EBSCO Industries Data Classification and Handling Policy PDF
Document Details
Uploaded by Deleted User
Tags
Related
Summary
This document is an EBSCO Industries publication outlining a data classification and handling policy. It defines how data is categorized, handled, and protected based on its importance. The document covers aspects such as data classification criteria, policy provisions, and enforcement procedures.
Full Transcript
DATA CLASSIFICATION AND HANDLING POLICY EBSCO Industries Publication Abstract Designed to define how data is identified, classified, labeled, properly handled, an...
DATA CLASSIFICATION AND HANDLING POLICY EBSCO Industries Publication Abstract Designed to define how data is identified, classified, labeled, properly handled, and protected in accordance with its importance and potential impact to EBSCO Industries Inc.. CorpIT Information Security CORPORATE IT - INFORMATION SECURITY Data Classification and Handling Policy Contents 1. Purpose............................................................................................................... 2 2. Scope................................................................................................................... 2 3. Review Frequency.............................................................................................. 2 4. Document References........................................................................................ 2 5. Definitions........................................................................................................... 2 6. Policy Provisions................................................................................................ 3 7. Changes.............................................................................................................. 4 8. Enforcement........................................................................................................ 4 9. Policy Priority..................................................................................................... 4 10. Monitoring........................................................................................................... 4 Page 1 of 4 CORPORATE IT - INFORMATION SECURITY Data Classification and Handling Policy 1. Purpose This policy establishes the framework and guidelines for classifying and handling data within the organization to ensure its confidentiality, integrity, and availability in accordance with its importance and potential impact to EBSCO Industries Inc. (Company). Data must be properly handled throughout its entire lifecycle, from creation to disposal. The importance of such information varies and therefore requires different levels of protection. 2. Scope This policy applies to all people, processes and technology that constitutes the Company Information systems, including board members, directors, employees, suppliers and other third parties who have access to Company systems. 3. Review Frequency This document is reviewed annually or upon significant changes to the organization, business, or customer environments. 4. Document References 4.1 Data Classification and Handling Manual 4.2 Media Sanitization and Disposal Policy. 4.3 Information Security Policy 5. Definitions 5.1. Public: Data that is open to public consumption and readily available through public sources. 5.2. Internal: Data that is not intended to be shared with the public and should generally not be disclosed outside the Company, such as internal emails and documentation not otherwise categorized as Confidential or Restricted. By default, Company data is considered at least Internal, unless it rises to the level of Confidential or Restricted. 5.3. Confidential: Data that could adversely affect the Company or an individual if made available to unauthorized parties, such as the technical specifications of a new product or Company financial information. This also includes information the Company has a contractual, legal, or regulatory obligation to keep confidential but does not rise to the level of Restricted. 5.4. Restricted: Data that the Company has a contractual, legal, or regulatory obligation to safeguard in the most stringent manner. This includes personal information that, in some cases, could require notifications to affected individuals or authorities in the case of unauthorized disclosure or loss of this data. 5.5. Principle of Least Privilege: A fundamental security concept that emphasizes restricting access rights and permissions for users, processes, or systems to the minimum level necessary to perform their legitimate tasks or functions. Page 2 of 4 CORPORATE IT - INFORMATION SECURITY Data Classification and Handling Policy 6. Policy Provisions 6.1. Data Classification 6.1.1. Criteria for classifying data shall include the level of confidentiality, the degree of access control required, the potential impact of unauthorized disclosure, and the regulatory or contractual obligations associated with the data. 6.1.2. All employees are responsible for: 6.1.3.1. Understanding what constitutes Public, Internal, Confidential, and Restricted information. 6.1.3.2. Managing information consistent with the criticality of and the requirements for confidentiality and integrity associated with the data. 6.1.3. All Company information whether at rest or in transit must be classified into one of the four data classification categories. 6.1.4. Employees shall receive training annually and guidance on data classification policies, including examples of data types and scenarios for each classification level, to ensure consistent application of classification criteria. 6.1.5. The organization will establish mechanisms for monitoring and auditing compliance with data classification policies to ensure adherence to established guidelines and procedures. 6.1.6. Regular reviews of access logs, security incidents, and data handling practices shall be conducted to identify deviations from policy requirements and potential security risks. 6.2. Data Handling 6.2.1. Access to data shall be restricted to authorized personnel based on the Principle of Least Privilege. 6.2.2. All data must be protected to prevent loss, theft, unauthorized access, and/or unauthorized disclosure. 6.2.3. Encryption mechanisms shall be used to protect data from unauthorized access or disclosure. Data storage solutions shall adhere to industry best practices and compliance requirements, ensuring data integrity and protection. 6.2.4. All data must be destroyed in accordance with the company’s Media Sanitization and Disposal Policy. 6.2.5. Any unauthorized disclosure, theft, or loss of Internal, Confidential, or Restricted data must be immediately reported to Corporate Information Security. 6.2.6. Non-disclosure agreements are required when working with third-party vendors before Internal, Confidential, and Restricted data is shared outside the Company. Page 3 of 4 CORPORATE IT - INFORMATION SECURITY Data Classification and Handling Policy 7. Changes This policy may change at any time to ensure data protection is maintained effectively. Current versions will be maintained in PolicyTech unless another type of notice is required by applicable laws. 8. Enforcement Failure to comply with these guidelines as well as any applicable Company policies, procedures, security controls or applicable regulations could result in disciplinary action against the individual including verbal or written warnings, removal of system access, reassignment to other duties, suspension, termination, and criminal or civil prosecution. Employees may report any violations or concerns related to this Policy through the Corporate IT GRC Department or the Legal Department without fear of retaliation. 9. Policy Priority This corporate policy takes precedence over all policies derived from or published by business units or other EBSCO affiliated companies. In the event of a conflict between terms of the policies, the corporate policy will apply. 10. Monitoring Corporate Information Security will verify compliance of this policy through various methods, including periodic review, business tool reports, internal and external audits, and feedback to the policy owner. Page 4 of 4