Data Classification Policy

This document outlines Koenig Solutions Pvt Ltd's data classification policy. It aims to create a framework to classify data based on its value, sensitivity, and potential impact. The policy applies to all employee, contractor, and customer data in digital and physical forms. It also defines roles and responsibilities for data users, custodians, and owners. The policy classifies data as restricted, private, or public based on the risk of unauthorized disclosure, alteration, or destruction. It also provides guidelines for determining a data's impact level and procedures for annual reclassification reviews.


DATA CLASSIFICATION POLICY
Document Version 1.5

Koenig Solutions Pvt Ltd


DSM-640-641, 6th Floor, DLF Tower, Shivaji Marg,
Moti Nagar, New Delhi-110015(India)

№: Data Classification Policy - 25
ADMINISTRATIVE POLICY: DATA CLASSIFICATION
Effective since: Jan. 1, 2021
Revised: Dec, 2022

THE PURPOSE
The main goal of this policy is to create a defined framework for data classification. Data
classification should be performed based on the information's value, sensitivity and potential impact on
KOENIG SOLUTIONS PVT LTD, all of which is to make sure that both customer data and sensitive
corporate data are safe and secure. Classification of data helps determine the baseline security
controls required for the protection of that data.

THE SCOPE
This Policy applies to all employees, contractors, and customers of KOENIG SOLUTIONS PVT LTD, as well
as any other entity that is authorized to access Institutional Data. The policy applies to any form of
data within the organization, including both digital data stored on any type of media device and
physical paper documents. It also binds all employees of the organization as well as any
third-party providers that have access to the organization’s data.

ROLES AND RESPONSIBILITIES

• Data user – Person, organization, or other entity that interacts with Koenig Solutions data in
some way for the purpose of performing a specific task using that data. Data users are required
to use data for the initial purpose only and should be compliant with both this policy and other
policies that might be applicable to the situation.

• Data custodian – Technically oriented staff from the IT department tasked with maintaining and
creating backups of the various systems, databases, and services within Koenig Solutions Pvt Ltd –
in short, anything that stores data. The same employees are also responsible for the technical
deployment of the various rules set up by KOENIG SOLUTIONS. The responsibilities of a data
custodian include:

o Compliance – fulfilling the data requirements outlined in the security policy and various
standards, guidelines, and everything else that concerns information security and data
protection

o Data backups – performing regular data backups.

o Data access – Data access is granted to Koenig Solutions employees as required to
execute tasks related to customer service. Different categories of employees, such as trainers
and sales staff, have different levels of access, managed by Koenig’s own RMS (Resource
Management System).

o Activity monitoring – activities are monitored and recorded within the
RMS (Resource Management System) of Koenig Solutions.

o Data restoration – restoring backed up data from their storage locations.

o Data validation – validating the integrity of backups from time to time.

• Data owner – Koenig Solutions management who oversee data management functions related
to the capture, maintenance, and dissemination of data for an operational area. They are
responsible for decisions about the usage of data and following.

DATA CLASSIFICATION
In the context of information security, data is classified based on its level of sensitivity
and the impact to KOENIG SOLUTIONS and its customers. This classification of data helps KOENIG
SOLUTIONS determine what baseline security controls are appropriate for safeguarding that data. All
organizational data is classified into one of three sensitivity levels, or classifications:

A. Restricted Data

Data is classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data
could cause a significant level of risk to KOENIG SOLUTIONS and its customers. Examples of Restricted
Data include data protected by state or federal privacy regulations and data protected by confidentiality
agreements. The highest level of security controls is applied to Restricted Data.

B. Private Data

Data is classified as Private when the unauthorized disclosure, alteration, or destruction of that data
could result in a moderate level of risk to KOENIG SOLUTIONS and its customers. By default all
Organizational Data that is not explicitly classified as Restricted or Public Data is treated as Private Data.
A reasonable level of security controls is applied to Private Data.

C. Public Data

Data is classified as Public when the unauthorized disclosure, alteration, or destruction of that data
would result in no risk to KOENIG SOLUTIONS LTD and its customers. Examples of Public Data include
press releases, course information, webinar information and research publications. Little or no controls
are provided to protect the confidentiality of Public Data.

Reclassification
Reevaluation of the classification of Organizational Data is done to ensure that the assigned
classification is still appropriate based on changes to legal and contractual obligations as well as
changes in the use of the data or its value to KOENIG SOLUTIONS LTD and its customers. This evaluation
is to be conducted on an annual basis or when the need arises. If classification of a certain data set has
changed, an analysis of security controls should be performed to determine whether existing controls
are consistent with the new classification. If gaps are found in existing security controls, they should be
corrected in a timely manner, commensurate with the level of risk presented by the gaps.

