IS-02 Information Classification Policy
Last updated: 24 October 2024 at 11:36:19 UTC by Russell Briggs
Information Classification Policy
| Document Ref No | IS-02 |
| Version No | V1 |
| Last review date | 14/10/2021 |
| Approved by | Dom Tyler |
| Next review | 14/10/2022 |
Contents
1. Purpose, scope and users
2. Classified information
2.1. Classification of information
2.1.1. Classification criteria
2.1.2. Confidentiality levels
2.1.3. Authorised Persons
2.1.4. Reclassification
2.2. Information labelling
2.3. Handling classified information
3. Information Retention
4. Document management
5. Version history
1. Purpose, scope and users
The purpose of this document is to ensure that Recycly information and data are protected at a level appropriate to their sensitivity.
This document applies to the entire Information Security Management System (ISMS) scope, i.e. to all types of information, regardless of the form – paper or electronic documents, applications and databases, people's knowledge, etc.
Users of this document are all Recycly employees.
2. Classified information
2.1. Classification of information
2.1.1. Classification criteria
The level of confidentiality is determined based on the following criteria:
● sensitivity and criticality of information
● legal and contractual obligations
2.1.2. Confidentiality levels
All information is classified into one of the following confidentiality levels.

| Confidentiality level | Labelling | Classification criteria | Access restriction |
| Public | (unlabelled) | Making the information public cannot harm the organisation significantly. | Reasonable care and consideration. |
| Confidential | Confidential | Unauthorised access to the information may cause harm to Recycly and/or to the organisation's reputation. This includes commercially sensitive information, client data, work under NDA, and personal information covered by data protection law. | Available only to individuals in the organisation with a business need and to authorised third parties. |
2.1.3. Authorised Persons
Information classified as "Confidential" may only be accessed by persons with a genuine business need. If further clarification is required, the information owner may additionally create a ‘List of Authorised Persons’, in which the information owner specifies the job functions, groups or individuals who are authorised to access that information.
2.1.4. Reclassification
Asset owners must review the confidentiality level of their information assets annually and assess whether the confidentiality level can be changed.
2.2. Information Labelling
Where possible and practical, confidentiality levels should be labelled in the following way:
● paper documents – the confidentiality level is indicated in the footer of each document page; it is also indicated on the front of the cover or envelope carrying such a document, if used.
● electronic documents – the confidentiality level is indicated in the footer, on a cover page/tab or in the file name.
● electronic mail – a confidentiality notice must be included in the footer and the subject line of all emails carrying Confidential information.
● electronic storage media (disks, memory cards, etc.) – the confidentiality level must be indicated on the top surface of the medium.
● information transmitted orally – if it is reasonable to assume that the information receiver would not be aware of the confidentiality level of information, it must be communicated prior to the information itself.
2.3. Handling classified information
All persons accessing classified information must follow the rules listed in the following table. Line management may initiate additional training or disciplinary action each time the rules are breached or if the information is communicated to unauthorised persons. Each incident related to handling classified information must be reported in accordance with the Incident Management Procedure.
Information assets may be taken off-premises only after obtaining authorisation in accordance with the Acceptable Use Policy.
The method for secure erasure and destruction of media is prescribed in the document Disposal and Destruction Policy.
Handling rules for CONFIDENTIAL information

Paper documents
● only Authorised persons may have access
● if sent outside the organisation, the document's confidentiality level must be communicated to the recipient
● documents may only be kept in rooms without public access
● documents must immediately be removed from printers or fax machines
● the document must be stored in a lockable cabinet
● only Authorised persons may copy the document
● only the document owner may authorise destruction of the document

Electronic documents
● documents must be stored on appropriate systems
● only Authorised persons may have access
● when files are exchanged via services such as FTP, instant messaging, etc., they must be encrypted
● access to the information system where the document is stored must be protected by strong passwords (as defined in the password policy) and 2FA where available
● the screen on which the document is displayed is subject to the clear desk and screen policy
● only persons with authorisation for the document may access the part of the information system where the document is stored
● only the document owner may authorise erasure of the document

Information systems
● only Authorised persons may have access
● access to the information system must be protected by a strong password (as defined in the password policy) and 2FA where available
● the screen on which the information is displayed is subject to the clear desk and screen policy
● the information system may only be located in rooms with controlled physical access
● data must be erased only with a method that ensures secure deletion

Electronic mail
● only Authorised persons may have access
● the sender must carefully check the recipient before sending
● all rules stated under "Information systems" apply

Electronic storage media
● only Authorised persons may have access
● media and files must be encrypted
● the medium may only be kept in rooms with controlled physical access
● media must be stored in a locked cabinet
● only the medium owner may erase or destroy the medium

Information transmitted orally
● only Authorised persons may have access to the information
● unauthorised persons must not be present in the room when the information is communicated
● the conversation must not be capable of being overheard by unauthorised persons
3. Information Retention
Information retention is defined by Recycly Data Protection Policies and the legal requirements for specific types of information such as company financial information and personnel records.
Information that has passed the retention period should be disposed of in accordance with the Data Disposal and Destruction Policy.
| Information type | Retention period |
| Financial Information | 6 years from the end of the financial year. Reason – legal compliance. |
| Personnel Records | 6 years from termination of employment, or 6 months from an unsuccessful application. Reason – legal compliance. |
| Customer/Client Records | As defined in the relevant contract or data processing agreement. Reason – contractual obligation to data controllers. |
4. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
5. Version history
| Summary of Change | Date of Change | Author | Version No |
| First Draft | 14/10/2021 | Dom Tyler | 1 |