Information Classification policy

COMPANY NAME has established an information classification policy to protect its information assets from unauthorized access and compromise. The policy outlines responsibilities for information owners and associates, categorizing information into four classifications: Public, Internal, Confidential, and Classified, each with specific handling and labeling requirements. This framework ensures that all information is adequately protected based on its sensitivity and importance to the organization.

Uploaded by

Vikyath

INFORMATION CLASSIFICATION POLICY

Purpose

COMPANY NAME provides fast, efficient, and cost-effective electronic services for a variety of clients worldwide. As an industry leader, it is critical for COMPANY NAME to set the standard for the protection of information assets from unauthorized access and compromise or disclosure. Accordingly, COMPANY NAME has adopted this information classification policy to help manage and protect its information assets.

Scope

COMPANY NAME and its associates (i.e., affiliates, third parties, vendors, and outsourcing partners) share in the responsibility for ensuring that the organization's information assets receive an appropriate level of protection by observing this policy.

Responsibility

• Department Managers or information 'owners' shall be responsible for assigning classifications to information assets according to the standard information classification system presented below. ('Owners' have approved management responsibility. 'Owners' do not have property rights.)
• Where practicable, the information category shall be embedded in the information itself.
• All COMPANY NAME associates shall be guided by the information category in their security-related handling of COMPANY NAME information.

Policy
All COMPANY NAME information and all information entrusted to COMPANY NAME by third parties fall into one of the four classifications in the table below, presented in order of increasing sensitivity.

| Information Category | Description |
|---|---|
| Public | Information is not confidential and can be made public without any implications for COMPANY NAME. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. |
| Internal | Information is restricted to internal access within management-approved departments and protected from external access. Unauthorized access could influence COMPANY NAME's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital. |
| Confidential | Information received from clients or produced within COMPANY NAME, accessible to a restricted department or members, in any form, for processing in production by COMPANY NAME. The original copy of such information must not be changed in any way without written permission from the owner (either the Client or COMPANY NAME). The highest possible levels of integrity, confidentiality, and restricted availability are vital. |
| Classified | Information with a "Top Management Only" visibility. Example: Business Plan |

Information labeling and handling (A.7.2.2)

All information assets shall be labeled and handled as per the following schemes.

Table 2: Asset Labeling Scheme

| Classification | Physical Asset | Information Asset |
|---|---|---|
| Public | Green sticker with 'P' inscribed in it. | Mark 'Public' in footers/headers for electronic documents. For paper documents, at least mark the container (e.g. folder, file cabinet) if it is not possible to mark the individual documents. |
| Internal | Yellow sticker with 'I' inscribed in it. | Mark 'INTERNAL' in footers/headers for electronic documents. For paper documents, at least mark the container (e.g. folder, file cabinet) if it is not possible to mark the individual documents. |
| Confidential | Blue sticker with 'C' inscribed in it. | Mark 'CONFIDENTIAL' in footers/headers for electronic documents. For paper documents, at least mark the container (e.g. folder, file cabinet) if it is not possible to mark the individual documents. |
| Classified | Red sticker | Mark 'classified' in footers/headers for electronic documents. For paper documents, at least mark the container (e.g. folder, file cabinet) if it is not possible to mark the individual documents. |

Asset Handling Scheme

| Classification | Physical Asset | Information Asset |
|---|---|---|
| Public | Availability of standby arrangement to meet the requirement. | Availability of backup. |
| Internal | Access restricted to authorized groups. | Access restricted to authorized groups. • Exchange is restricted among the group. |
| Confidential | • Very strict physical and logical access control. • Placed in secure zone. Access by authorized persons only on a need-to-use basis. • Media containing confidential information (e.g. hardcopy, CD, DVD, hard disk, etc.) shall be securely erased/destroyed before disposal. | • Strict physical and logical access control. • No transmission through e-mail without proper encryption. • Access by authorized persons only on a need-to-know basis. |
| Classified | • Careful handling by authorized persons. • Availability of suitable and tested BCP. | • Availability of backup both onsite and offsite. • Storing a backup in a suitable fireproof cabinet. |
