intelliHR's Data Classification Policy explains the Company’s information labelling and handling guidelines. It should be noted that the sensitivity level definitions were created as guidelines and to emphasise common sense steps that can be taken to protect sensitive or confidential information (e.g., Company Confidential information should not be left unattended in conference rooms). This policy includes, but is not limited to, information that is received, stored, processed, or transmitted via any means. This includes electronic, hardcopy, and any other form of information regardless of the media on which it resides.
Policy
Definitions
- Restricted Data
Restricted information is highly valuable, highly sensitive business information and the level of protection is dictated externally by legal and/or contractual requirements. Personally identifiable information (PII) falls in this category.
- Confidential Data
Confidential information is highly valuable, sensitive business information, and the level of protection is dictated internally by intelliHR.
-
Internal Data
Internal Use information is information originating within or owned by intelliHR, or entrusted to it by others.
- Public Information
Public information is information that has been approved for release to the general public and is freely shareable both internally and externally.
Data Classification Scheme
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact on intelliHR should that data be disclosed, altered, or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of the three following classifications.
Confidential/Restricted Data
Data should be classified as Restricted or Confidential when the unauthorized disclosure, alteration, or destruction of that data could cause a serious or significant level of risk to intelliHR or its customers. Examples of Sensitive data include data protected by state or federal privacy regulations (for example Personal Health Information (PHI) and PII) and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted and Confidential Data: Disclosure or access to Restricted and Confidential data is limited to specific use by individuals with a legitimate need to know. Explicit authorization by the Security Officer or Executive Management MUST be obtained for access because of legal, contractual, privacy, or other constraints. Must be protected to prevent loss, theft, unauthorized access, and/or unauthorized disclosure. Must be destroyed when no longer needed. Destruction must be in accordance with Company policies and procedures. Will require specific methodologies, procedures, and reporting requirements for the response and handling of incidents.
Internal Use Data
Data should be classified as Internal Use when the unauthorized disclosure, alteration, or destruction of that data could result in a moderate level of risk to intelliHR or its customers. This includes proprietary, ethical, or privacy considerations. Data must be protected from unauthorized access, modification, transmission, storage, or other use. This applies even though there may not be a civil statute requiring this protection. Internal Use Data is restricted to personnel who have a legitimate reason to access it. By default, all data that is not explicitly classified as Restricted/Confidential or Public data should be treated as Internal Use data. Reasonable levels of security controls should be applied to Internal Use Data.
Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to intelliHR and its customers. It is further defined as information with no existing local, national, or international legal restrictions on access or usage. While little or no controls are required to protect the confidentiality of Public data, some level of control MUST be implemented to prevent unauthorized alteration or destruction of Public Data.
Assessing Classification Level and Labelling
The goal of information security, as stated in the Information Security Policy, is to protect the confidentiality, integrity, and availability of Corporate and Customer Data. Data classification reflects the level of impact to intelliHR if confidentiality, integrity, or availability is compromised. If a classification is not inherently obvious, consider each security objective using the following table as a guide. All data are to be assigned one of the following four sensitivity levels:
Classification | Data Classification Description | |
Restricted | Definition | Restricted information is highly valuable, highly sensitive business information and the level of protection is dictated externally by legal and/or contractual requirements. PII falls into this category. Restricted information must be limited to only authorized employees, contractors, and business partners with a specific business need. |
Potential Impact of Loss | SIGNIFICANT DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal or external to intelliHR. Impact could include negatively affecting intelliHR’s competitive position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements, and posing an identity theft risk. | |
Confidential | Definition | Confidential information is highly valuable, sensitive business information (i.e. Board of Directors data), and the level of protection is dictated internally by intelliHR. Confidential information must be limited to only authorized employees, contractors, and business partners with a specific business need. |
Potential Impact of Loss | SIGNIFICANT DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal or external to intelliHR. Impact could include negatively affecting intelliHR’s competitive position, damaging the company’s reputation, violating contractual requirements, and exposing the geographic location of individuals. | |
Internal Use | Definition | Internal Use information is information originating within or owned by intelliHR, or entrusted to it by others. Internal Use information may be shared with authorized employees, contractors, and business partners who have a business need, but may not be released to the general public, due to the negative impact it might have on the company’s business interests. |
Potential Impact of Loss | MODERATE DAMAGE would occur if Internal Use information were to become available to unauthorized parties either internal or external to intelliHR. Impact could include damaging the company’s reputation and violating contractual requirements | |
Public | Definition | Public information is information that has been approved for release to the general public and is freely shareable both internally and externally. |
Potential Impact of Loss | NO DAMAGE would occur if Public information were to become available to parties either internal or external to intelliHR. Impact would not be damaging or a risk to business operations. |