ClientsFirst data integrity, handling and security policy
The purpose of this policy is to establish management direction, procedural requirements, and technical guidance to ensure the appropriate handling of information and data by ClientsFirst staff.
This policy applies to all employees, contractors, consultants, temporary staff, volunteers, and other workers at ClientsFirst, including those workers affiliated with third parties who access ClientsFirst computer networks. Throughout this policy, the word “worker” will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by or administered by ClientsFirst.
Every worker who has access to ClientsFirst information, client information or information systems has an important information security role in the organisation. For example, each one of these workers is personally responsible for the protection of information that has been entrusted to their care. All workers who come into contact with sensitive information are expected to familiarise themselves with this data classification policy and to consistently use these same ideas in their daily ClientsFirst business activities. Sensitive information is either Confidential or Secret information, and both are defined later in this document. Although this policy provides overall guidance, to achieve consistent information protection, workers are expected to apply and extend these concepts to fit the needs of day – to – day operations. This document provides a conceptual model for classifying information based on its sensitivity, and an overview of the required approaches to protect information based on these same sensitivity classifications.
Addresses Major Risks
The ClientsFirst data classification system, as defined in this document, is based on the concept of need to know. This term means that information is not disclosed to any person who does not have a legitimate and demonstrable business need to receive the information. This concept, when combined with the policies defined in this document, will protect ClientsFirst information from unauthorized disclosure, use, modification, and deletion.
Consistent Approach Required
A single lapse in information security can have significant long-term consequences. Consistent use of this data classification system is essential if sensitive information is to be adequately protected. Without the consistent use of this data classification system, ClientsFirst unduly risks loss of customer relationships, loss of public confidence, internal operational disruption, excessive costs, and competitive disadvantage. This policy consistently protects sensitive information no matter what form it takes, what technology is used to process it, who handles it, where the information may be located, and in what stage of its life cycle the information may be.
This data classification policy is applicable to all information in the possession or under the control of ClientsFirst. For example, Confidential information entrusted to ClientsFirst by customers, business partners, suppliers, and other third parties must be protected with this data classification policy. Workers are expected to protect third – party information with the same care that they protect ClientsFirst information. No distinctions between the words “data,” “information,” “knowledge,” and “wisdom” are made for purposes of this policy.
System Access Controls
Access to all ClientsFirst sensitive computer-resident information must be protected by access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable. Traditional access control systems employ user IDs and fixed passwords, but these are currently being phased out in favour of more secure technologies such as dynamic passwords and biometrics. Whatever technology is employed, access must be controlled for each individual based on that individual’s need to know. The notion of the need to know includes not only viewing information, but other privileges such as modifying information or using information to complete a transaction. ClientsFirst access control systems must log which users accessed what sensitive data, and the time and date of each such access.
Access Granting Decisions
Access to ClientsFirst sensitive information must be provided only after the written authorization of the information Owner has been obtained. Custodians of the involved information must refer all requests for access to the relevant Owners or their delegates. Standard templates of system privileges are defined for all job titles, and Owners approve these privileges in advance. Special needs for other access privileges will be dealt with on a request-by-request basis.
Owners And Production Information
All production information types possessed by or used by a particular organizational unit within ClientsFirst must have a designated Owner. Production information is information routinely used to accomplish business objectives. Examples include payroll summaries, shipping schedules, and managerial cost accounting reports. Information Owners are responsible for assigning appropriate sensitivity classifications as defined below. Owners do not legally own the information entrusted to their care. They are instead designated members of the ClientsFirst management team who act as stewards, and who supervise the ways in which certain types of information are used and protected as described in the Data Ownership Policy.
This classification label applies to the most sensitive business information that is intended for use strictly within ClientsFirst. Its unauthorized disclosure could seriously and adversely impact ClientsFirst, its customers, its business partners, and its suppliers. Examples include merger and acquisition documents, corporate level strategic plans, litigation strategy memos, reports on breakthrough new product research, and Trade Secrets such as certain computer programs.
This classification label applies to less – sensitive business information that is intended for use within ClientsFirst. Its unauthorized disclosure could adversely impact ClientsFirst or its customers, suppliers, business partners, or employees. Information that some people would
consider to be private is included in this classification. Examples include employee performance evaluations, customer transaction data, strategic alliance agreements, unpublished internally – generated market research, computer passwords, identity token personal identification numbers, and internal audit reports.
