
IS-02 Information Classification Policy

Last updated: 24 October 2024 at 11:36:19 UTC by Russell Briggs

Information Classification Policy

Document Ref No: IS-02
Version No: V1
Last review date: 14/10/2021
Approved by: Dom Tyler
Next review: 14/10/2022

Contents

1. Purpose, scope and users
2. Classified information
2.1. Classification of information
2.1.1. Classification criteria
2.1.2. Confidentiality levels
2.1.3. Authorised Persons
2.1.4. Reclassification
2.2. Information labelling
2.3. Handling classified information
3. Information Retention
4. Document management
5. Version history

1. Purpose, scope and users

The purpose of this document is to ensure that Recycly information and data are protected at an appropriate level.

This document applies to the entire Information Security Management System (ISMS) scope, i.e. to all types of information, regardless of the form – paper or electronic documents, applications and databases, people's knowledge, etc.

Users of this document are all Recycly employees.


2. Classified information

2.1. Classification of information

2.1.1. Classification criteria

The level of confidentiality is determined based on the following criteria:

- sensitivity and criticality of information
- legal and contractual obligations

2.1.2. Confidentiality levels

All information is classified into confidentiality levels.

Public
  Labelling: (unlabelled)
  Classification criteria: making the information public cannot harm the organisation significantly.
  Access restriction: reasonable care and consideration.

Confidential
  Labelling: Confidential
  Classification criteria: unauthorised access to information may cause harm to Recycly and/or to the organisation's reputation. This would include commercially sensitive information, client data, work under NDA, and personal information covered by data protection law.
  Access restriction: this information is available only to individuals in the organisation with a business need and authorised 3rd parties.

2.1.3. Authorised Persons

Information classified as "Confidential" may only be accessed by persons with a genuine business need. If further clarification is required, the information owner may additionally create a ‘List of Authorised Persons’, in which the information owner specifies the job functions, groups or individuals who are authorised to access that information.

2.1.4. Reclassification

Asset owners must review the confidentiality level of their information assets annually and assess whether the confidentiality level can be changed.

2.2. Information Labelling

Where possible and practical, confidentiality levels should be labelled in the following way:

- paper documents – the confidentiality level is indicated in the footer of each document page; it is also indicated on the front of the cover or envelope carrying such a document, if used.
- electronic documents – the confidentiality level is indicated in the footer, on a cover page/tab or in the file name.
- electronic mail – a confidentiality notice should be included in the footer and subject line of all emails.
- electronic storage media (disks, memory cards, etc.) – the confidentiality level must be indicated on the top surface of such a medium.
- information transmitted orally – if it is reasonable to assume that the information receiver would not be aware of the confidentiality level of the information, it must be communicated prior to the information itself.

2.3. Handling classified information

All persons accessing classified information must follow the rules listed in the following table. Line management may initiate additional training or disciplinary action each time the rules are breached or if the information is communicated to unauthorised persons. Each incident related to handling classified information must be reported in accordance with the Incident Management Procedure.

Information assets may be taken off-premises only after obtaining authorisation in accordance with the Acceptable Use Policy.

The method for secure erasure and destruction of media is prescribed in the document Disposal and Destruction Policy.

CONFIDENTIAL

Paper documents
- only Authorised persons may have access
- if sent outside the organisation, the document confidentiality level should be communicated
- documents should only be kept in rooms without public access
- documents must immediately be removed from printers or fax machines
- the document must be stored in a lockable cabinet
- only authorised persons may copy the document
- only the document owner may authorise destruction of the document

Electronic documents
- documents must be stored on appropriate systems
- only Authorised persons may have access
- when files are exchanged via services such as FTP, instant messaging, etc., they must be encrypted
- access to the information system where the document is stored must be protected by strong passwords (as defined in the password policy) and 2FA where available
- the screen on which the document is displayed is subject to the clear desk and screen policy
- only persons with authorisation for the document may access the part of the information system where the document is stored
- only the document owner may authorise erasure of the document

Information systems
- only Authorised persons may have access
- access to the information system must be protected by a strong password (as defined in the password policy) and 2FA where available
- the screen on which the document is displayed is subject to the clear desk and screen policy
- the information system may only be located in rooms with controlled physical access
- data must be erased only with an algorithm which ensures secure deletion

Electronic mail
- only Authorised persons may have access
- the sender must carefully check the recipient
- all rules stated under "Information systems" apply

Electronic storage media
- only Authorised persons may have access
- media and files must be encrypted
- the medium may only be kept in rooms with controlled physical access
- media must be stored in a locked cabinet
- only the medium owner may erase or destroy the medium

Information transmitted orally
- only Authorised persons may have access to the information
- unauthorised persons must not be present in the room when the information is communicated
- the conversation must not be overheard by unauthorised persons

3. Information Retention

Information retention is defined by Recycly Data Protection Policies and the legal requirements for specific types of information such as company financial information and personnel records.

Information that has passed the retention period should be disposed of in accordance with the Data Disposal and Destruction Policy.

Financial Information
  Retention period: 6 years from the end of the financial year.
  Reason: legal compliance

Personnel Records
  Retention period: 6 years from termination or 6 months from unsuccessful application.
  Reason: legal compliance

Customer/Client Records
  Retention period: this should be clearly defined in a contract or data processing agreement.
  Reason: contractual obligation to data controllers.

4. Document management

This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.


5. Version history

Summary of Change   Date of Change   Author      Version No
First Draft         14/10/2021       Dom Tyler   1