Data Classification Policy Template


To get started, use this data classification policy template and customize it to your needs. Use this policy to classify customer data, internal communications, and company information by sensitivity, type, and value.

Data Classification Policy


Purpose

This policy will assist employees and other third parties in understanding [COMPANY NAME]’s information labeling and handling guidelines. The sensitivity level definitions were created as guidelines and to emphasize common-sense steps that you can take to protect sensitive or confidential information (e.g., Company Confidential information should not be left unattended in conference rooms).

Scope

This policy applies to all information owned, managed, controlled, or maintained by [COMPANY NAME]. Information covered in this policy includes, but is not limited to, information that is received, stored, processed, or transmitted via any means. This includes electronic, hardcopy, and any other form of information, regardless of the media on which it resides.

Roles and Responsibilities

<ROLES AND RESPONSIBILITIES>

Policy

a) Definitions

● Confidential/Restricted Data. Generalized terms that typically represent data classified as Sensitive or Private, according to the data classification scheme defined in this policy.

● Internal Data. All data owned or licensed by [COMPANY NAME].

● Public Information. Any information that is available within the public domain.

b) Data Classification Scheme

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to [COMPANY NAME] should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of the three following classifications.

● Confidential/Restricted Data

Data should be classified as Restricted or Confidential when the unauthorized disclosure, alteration, or destruction of that data could cause a serious or significant level of risk to [COMPANY NAME] or its customers. Examples of sensitive data include data protected by state or federal privacy regulations (e.g., PHI and PII) and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted and Confidential Data:

○ Disclosure of or access to Restricted and Confidential data is limited to specific use by individuals with a legitimate need-to-know. Because of legal, contractual, privacy, or other constraints, explicit authorization by the Security Officer is required for access.
○ Must be protected to prevent loss, theft, unauthorized access, and/or
unauthorized disclosure.
○ Must be destroyed when no longer needed. Destruction must be in
accordance with Company policies and procedures.
○ Will require specific methodologies, procedures, and reporting
requirements for the response and handling of incidents.

● Internal Use Data

Data should be classified as Internal Use when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to [COMPANY NAME] or its customers. This includes proprietary, ethical, or privacy considerations. Data must be protected from unauthorized access, modification, transmission, storage, or other use. This applies even though there may not be a civil statute requiring this protection. Internal Use Data is restricted to personnel who have a legitimate reason to access it. By default, all data that is not explicitly classified as Restricted/Confidential or Public data should be treated as Internal Use data. A reasonable level of security controls should be applied to Internal Use Data.

● Public Data

Data should be classified as Public when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to [COMPANY NAME] and its customers. It is further defined as information with no existing local, national, or international legal restrictions on access or usage. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized alteration or destruction of Public Data.

c) Assessing Classification Level and Labeling

The goal of information security, as stated in the Information Security Policy, is to protect the confidentiality, integrity, and availability of Corporate and Customer Data. Data classification reflects the level of impact to [COMPANY NAME] if confidentiality, integrity, or availability is compromised.

If a classification is not inherently obvious, consider each security objective using the following table as a guide. All data will be assigned one of the following four sensitivity levels.

CLASSIFICATION LEVELS

Each level is described by its classification criteria, the potential impact of loss, and the labeling convention.

RESTRICTED
● Highly sensitive information
● Level of protection is dictated externally by legal and/or contractual requirements
● Must be limited to only authorized employees, contractors, and business partners with a specific business need

Potential impact of loss: SERIOUS DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal or external to [COMPANY NAME]. Impact could include negatively affecting [COMPANY NAME]’s competitive position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements, and posing an identity theft risk.

LABELING: [Example: Every page header states “Restricted”]

CONFIDENTIAL
● Sensitive information
● Level of protection is dictated internally by [COMPANY NAME]
● Must be limited to only authorized employees, contractors, and business partners with a specific business need

Potential impact of loss: SIGNIFICANT DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal or external to [COMPANY NAME]. Impact could include negatively affecting [COMPANY NAME]’s competitive position, damaging the company’s reputation, violating contractual requirements, and exposing the geographic location of individuals.

LABELING: [Example: Every page header states “Confidential”]

INTERNAL USE
● Non-sensitive information
● Originating within or owned by [COMPANY NAME], or entrusted to it by others
● May be shared with authorized employees, contractors, and business partners who have a business need, but may not be released to the general public, due to the negative impact it might have on the company’s business interests

Potential impact of loss: MODERATE DAMAGE would occur if Internal Use information were to become available to unauthorized parties either internal or external to [COMPANY NAME]. Impact could include damaging the company’s reputation and violating contractual requirements.

LABELING: [Example: Every page header states “Internal Use”]

PUBLIC
● Information that has been approved for release to the general public
● Freely shareable both internally and externally

Potential impact of loss: NO DAMAGE would occur if Public information were to become available to parties either internal or external to [COMPANY NAME]. Impact would not be damaging or a risk to business operations.

LABELING: [Example: No Labeling Necessary]

HANDLING CONTROLS PER DATA CLASSIFICATION

For each handling control, the requirement is listed per classification level (Restricted, Confidential, Internal Use, Public).

Non-Disclosure Agreement (NDA)
Restricted: Required prior to access by non-[COMPANY NAME] employees
Confidential: Recommended prior to access by non-[COMPANY NAME] employees
Internal Use: Not Required
Public: Not Required

Internal Network Transmission (wired & wireless)
Restricted: Encryption Required; Instant Messaging Prohibited; FTP Prohibited
Confidential: Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited
Internal Use: No Requirements
Public: No Requirements

External Network Transmission (wired & wireless)
Restricted: Encryption Required; Instant Messaging Prohibited; FTP Prohibited; Remote Access if Necessary (only with VPN and two-factor authorization when possible)
Confidential: Encryption Required; Instant Messaging Prohibited; FTP Prohibited
Internal Use: Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited
Public: No special requirements

Data at Rest (file servers, databases, archives, etc.)
Restricted: Encryption Required; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Individuals
Confidential: Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups
Internal Use: Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups
Public: Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups

Mobile Devices (iPhone, iPad, USB Drive, etc.)
Restricted: Encryption Required; Remote Wipe Enablement Required, if possible
Confidential: Encryption Required; Remote Wipe Enablement Required, if possible
Internal Use: Encryption Recommended; Remote Wipe Enablement Recommended, if possible
Public: No Requirements

Email (with and without attachments)
Restricted: Encryption Required; Do Not Forward
Confidential: Encryption Recommended; Do Not Forward
Internal Use: Encryption Recommended; Do Not Forward
Public: No Requirements

Physical Mail
Restricted: Mark “Open by Addressee Only”; Use Courier or “Certified Mail” and Sealed, Tamper-Resistant Envelopes for External Mailings
Confidential: Mark “Open by Addressee Only”; Use “Certified Mail” and Sealed, Tamper-Resistant Envelopes for External Mailings
Internal Use: Mail with Company Interoffice Mail; US Mail or Other Public Delivery Systems
Public: No Requirements