Data classification policy
Last revision on March 26, 2024
1. Purpose
The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value and criticality to the organization, so sensitive corporate and customer data can be secured appropriately.
2. Scope
This policy applies to any form of data, including paper documents and digital data stored on any type of media. It applies to all of the organization's employees, as well as to third-party agents authorized to access the data.
3. Definitions
Data Owners:
The person who is ultimately responsible for the data and information being collected and maintained by his or her department, usually a member of senior management.
Data Users:
Individuals and organizations that access data and information to perform their tasks and duties in the context of their work with Random Team.
4. Data classification
The categories of classification are:
Restricted: Highly sensitive data that, if disclosed to unauthorized persons, can cause permanent damage to Random Team or its customers.
Confidential: Sensitive business data that, if disclosed to unauthorized persons, can harm Random Team, its customers, partners, or employees.
Internal: Information that can be circulated only internally. Unauthorized disclosure of such information can lead to embarrassment and loss of competitive advantage.
Public: Information that can be viewed by anyone outside Random Team (e.g., the location of headquarters).
A Data Owner may wish to assign a single classification to a collection of data that is common in purpose or function.
When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used.
5. Evaluating Impact
Data classification reflects the level of impact to Random Team if confidentiality, integrity, or availability is compromised.
In some situations, the appropriate classification may be more obvious, such as when European laws require Random Team to protect certain types of data (e.g., personally identifiable information).
If the appropriate classification is not inherently obvious, consider each security objective (confidentiality, integrity, availability) using the following table as a guide. The table is an excerpt from NIST 600-800, which discusses the categorization of information and information systems.
Appendix A: Predefined Restricted Data
Authentication verifiers:
Passwords
Shared secrets
Cryptographic private keys
Personally Identifiable Information (PII)
For our customers’ users:
Email
First Name
Last Name
IP Addresses
For Random Team employees only:
Email
First Name
Last Name
IP Addresses
Geographical address
Financial information (account number, IBAN)
Social security number
Phone number