DETERMINING THE IMPACT LEVEL

For each security objective, the impact potential is rated High, Medium or Low as follows.

Confidentiality. Access restriction to prevent data disclosure in order to protect personal information
and secure enterprise-level data.
High: Improper disclosure of this kind of information could cause a negative effect ranging from
severe to catastrophic to the organization’s operations, assets or the specific individuals.
Medium: Improper disclosure of this information could cause serious effects to the organization’s
operations, assets or the specific individuals.
Low: Improper disclosure of this information could cause limited effects to the organization’s
operations, assets or the specific individuals.

Integrity. Ensuring the authenticity of information by protecting it against improper modification or
deletion.
High: Severe and/or catastrophic consequences are expected from the unauthorized modification or
deletion of the specific data, affecting the company’s operations, assets and/or individuals.
Medium: Serious consequences are expected from the unauthorized modification or deletion of the
specific data, affecting the company’s operations, assets and/or individuals.
Low: Limited consequences are expected from the unauthorized modification or deletion of the
specific data, affecting the company’s operations, assets and/or individuals.

Availability. Ensure reliable access to the information and the ability to use said information within
a short time span.
High: Problems with access to this information, or the inability to access it in the first place, are
expected to have severe and/or catastrophic effects on the company’s operations, assets and/or
individuals.
Medium: Problems with access to this information, or the inability to access it in the first place, are
expected to have serious effects on the company’s operations, assets and/or individuals.
Low: Problems with access to this information, or the inability to access it in the first place, are
expected to have limited effects on the company’s operations, assets and/or individuals.

Questions

If you have questions or concerns regarding this policy or other Information Technology Security
Policies, please contact [email protected]

Appendix A: Predefined types of restricted information

KOENIG SOLUTIONS PVT LTD has defined several types of Restricted Data based on
state and federal regulatory requirements. They are defined as follows:

1 Authentication Verifier

An Authentication Verifier is a piece of information that is held in confidence by an individual and used
to prove that the person is who they say they are. In some rare instances, an Authentication Verifier
may be shared amongst a small group of individuals. An Authentication Verifier may also be used to
prove the identity of a system or service. Examples include, but are not limited to:
Passwords
Shared secrets
Cryptographic private keys

2 Payment Card Information

Payment card information is defined as a credit card number (also referred to as a primary account
number or PAN) in combination with one or more of the following data elements:

Cardholder name
Service code
Expiration date
CVC2, CVV2 or CID value
PIN or PIN block
Contents of a credit card’s magnetic stripe

3 Personally Identifiable Education Records

Personally Identifiable Education Records are defined as any Education Records that contain one or
more of the following personal identifiers:

Name of the student
Name of the student’s parent(s) or other family member(s)
Social security number
Student number (KOENIG maintains an SCID for each student, which is generated by Koenig at the time of enrollment.)
A list of personal characteristics that would make the student’s identity easily traceable
Any other information or identifier that would make the student’s identity easily traceable

In most cases KOENIG SOLUTIONS only needs the name and email address of the person enrolling in
any of our training programmes, webinars etc.

4 Personally Identifiable Information

For the purpose of meeting security breach notification requirements, PII is defined as a person’s first
name or first initial and last name in combination with one or more of the following data elements:

Social security number
State-issued driver’s license number
State-issued identification card number
Financial account number in combination with a security code, access code or password that would permit access to the account
Medical and/or health insurance information

This information may be needed if you are a KOENIG SOLUTIONS employee. We do not ask for PII
information from our customers.

5 Protected Health Information ("PHI")

PHI is defined as "individually identifiable health information" transmitted by electronic media,
maintained in electronic media or transmitted or maintained in any other form or medium. PHI is
considered individually identifiable if it contains one or more of the following identifiers:
Name
Address (all geographic subdivisions smaller than state including street address, city, county, or pin code)
All elements of dates related to an individual (including birth date, admission date, discharge date, date
of death and exact age if over 89)
Telephone numbers
Fax numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Covid Vaccination Certificate
Vehicle identifiers and serial numbers, including license plate number (for the in-premise parking facility)
Device identifiers and serial numbers
Universal Resource Locators (URLs)
Internet protocol (IP) addresses
Biometric identifiers, limited to fingerprints (for attendance purposes)
Full face photographic images
Any other unique identifying number, characteristic or code that could identify an individual

This information may be needed if you are a KOENIG SOLUTIONS employee. We do not ask for this
information from our customers.
