Data Classification Policy
ADMINISTRATIVE POLICY
№: Data Classification Policy - 25
Document Version 1.5
Effective since: Jan. 1, 2021
Revised: Dec 2022
THE PURPOSE
The main goal of this policy is to define a framework for classifying data. Data is classified based on its
value, its sensitivity and its potential impact on KOENIG SOLUTIONS PVT LTD, so that both customer data and
sensitive corporate data are kept safe and secure. Classifying data helps determine the baseline security
controls required to protect it.
THE SCOPE
This Policy applies to all employees, contractors, and customers of KOENIG SOLUTIONS PVT LTD, as well
as any other entity that is authorized to access Institutional Data. The policy applies to data in any form
within the organization, including digital data stored on any type of media device as well as physical
paper documents. It also covers all employees of the organization and any third-party providers that
have access to the organization’s data.
• Data custodian – Technically-oriented staff from the IT department tasked with maintaining and
creating backups of the various systems, databases, and services within Koenig Solutions Pvt Ltd –
in short, anything that stores data. The same employees are also responsible for the technical
deployment of the rules set up by KOENIG SOLUTIONS. The responsibilities of a data custodian include:
o Compliance – fulfilling the data requirements outlined in the security policy and in the various
standards, guidelines, and other documents concerning information security and data
protection
o Data access – Data access is granted to Koenig Solutions employees as required to carry out
customer service tasks. Different categories of employees, such as trainers and sales staff,
have different levels of access, managed by Koenig’s own RMS (Resource
Management System).
o Activity monitoring – Monitoring and recording of activities are performed within the
RMS (Resource Management System) of Koenig Solutions.
• Data owner – Koenig Solutions management who oversee data management functions related
to the capture, maintenance, and dissemination of data for an operational area. They are
responsible for decisions about the usage of data and following.
DATA CLASSIFICATION
In the context of information security, data is classified based on its level of sensitivity
and the impact its compromise would have on KOENIG SOLUTIONS and its customers. This classification helps KOENIG
SOLUTIONS determine which baseline security controls are appropriate for safeguarding that data. All
organizational data is classified into one of three sensitivity levels, or classifications:
A. Restricted Data
Data is classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data
could cause a significant level of risk to KOENIG SOLUTIONS and its customers. Examples of Restricted
Data include data protected by state or federal privacy regulations and data protected by confidentiality
agreements. The highest level of security controls is applied to Restricted Data.
B. Private Data
Data is classified as Private when the unauthorized disclosure, alteration, or destruction of that data
could result in a moderate level of risk to KOENIG SOLUTIONS and its customers. By default, all
Organizational Data that is not explicitly classified as Restricted or Public Data is treated as Private Data.
A reasonable level of security controls is applied to Private Data.
C. Public Data
Data is classified as Public when the unauthorized disclosure, alteration, or destruction of that data
would result in no risk to KOENIG SOLUTIONS LTD and its customers. Examples of Public Data include
press releases, course information, webinar information and research publications. Few or no controls
are applied to protect the confidentiality of Public Data.
Reclassification
Reevaluation of the classification of Organizational Data is done to ensure that the assigned
classification is still appropriate based on changes to legal and contractual obligations as well as
changes in the use of the data or its value to KOENIG SOLUTIONS LTD and its customers. This evaluation
is to be conducted on an annual basis or when the need arises. If classification of a certain data set has
changed, an analysis of security controls should be performed to determine whether existing controls
are consistent with the new classification. If gaps are found in existing security controls, they should be
corrected in a timely manner, commensurate with the level of risk presented by the gaps.
DETERMINING THE IMPACT LEVEL
Availability. Ensure reliable access to the information and the ability to use said information within a
short time span.
- Problems with access to this information, or the inability to access it in the first place, are expected
  to have severe and/or catastrophic effects on the company’s operations, assets and/or individuals.
- Problems with access to this information, or the inability to access it in the first place, are expected
  to have serious effects on the company’s operations, assets and/or individuals.
- Problems with access to this information, or the inability to access it in the first place, are expected
  to have limited effects on the company’s operations, assets and/or individuals.
Questions
If you have questions or concerns regarding this policy or other Information Technology Security
Policies, please contact [email protected]
KOENIG SOLUTIONS PVT LTD has defined several types of Restricted Data based on
state and federal regulatory requirements. They are defined as follows:
1 Authentication Verifier
An Authentication Verifier is a piece of information that is held in confidence by an individual and used
to prove that the person is who they say they are. In some rare instances, an Authentication Verifier
may be shared amongst a small group of individuals. An Authentication Verifier may also be used to
prove the identity of a system or service. Examples include, but are not limited to:
Passwords
Shared secrets
Cryptographic private keys
2 Payment Card Information
Payment card information is defined as a credit card number (also referred to as a primary account
number or PAN) in combination with one or more of the following data elements:
Cardholder name
Service code
Expiration date
CVC2, CVV2 or CID value
PIN or PIN block
Contents of a credit card’s magnetic stripe
3 Personally Identifiable Education Records
Personally Identifiable Education Records are defined as any Education Records that contain one or
more of the following personal identifiers:
Student number (KOENIG maintains SCID for each student which is generated by Koenig at the time of
enrollment.)
A list of personal characteristics that would make the student’s identity easily traceable
Any other information or identifier that would make the student’s identity easily traceable
In most cases KOENIG SOLUTIONS only needs the name and email address of the person enrolling in
any of our training programmes, webinars, etc.
4 Personally Identifiable Information (PII)
For the purpose of meeting security breach notification requirements, PII is defined as a person’s first
name or first initial and last name in combination with one or more of the following data elements:
This information may be needed if you are a KOENIG SOLUTIONS employee. We do not ask for PII
from our customers.