Sunday, November 13, 2011

INFORMATION SENSITIVITY POLICY

By John Kyriazoglou* (author’s credentials at the end of this document)

The primary objective of the Information Sensitivity Policy is to provide guidelines for classifying the information collected and processed by an organization's information systems. This example may be used for educational purposes only, and it should be amended to suit the particular organization's legal and regulatory requirements and operating conditions before it is put to effective use and implemented in a real environment. The author assumes no responsibility whatsoever for the contents, suitability and accuracy of this policy.

An example of such a policy is described next.

Company 'XYZ-Fictitious Enterprise Corporation' Information Sensitivity Policy

1. Purpose

The Information Sensitivity Policy of 'XYZ-Fictitious Enterprise Corporation' (referred to as the Company from now on) is intended to help management and staff of a corporate entity determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of <Company> without proper authorization.

2. Coverage

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

3. Classification Definitions

All <Company> information is categorized into three main classifications: <Company> Public, <Company> Confidential, or <Company> Restricted.

<Company> Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to <Company>.

<Company> Confidential contains all other information that is not public or restricted, such as information stored in computer files and network servers, telephone directories, general corporate information, personnel information, etc., which is nevertheless critical to the everyday activities of the company.

<Company> Restricted contains information that is more sensitive than other information, and should be protected in a more secure manner. This information includes: trade secrets, development programs, patents, copyrighted material, potential acquisition targets, and other information integral to the success of the company.

This classification, for all digital and non-digital information of the organization, should be carried out initially and then reviewed and improved periodically by a management mechanism that includes: (a) Information Owners, (b) Information Systems Managers, and (c) the Security Manager, with the support and advice of other corporate officers, such as the data privacy officer, compliance officer, etc.

4. Encryption of Information

All <Company> Confidential and <Company> Restricted information should be encrypted in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex, and corporate guidelines on export controls on cryptography should be followed. Consult your manager and/or corporate legal services for further guidance.

5. Sensitivity Guidelines

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels.

5.1. <Company> Public: This relates to general corporate information and some personnel and technical information of a generalized nature.

Access: This information should be available to <Company> employees, contractors, and people with a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and approved electronic file transmission methods. Distribution of this information outside of <Company's> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and approved electronic file transmission methods. If this information is distributed electronically, it should be sent only to approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls where possible and appropriate.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed.
5.2. <Company> Confidential: Business, financial, technical, and most personnel information.

Access: This information should be available to <Company> employees, contractors, and people with signed non-disclosure agreements who have a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and approved electronic file transmission methods. Distribution of this information outside of <Company's> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and approved electronic file transmission methods. If this information is distributed electronically, it should be sent only to approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed. All these actions should be authorized, recorded and reported.
5.3. <Company> Restricted: Trade secrets and marketing, operational, personnel, financial, source program code, and technical information integral to the success of <Company>.

Access: This information should be available only to <Company> staff with signed non-disclosure agreements who have specific board authorization. All accesses to this type of information should be recorded and reported.

Distribution within <Company>: This information should be delivered directly to the approved recipient against their signature. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Distribution outside of <Company> internal mail: This information should be delivered directly, by approved private carriers, to the approved recipient against their signature. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Storage: Individual access controls to this information should be enforced for electronic information. Appropriate physical security measures should be used, and electronic information should be encrypted and stored on a physically secured computer.

Disposal/Destruction: Paper copies of this information should be physically destroyed by paper shredders or other specialized destruction devices. Digital media should be cleared and erased before disposal. All these actions should be authorized, recorded and reported.
6. Business Connections

Access to <Company> computers and information systems by business partners, competitors and unauthorized external personnel must be restricted so that, in the event of an attempt to access <Company> corporate information, the amount of information at risk is minimized. Connections may be set up to allow others (business partners, etc.) to see only what they need to see, and only when specifically authorized by the board. Unauthorized personnel should only have access to information classified as <Company> Public, and only after recording their details and their reasons for accessing this information. This involves configuring both applications and the network to allow access to only what is necessary. All these actions should be recorded and reported.
7. Penalties

The penalty for deliberate or inadvertent disclosure of any information by any staff member (management, board, professional staff, line employee, etc.) found to have violated this policy may include disciplinary action, up to and including termination of employment, and possible civil and/or criminal prosecution to the full extent of the law.

8. Responsibility of Management

All <Company> personnel should use these guidelines in securing <Company> Restricted and <Company> Confidential information to the fullest extent possible. All department heads are responsible for supervising the classification of all the information managed by their function. A register of such files should be maintained and reported to the senior management of the company. If a manager is not certain of the classification to be applied, he or she should contact a higher level of authority (such as the CEO, Ethics Committee, Compliance Committee, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company.

9. Responsibility of Staff

If an employee is uncertain of the sensitivity of a particular piece of information, he or she should contact their manager. If an employee feels that their manager is not following these guidelines, he or she should contact a higher level of authority (such as the CEO, Compliance Committee, Ethics Office, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company.

10. Responsibility of Compliance Officer  

It is the responsibility of the compliance officer to provide guidance to all personnel on the use of these guidelines, and to ensure that these guidelines are complied with. The compliance officer should also report all compliance-related activities to both the compliance committee and the board, on the basis of the company's reporting standards.

*Author's Credentials

John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book 'IT STRATEGIC & OPERATIONAL CONTROLS' (published in 2010 by www.itgovernance.co.uk), and co-author of the book 'CORPORATE CONTROLS' (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.