Communications and Operations Management

Domains: Asset Classification and Control

Communications and Operations Management

Physical and Environmental Security

Information Security Incident Management

POLICY STATEMENT

1. IS Responsibility -- All IS workers who come into contact with delicate (Blanks) internal details are required to familiarize themselves with this data classification policy and to continually use these same ideas in their daily (Blanks) business activities. Sensitive details is either Private or Limited details, and both are described later in this document. Although this plan provides overall assistance, to achieve consistent information protection, IS workers are required to apply and increase these ideas to fit the needs of day-to-day functions. This document provides a conceptual model for IS for identifying details depending on its sensitivity, and an overview of the required approaches to protect information depending on these same sensitivity classifications.

2. Addresses Major Risks -- The IS data classification system, as described in this document, is in accordance with the idea of need to know. This term indicates that information is not revealed to any individual who does not have a legitimate and demonstrable business need to receive the information. This idea, when combined with the guidelines described in this document, will protect (Blank) details from unauthorized disclosure, use, modification, and deletion.

3. Applicable Information -- This data classification policy is appropriate to all electronic information for which IS is the custodian.

PROCEDURES

1. Access Control

a. Need to Know -- Each of the policy requirements set forth in this document are in accordance with the idea of need to know. If an IS worker is uncertain how the requirements set forth in this plan should be used to any particular circumstance, he or she must cautiously implement the need to know idea. That is to say that details must be revealed only to those individuals who have a legitimate business need for the information.

b. System Access Controls -- The proper controls shall be in place to verify the identity of users and to confirm each person's permission before enabling the user to access information or services on the system. Data used for authentication shall be secured from illegal accessibility. Controls shall be in place to ensure that only employees with the appropriate permission and a need to know are provided access (Blanks) systems and their resources. Remote access shall be managed through identification and authentication mechanisms.

c. Access Granting Decisions -- Access to (Blank) sensitive details must be provided only after the written permission of the Data Owner has been obtained. Access requests will be presented to the data owner using the Access Request template. Custodians of the involved information must refer all requests for access to the relevant Owners or their associates. Special needs for other access rights will be handled on a request-by-request basis. The list of individuals with access to Private or Restricted data must be analyzed for accuracy by the appropriate Data Owner according to a system review schedule approved by the VP, Director of Information Services and the AVP, Director of Risk Management.

2. Information Classification

a. Owners and Production Information -- All electronic information handled by IS must have a specific Owner. Production information is information regularly used to achieve business goals. Owners should be at the VP stage or above. Owners are accountable for giving appropriate sensitivity classifications as described below. Owners do not lawfully own the details entrusted to their proper care. They are instead designated affiliates of the (Blank) control group who act as stewards, and who manage the methods in which certain kinds of details are used and protected.

b. RESTRICTED -- This category refers to the most delicate company information that is designed for use totally within (Blank). Its unauthorized disclosure could seriously and negatively affect (Blank), its clients, its associates, and its suppliers.

c. CONFIDENTIAL -- This category refers to less-sensitive company information that is designed for use within (Blank). Its unauthorized disclosure could negatively affect (Blank) or its customers, providers, associates, or employees.

d. PUBLIC -- This classification

...