APPENDIX B - Data Classification and Handling Guidelines
PDF Summary
The document is a guideline for data classification and handling within Oakleaf’s Information Security Program, outlining a four-level data classification scheme: Restricted, Confidential, Private, and Public. The classifications are defined based on the sensitivity and potential impact of unauthorized disclosure.

**Restricted Data** is highly sensitive, subject to legal and contract obligations, and includes Personally Identifiable Information (PII) and Non-Public Information (NPI). Unauthorized access could cause significant damage, such as regulatory violations and legal exposure. It requires stringent handling controls like encryption, restricted physical access, prohibition from mobile and cloud storage, and senior management approval for printing.

**Confidential Data** is valuable business information, such as employee data and financial details, and is internally classed by Oakleaf. Unauthorized disclosure could result in moderate damage, impacting competitive standing and contractual compliance. Handling includes encryption, restricted access, and secure cloud storage with senior management oversight for certain actions like printing and third-party release.

**Private Data** represents Oakleaf’s proprietary information that, if mishandled, poses minimal risk of damage. Encryption is recommended along with logical access controls and specific protocols for distribution and disposal.

**Public Data** is freely shared without special handling requirements, posing no risk to the business.

Overall, the document specifies general practices, including the default classification of information as Private unless designated otherwise. It emphasizes the importance of maintaining coherent security controls when migrating data to different formats or media, the necessity of senior approval for exceptions, and adhering to client-specific security requirements. Detailed handling requirements for each classification are prescribed to safeguard information integrity across its lifecycle, with appropriate labeling and access rights management to mitigate risk.
Keywords
data classification
information security
restricted data
confidential data
private data
public data
encryption
access controls
data handling
risk mitigation