FOR INTERNAL USE ONLY
This classification label applies to all other information that does not clearly fit into the previous two classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact ClientsFirst or its employees, suppliers, business partners, or its customers. Examples include the ClientsFirst telephone directory, dial – up computer access numbers, new employee training materials, and internal policy manuals.
This classification applies to information that has been approved by ClientsFirst management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases.
Consistent Classification Labelling
If information is sensitive, from the time it is created until the time it is destroyed or declassified, it must be labelled with an appropriate data classification designation. Such markings must appear on all manifestations of the information, such as hard copies, floppy disks, and CD – ROMs. Workers must not remove or change data classification system labels for sensitive information unless the permission of the Owner has been obtained.
What Gets Labelled
The vast majority of ClientsFirst information falls into the Internal Use Only category. For this reason, it is not necessary to apply a label to Internal Use Only information. Information without a label is by default classified as Internal Use Only.
Workers who create or update a collection of information are responsible for choosing an appropriate data classification label for the new collection. This label must be consistent with the decisions made by the relevant Owners and generally should be the most restricted classification level found in the collection. For example, if a new database is being created, and if it contains Internal Use Only and Confidential information, then the entire database must be classified as Confidential. Other examples of such collections include an internally generated competitive intelligence report, management decision background reports, and access-controlled intranet pages. At the time that it is being compiled, every worker creating a new collection of this nature must notify the involved information Owner about the creation of their new collection.
If information recorded on computer storage media with a higher sensitivity classification is moved to media with a lower sensitivity classification, then the media with the lower sensitivity classification must be upgraded so that its classification reflects the highest sensitivity classification. For example, if information labelled Secret were to be placed on a floppy disk containing information with no label, then the floppy disk must immediately be reclassified as Secret. If information with several different data classification levels is resident on a single computer, then the system controls must reflect the requirements associated with most restrictive data classification level. In general, because it increases handling costs and operational complexity, commingling information with different sensitivity classifications is discouraged.
Labels For Externally – Supplied Information
With the exception of general business correspondence and copyrighted software, all externally – provided information that is not clearly in the public domain must receive a ClientsFirst data classification system label. The ClientsFirst worker who receives this information is responsible for assigning an appropriate classification on behalf of the external party. When assigning a ClientsFirst classification label, this staff member must preserve copyright notices, author credits, guidelines for interpretation, and information about restricted dissemination.
All printed, handwritten, or other paper manifestations of sensitive information must have a clearly – evident sensitivity label on the upper right hand corner of each page. If bound, all paper manifestations of sensitive information must have an appropriate sensitivity label on the front cover, the title page, and the rear cover. The cover sheet for faxes containing sensitive information must contain the appropriate classification label. Microfiche and microfilm also must contain labels if they contain sensitive information.
Labelling Computer Storage Media
All CD – ROMs, floppy disks, and other computer storage media containing sensitive information must be externally labelled with the appropriate sensitivity classification. Unless it would adversely affect the operation of an application program, computer files containing sensitive information must also clearly indicate the relevant classification label in the first two data lines.
If information is sensitive, all instances in which it is displayed on a screen or otherwise presented to a computer user must involve an indication of the information’s sensitivity classification. Teleconferences and telephone conference calls where sensitive information will be discussed must be preceded by a statement about the sensitivity of the information involved.
Third – Party Interactions
Third Parties And The Need To Know
Unless it has been specifically designated as Public, all ClientsFirst internal information must be protected from disclosure to third parties. Third parties may be given access to ClientsFirst internal information only when a demonstrable need to know exists, and when such a disclosure has been expressly authorized by the relevant ClientsFirst information Owner. Contractors, consult – ants, temporaries, volunteers and every other type of individual or entity that is not a ClientsFirst employee, is by definition a third party for purposes of this policy.
Disclosures To Third Parties And Non – Disclosure Agreements
The disclosure of sensitive information to consultants, contractors, temporaries, or any other third parties must be preceded by the receipt of a signed ClientsFirst non-disclosure agreement.
