APPENDIX B - Data Classification and Handling Guidelines
Pdf Summary
The Data Classification and Handling Guidelines document establishes Oakleaf's information security program around a four-level data classification scheme: Restricted, Confidential, Private, and Public. Each classification defines the sensitivity of the data, gives examples, describes the potential impact of loss, and sets specific handling requirements.

Classifications:
- Restricted: The most sensitive data, often protected by legal or contractual mandates, including Personally Identifiable Information (PII) and Non-Public Information (NPI) such as loan files and certain contracts. Unauthorized disclosure could cause significant damage, such as regulatory violations, legal exposure, or reputational harm.
- Confidential: Internally designated sensitive business information, including employee PII/NPI, accounting, payroll, and financial data. Loss could cause moderate damage, affecting competitive position and confidentiality.
- Private: Information owned by or entrusted to Oakleaf, shared only with authorized parties on a business-need basis; minimal or no damage is expected from unauthorized disclosure.
- Public: Freely shareable information; no damage is expected from disclosure.

General Principles:
- All employee-generated information defaults to Private unless otherwise classified.
- When data of different classifications is combined, the highest classification applies.
- Restricted, Confidential, and Private data must not be publicly disclosed, but may be shared with third parties under strict controls, including encryption, access approvals, and NDAs.
- Exceptions to these rules require CEO/CISO approval.

Handling Requirements Include:
- Encryption and logical/physical access controls for Restricted and Confidential data.
- For Restricted data, storage on mobile devices or in the cloud is prohibited; printing and faxing are highly restricted or forbidden.
- Confidential data may be stored in secure cloud environments, but storage on mobile devices is prohibited.
- For Private data, encryption and access controls are recommended, with fewer restrictions.
- Public data requires minimal or no special handling.

PII/NPI Definition: Data that combines a name with identifiers such as a Social Security Number, driver's license number, financial account numbers, or electronic health information.

Data Examples: Specific sensitive data types are mapped to classifications, guiding the protection of client-related data, employee information, financials, marketing, infrastructure, and strategic data. The policy is referenced by standards like ISO 27002 and NIST and is approved by Oakleaf's CEO and CISO, with version control and revision history documented.
Keywords
Data Classification
Information Security
Restricted Data
Confidential Data
Private Data
Public Data
PII
Data Handling Guidelines
Encryption
Access Controls