8 - Information Classification and Protection Policy

This policy outlines how to classify and protect information at Company LLC based on sensitivity. Information must be classified as public, internal use, or restricted/confidential. The policy assigns roles and responsibilities and outlines guidelines for topics like encryption, storage, backups, and training.

Uploaded by

pentesting.443
Information Classification and Protection Policy Template

This template is part of ISACA’s Policy Template Library Toolkit. The policy
template should be modified to ensure it conforms to the control posture and
reflects the risk tolerance of the specific enterprise environment.

FOR INTERNAL USE ONLY 1


POLICY NAME: Information Classification and Protection Policy

DESCRIPTION: Ensure that information is classified and protected at the appropriate level and in accordance with its importance to the organization.

OWNER: Chief information officer (CIO)

EFFECTIVE DATE: Immediately

REVIEW FREQUENCY: At least annually

INTRODUCTION

Purpose for Policy


The purpose of this policy is to identify and classify Company LLC’s information based on sensitivity in
order to implement appropriate security controls.

Scope of Policy
This policy applies to:
a) All Company LLC employees, contractors, consultants, temporary staff, interns, and personnel
affiliated with third parties
b) All locations where IT resources are used
c) All Company LLC, affiliate, or third-party IT resources
d) All sensitive/confidential digital or nondigital information that Company LLC, affiliates,
and/or third parties possess
e) All devices connected to Company LLC, affiliate, or third-party network(s)
f) All remote workers

Exceptions
Any exceptions to this policy require submission and approval of appropriate documentation in
accordance with the established policy exception process “xxxxx.” Exceptions deemed high risk will be
escalated to and reviewed by the “xxxxx Risk Forum” and recorded in the risk register.

GUIDELINES AND REQUIREMENTS

1. Information Classification
• All company information assets must be classified by information owners using an appropriate
method.
• Company information must be protected based on its level of classification.
• Information must be classified according to sensitivity (public, internal use, or
restricted/confidential), and access must be restricted based on job responsibilities.
  o Public: Information intended for public dissemination that has no restrictions on its
accessibility. Unauthorized disclosure poses minimal risk to the organization.
  o Internal use: Information intended for internal use only. Access is restricted, and
disclosure is only allowed on a need-to-know basis. Disclosure to external parties requires
proper authorization. Unauthorized disclosure could have a moderate impact on the organization.
  o Restricted/confidential: Extremely sensitive information with a high potential for severe
impact if disclosed. Access to this information is limited on a strictly need-to-know basis.
Unauthorized disclosure would result in significant harm to the organization.

2. Information Responsibilities
• Information owners must determine the appropriate value of information, classify information
associated with business processes, and report to the chief information officer (CIO) so that
protection and access measures can be mapped appropriately.
• The CIO is responsible for ensuring the appropriate controls are in place for the
category/classification of each data set that Company LLC can access.
• The rules and expectations for how third parties handle Company LLC information must be
defined and communicated.
• Communication channels for disseminating these rules to third parties must be established and
maintained.
• Information custodians must implement information classification guidance.

3. Information Governance
• The information protection office is designated as the primary entity responsible for upholding
and enforcing compliance with this policy.

4. Information Breach
• Information breach incidents must be reported to the information protection office immediately
upon confirmation, and in any case within 72 hours.
• The information protection office must report information breach incidents to the appropriate
internal stakeholders and to external regulatory and legal authorities.

5. Information Quality
• An information quality plan must be developed and maintained to ensure data is fit for
purpose.
• Information quality procedures must be established to ensure information is fit for
consumption and meets the needs of its consumers.
• Information cleansing practices must be defined to ensure that processes and methods used to
validate and correct information are in place.

6. Data Architecture
• The enterprise architecture and data platform must facilitate data management practices,
reduce redundancies, ensure system availability, and enable data integrity through data
integration.
• Architectural standards that consider external compliance and integration requirements must
be developed, reviewed, approved, and maintained by a designated organizational governance
body (e.g., an architecture board).

7. Data Encryption
• Encryption standards must be defined and implemented to protect data at rest and in transit
based on its sensitivity.

8. Data/Information Storage
• Electronic data/information stored on electronic media must be protected by at least one
authentication mechanism appropriate to its classification (e.g., strong passwords, passphrases,
biometrics, OTP).
• Nonelectronic media, e.g., physical documents that contain information/data, must be stored in
closed containers such as file cabinets and closed storage areas where physical controls are in
place to protect against unauthorized access, theft, or destruction.

9. Data Backups
• Data must be backed up according to the data backup policies of Company LLC.

10. Information/Data Retention and Destruction


• All information classified by Company LLC must be stored in accordance with the
company's information retention policy.
• Information that is no longer required to be maintained (i.e., expired) must be destroyed in
accordance with Company LLC media policy and standards.
• Information owners must be consulted prior to information destruction, as their own
requirements may extend the retention period of certain information, superseding Company
LLC's information retention policy.

11. Training or Awareness Program


• Employees must attend data protection training annually. This training program must
cover the organization's information classification policy, data security controls, and the
consequences of noncompliance. Training completion rates must be closely monitored.

ROLES AND RESPONSIBILITIES

1. The Company LLC board, audit and risk committee, and IT committee are ultimately accountable
for the management of information protection risk associated with computer systems and are
supported by the senior leadership team (SLT) and chief operating officer (COO), who oversee the
data protection strategy, funding, and resourcing.

2. The chief information officer (CIO) has the authority to:


a. Establish information protection policies, standards, and guidelines.
b. Assign management responsibilities for data protection processes.
c. Communicate information classification to all relevant parties and internal and external
stakeholders.

3. The chief information security officer (CISO) is accountable for:


a. Management of overall Company LLC system information protection risk
b. Providing system information protection advice and user awareness
c. Designing and implementing the Company LLC system information protection strategy
d. Managing system information protection incidents

4. Company LLC senior management is accountable for the management of system information
protection within their area of responsibility.

5. Information resource owners are responsible for:


a. Assessing, reporting, and escalating system information protection risk associated with their IT
resources
b. Assessing and managing system information protection risk associated with their system
information protection service providers
c. Overseeing all access to their IT resources
d. Providing management assurance over their system information protection controls

CONSEQUENCES OF POLICY VIOLATIONS

Breaches of this policy and/or the Code of Conduct shall be considered grounds for disciplinary action up
to and including dismissal.

QUESTIONS/CONTACT INFORMATION

For questions about the Information Classification and Protection Policy or any material addressed
herein, please email the CIO Policy group (or Information Security or CISO group) at
[email protected].

DOCUMENT INFORMATION
Document Location: Z:\Policies & Procedures\Policies\IT Policies

VERSION HISTORY
Version   Date       Author   Additional Information
V1.0      xx/xx/xx

DOCUMENT REVIEW
Version   Date   Reviewed By   Additional Information
V1.0                           Approved