Disclosures of ClientsFirst sensitive information to these third parties must be accompanied by a running log indicating exactly what type of information was provided. This log will be important when the time arrives to recover these materials or obtain a letter certifying destruction of the materials at the end of a contract.
Disclosures From Third Parties And Non – Disclosure Agreements
Workers must not sign non-disclosure agreements provided by third parties without the authorization of ClientsFirst legal counsel designated to handle intellectual property matters. These forms may contain terms and conditions that unduly restrict the future business directions of ClientsFirst.
Third-Party Requests For ClientsFirst Information
Unless a worker has been authorized by the information Owner to make public disclosures, all requests for information about ClientsFirst and its business must be referred to Public Relations. Such requests include questionnaires, surveys, and newspaper interviews. This policy does not apply to sales and marketing information about ClientsFirst products and services, nor does it pertain to customer support calls.
If sensitive information is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, the information Owner and the manager of the Information Security department must be notified immediately.
Destruction And Disposal
Destruction And Disposal
All ClientsFirst information must be destroyed or disposed of when no longer needed for business purposes. To support this policy, information Owners must review the continued value and usefulness of information on a periodic basis.
Destruction And Locked Boxes
All sensitive information no longer being used or no longer needed must be placed in designated locked metal boxes until such time as authorized ClientsFirst personnel or a bonded destruction service picks it up. If no locked disposal boxes are in the immediate vicinity, sensitive information in hardcopy form must be either shredded or incinerated, while sensitive information in all other forms must be delivered to the Physical Security department for secure destruction. The shredders used for this purpose must create confetti or other similar small particles. Strip – cut shredders must not be used for this purpose. Erasing or reformatting magnetic media such as floppy disks is not an acceptable data destruction method. The use of overwriting programs approved by the Information Security department is permissible as a way to destroy sensitive information on magnetic storage media such as floppy disks. Only after these programs have been used can storage media containing sensitive information be reused, trashed, recycled, or donated to charity.
Workers must not destroy or dispose of potentially important ClientsFirst records or information without specific advance management approval. Unauthorized destruction or disposal of ClientsFirst records or information will subject the worker to disciplinary action including termination and prosecution. Records and information must be retained if they are likely to be needed in the future, regulation or statute requires their retention, or they are likely to be needed for the investigation or prosecution of unauthorized, illegal, or abusive acts. Any questions about data destruction must be referred to the information Owner or the Owner’s delegate.
Workers may destroy ClientsFirst records when approval has been granted by verbal instructions from the Owner or the Owner’s delegate, an Information Security department or Archive department memo detailing the type of records that may be destroyed and when, or the records retention and disposition schedule issued by the Legal department. Destruction is defined as any action that prevents the recovery of information from the storage medium on which it is recorded.
All materials used in the handling of sensitive information, which could be analyzed to deduce sensitive information, must be destroyed in a manner similar to that required for sensitive information. This policy covers typewriter ribbons, carbon paper sheets, mimeograph stencil masters, photographic negatives, aborted computer hardcopy output, and unacceptable photocopies.
All waste copies of Secret information that are generated in the course of copying, printing, or other sensitive information handling must be destroyed according to the instructions found in this policy. If a copy machine jams or malfunctions when workers are making copies of Secret information, the involved workers must not leave the machine until all copies of the information are removed from the machine or destroyed beyond recognition.
Equipment Disposal Or Servicing
Before computer or communications equipment is sent to a vendor for trade, servicing, or disposal, all ClientsFirst sensitive information must be destroyed or concealed according to methods approved by the Information Security department. Internal hard drives and other computer storage media may not be donated to charity, disposed of in the trash, or otherwise recycled unless they have been subjected to overwriting processes approved by the Information Security department.
Access to every office, computer room, and work area containing sensitive information must be physically restricted. Management responsible for the staff working in these areas must consult the Physical Security department to determine the appropriate access control method.
Locked When Not In Use
When not in use, sensitive information must be protected from unauthorized disclosure. When left in an unattended room, such information must be locked in appropriate containers. If a Custodian of such information believes he or she will be away for less than 30 minutes, the information may be left on a desk or in some other readily – observed spot only if all doors and windows to the unattended room are closed and locked.