1. Purpose

• The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value and criticality to the organization, so sensitive corporate and customer data can be secured appropriately.

2. Scope

• This policy applies to any form of data, including paper documents and digital data stored on any type of media. It applies to all of the organisation’s employees, as well as to third-party agents authorized to access the data.

3. Definitions

• Data Owners:

The person who is ultimately responsible for the data and information being collected and maintained by his or her department, usually a member of senior management.

• Data Users:

Individuals and organizations that access data and information to perform their tasks & duties in the context of their work with Random Team.

4. Data classification

The categories of classification are:

Restricted: Highly sensitive data that if disclosed to unauthorized persons can can cause permanent damage to Random Team or its customers

Confidential: Sensitive business data that if disclosed to unauthorized persons can harm Random Team, its customers, partners, or employees.

Internal: Information that can be circulated only internally. Unauthorized disclosure of such information can lead to embarrassment and loss of competitive advantage.

Public: Information that can be viewed by anyone outside Random Team (i.e.: location of headquarters etc.)

• Data Owner may wish to assign a single classification to a collection of data that is common in purpose or function.

• When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used.

5. Evaluating Impact

• Data classification reflects the level of impact to Random Team if confidentiality, integrity, or availability is compromised.

• In some situations, the appropriate classification may be more obvious, such as when European laws require Random Team to protect certain types of data (e.g., personally identifiable information).

• If the appropriate classification is not inherently obvious, consider each security objective using the following table as a guide (excerpt from NIST 600-800) which discusses the categorization of information and information systems.

Appendix A : Predefined Restricted Data

• Authentication verifiers:

• Passwords

• Shared secrets

• Cryptographic private keys

• Personally Identifiable Information (PII)

• For our customers’ users:

• Email

• First Name

• Last Name

• IP Addresses

• For Random Team employees only:

• Email

• First Name

• Last Name

• IP Addresses

• Geographical address

• Finance Information (account number, IBAN)

• Social security number

• Phone number

‍