Information labelling and Handling ISO 27001:2013



        Information Labelling and handling policy 



1) Scope :-
This document sets out the policy and rules for proper information labelling and handling to be followed at “COMPANY NAME”. This policy applies to employees, contractors, consultants, temporary staff and other workers at “COMPANY NAME”, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by “COMPANY NAME”.

2) Purpose :-

The purpose of this information labelling and handling policy is to ensure data protection, so that important and business-critical “COMPANY NAME” records are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements. This policy requires that all information be properly classified, as per the classification specified in this document, and that the procedures specified here be followed so that the proper level of protection is applied to each criticality level of information.

3) Policy Section and Clauses :-

3.1 Information Classification
 
The following classes of information exist, depending on the sensitivity of information, and its importance to the business:

CONFIDENTIAL 
INTERNAL
PUBLIC

Confidential :-

This classification applies to the most sensitive business information, which is intended strictly for use within “COMPANY NAME”. Its unauthorized disclosure could seriously and adversely impact “COMPANY NAME”, its business partners and/or its customers, leading to legal and financial repercussions and adverse public opinion.

Example -
Information/Data/Documents:
Salary-related documents, correspondence, employee records, statements of accounts, proposals, estimates, monthly performance reports, “COMPANY NAME” data, clients’ SLAs etc., information security policies and procedures.

Internal :-
Information approved for internal circulation within the organization, where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to the organization’s credibility. While its unauthorized disclosure is against policy, it may be used freely within “COMPANY NAME”, and disclosure outside “COMPANY NAME” is to be done only with clear authorization.

Example -
Training materials, IP addresses, internal operational procedures etc.


Public :-
This classification applies to information which has been explicitly approved by “COMPANY NAME” management for release to the public. There is no such thing as unauthorized disclosure of this information and it may be freely disseminated without potential harm.

Example:-
Website Content, advertisements, job opening announcements, and press releases


Information security policies and procedures documents will be published on the “COMPANY NAME” Ltd. intranet portal for the benefit of employees and onsite third-party vendors. These documents can also be shared with clients or customers for audit-related requests with formal management approval.

3.2 Handling Procedures:-

Information can be stored in various ways, including:
Hard drives
USB drives
CDs
Printouts

Information can be transmitted in various ways including:
Physically, e.g. in hard copy
Over email
Over SFTP 
Over the phone


CONFIDENTIAL
        Storage
Should be clearly labelled as “Confidential”, in the footer or on the cover page of a Word/Excel/PowerPoint document, or by writing on the CD/external hard disk (if used).
Should not be stored on a Shared Folder (only allowed as per business requirement with restricted access) 
Should be stored on a central file server with strictly restricted access.

        Transmission
Should be encrypted if being transmitted outside the “COMPANY NAME” network.
Should be encrypted if being sent on storage media to a destination outside the “COMPANY NAME” office.

        Disposal
The disk should be cleanly formatted.
The CD (if used) should also be cleanly formatted and broken before disposal.
The hard disk should be cleanly formatted.
Paper documents and reports should be shredded.

INTERNAL
        Storage
Should be clearly labelled as “Internal”, in the footer or on the cover page of a Word/Excel/PowerPoint document.
May be stored on the file server with file/folder permissions allowing anyone within “COMPANY NAME” access to the documents.

        Transmission
Internal information may be transmitted within “COMPANY NAME”, but not outside.

        Disposal
No special requirements


PUBLIC
        Storage
Public information affects the image and reputation of “COMPANY NAME”.
Public information should be checked to make sure it does not damage the reputation or image of “COMPANY NAME”.
Information may be declared ‘PUBLIC’ only after authorization from senior management.
Public information may be disclosed on the Internet or in brochures or other forms of public communication.

        Transmission
No special requirements

        Disposal
No special requirements


Every piece of information (printed reports, documents, electronic records etc.) must have an owner. The owner of the information is responsible for classifying the document as per the classification described above. The owner must ensure that the document is properly controlled during storage, transmission and disposal. The owner may decide to downgrade the classification.



3.3 Information Exchange with Third-Parties

At various stages, information produced by the organization needs to be exchanged in various forms with other organizations. The means and methods adopted for exchange of such information must be secured to protect the confidentiality, integrity and availability of such information. 

The controls for information exchange with third-party organizations are as follows:

1) If the information is classified as Confidential, it must be marked ‘CONFIDENTIAL’ before being transmitted.

2) If it is being couriered, then it must be placed in a sealed envelope, and labelled clearly.

3) A confidentiality agreement must be signed with the third parties.

4. Enforcement

Necessary disciplinary action will be taken against any employee not following the policies and procedures laid down by “COMPANY NAME”’s code of conduct. 

Similarly, action will be taken against those employees encouraging/observing such an activity and not reporting the same to the concerned authority.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment as per the “COMPANY NAME” code of conduct.

5. ISMS Control Reference

This policy is based on the following Annex A controls of the international security standard ISO 27001:2013:

A.8.2.1 Classification of information
A.8.2.2 Labelling of information
A.8.2.3 Handling of assets
A.8.3.1 Management of removable media 
A.8.3.2 Disposal of media 
A.8.3.3 Physical media in transfer
A.18.1.3 Protection of records

6. Definitions and Acronyms
6.1 Definitions

Information Asset-
Anything that has value to the Organization and is either a form of information itself or creates, stores, transmits, or manages information.

Information Security-
Preservation of confidentiality, integrity and availability; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

Information Security Management System -
The system designed, implemented and maintained for assuring a coherent framework of processes and systems; for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks.

“COMPANY NAME” Employee-
A person hired to perform a job or service for “COMPANY NAME”, whether directly employed or hired on a contract basis.

Customers-
All the clients of the organization who avail services by “COMPANY NAME”.

Vendors-
All third parties, including but not limited to vendors, volunteers, contractors, consultants, temporary staff and others who have access to, support, administer, manage or maintain “COMPANY NAME”’s information or physical assets.

External Storage Media-
All storage devices such as USB drives, CDs, DVDs, external hard disks, or any other device capable of capturing, storing or transporting data.

Users (of the information systems of “COMPANY NAME” Ltd) -
In this policy, Users refers to all employees of the organization (permanent as well as temporary), third parties, contractors, vendors, consultants, volunteers, interns, etc., who use or deal with information assets or other assets of “COMPANY NAME”.

Authorized Persons-
People who have established a need and received the necessary authorization from “COMPANY NAME”.


6.2 Acronyms

AR- Asset Register

IT- Information Technology

