INFORMATION CLASSIFICATION MATRIX AND HANDLING GUIDE

Topic starter: @taichi (Member, joined 5 years ago)

https://www.iso27001security.com/ISO27k_Information_classification_matrix.xlsx

Note: this classification scheme only relates to the confidentiality of the information. Similar schemes are feasible for integrity and availability requirements.

CATEGORY: PUBLIC or open
  DESCRIPTION: Information that may be broadly distributed without causing damage to the organization, its employees and stakeholders. The [PR Office/Marketing Dept/Information Security Management dept/etc.] must pre-approve the use of this classification. These documents may be disclosed or passed to persons outside the organization.
  SAMPLE DOCUMENTS/RECORDS: Marketing materials authorized for public release such as advertisements, brochures, published annual accounts, Internet Web pages, catalogues, external vacancy notices.
  MARKING: None.
  PHYS & ADMIN CONTROLS: None.
  REPRODUCTION: Unlimited.
  DISTRIBUTION: No restrictions.
  DESTRUCTION/DISPOSAL: Recycling/trash.

CATEGORY: INTERNAL or proprietary
  DESCRIPTION: Information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient. Disclosure to anyone outside of [Company name] requires management authorization. Most corporate information falls into this category.
  SAMPLE DOCUMENTS/RECORDS: Departmental memos, information on internal bulletin boards, training materials, policies, operating procedures, work instructions, guidelines, phone and email directories, marketing or promotional information (prior to authorized release), investment options, transaction data, productivity reports, disciplinary reports, contracts, Service Level Agreements, internal vacancy notices, intranet Web pages.
  MARKING: "INTERNAL USE ONLY". Apply to bottom left corner of each page.
  PHYS & ADMIN CONTROLS:
    Author: responsible for proper markings.
    User: responsible for proper storage and document control.
  REPRODUCTION: Limited copies may be made only by employees, or by contractors and third parties who have signed an appropriate nondisclosure agreement.
  DISTRIBUTION:
    Internal: use an internal mail envelope.
    External: use a sealed envelope.
    Electronic: use internal email system. Encryption is required for transmission to external email addresses.
    FAXing: take care over the FAX number!
  DESTRUCTION/DISPOSAL:
    Paper documents: shred.
    Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal.

CATEGORY: CONFIDENTIAL or restricted
  DESCRIPTION: Highly sensitive or valuable information, both proprietary and personal. Must not be disclosed outside of the organization without the explicit permission of a Director-level senior manager.
  SAMPLE DOCUMENTS/RECORDS: Passwords and PIN codes, VPN tokens, credit and debit card numbers, personal information (such as employee HR records, Social Security Numbers), most accounting data, other highly sensitive or valuable proprietary information.
  MARKING: "CONFIDENTIAL". Apply to bottom left corner of each page.
  PHYS & ADMIN CONTROLS:
    Originator: responsible for ensuring that confidential information is distributed on a strict need-to-know basis.
    Recipient: responsible for ensuring that confidential information is encrypted and/or kept under lock & key when not in use.
  REPRODUCTION: Limited copies may be made only by permission of originator or his/her designates. A signed authorization slip will be presented.
  DISTRIBUTION:
    Internal: use a sealed envelope inside an internal mail envelope. Hand deliver if possible.
    External: use a plain sealed envelope. Hand deliver or send by registered mail, courier etc.
    Electronic: use internal email system only. Encrypt data.
    FAXing: requires phone confirmation of receipt of a test page immediately prior to sending the FAX, and phone confirmation of full receipt.
  DESTRUCTION/DISPOSAL:
    Paper documents: shred using an approved cross-cut shredder.
    Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops etc. to IT for appropriate disposal.
