incidents to senior management or the information security committee

6.3 Violations
Members of the organization found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
