Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mysale Information Classification 101

Published byStephen Snow Modified over 5 years ago

Similar presentations

Presentation on theme: "Mysale Information Classification 101"— Presentation transcript:

1 Mysale Information Classification 101
How to classify and label Mysale Group Information and Data Sensitivity: PUBLIC Date: Class: COMPANY DATA Owner: CISO

2 Why do we need to classify information and data?
Not all information and data are equal We need to ensure that sensitive information does not leak out by error, or without authorisation We need to know which systems the sensitive information is stored at to protect them correspondingly, and who are its owners who can grant access to others It is needed to be certified to both PCI DSS and ISO27001

3 Our Classification Levels
Information authorised for release to the general public Public Information that is limited to everyone at Mysale Group Internal Information that is limited to specific departments, teams or people Confidential Information restricted to senior managers /directors only Highly Confidential

4 Other Security Label Content
Owner, responsible for creation, updates, and granting access to the document Owner is a role, not an employees name! Been a document owner does not imply any intellectual property right to it! Date of the document creation or modification, as we don’t have an automated version control Customer Data or Company Data label to distinguish Mysale information from that of our customers

5 How security footers look like?
Sensitivity: Public Date: Class: Company Data Owner: Marketing Director Sensitivity: Internal Date: Class: Company Data Owner: Sales Manager Sensitivity: Confidential Date: Class: Customer Data Owner: Financial Director Please use the headed paper provided for your convenience at <address>

6 Key Docs on Classification
Data Classification Matrix Details on how do we assign it and what it means Data Classification Standard Description of classification levels Data Classification Policy Overall rules on data security

7 May be distributed without damage to the company or individuals
Public Information May be distributed without damage to the company or individuals Examples: ads, external vacancy posts, website content Distribution: must be approved prior to public release with correctness checked prior to the release Exceptions: public posts that constitute a part of a job (e.g. blogging for advertisement purpose) Reproduction: unlimited Disposal: operating system delete, paper bins Security risks: loss, distortion, plagiarism by competitors

8 Internal Information All unlabeled documents are Internal by default and must be treated as such Examples: policies, procedures, work instructions, meeting invitations, calendars, time sheets, blank company headed paper Distribution: May be distributed within the company only. Exceptions: Can be delivered to third parties with whom an NDA has been signed as a part of a contract or a standalone document. These may include consultants, vendors, auditors etc. Reproduction: Limited copies to Mysale employees Disposal: delete and empty the Recycle Bin, shred paper Security risks: loss, leak to unauthorised third parties

9 Confidential Information
Unless agreed otherwise and approved by your manager, all Customer Data is Confidential by default! Examples: banking details, credit card data, login credentials and keys, personal data of employees Distribution: only to employees who work with such data, typically limited to a specific department or team Exceptions: senior management. External release only when required by a court order or to law enforcement agencies Reproduction: on the need to know basis Disposal: secure deletion where possible, shred paper Security risks: loss, leak to outsiders, inside leaks to employees who must not have access to such information Please keep in mind that all incidents involving Confidential data will be treated as Serious and escalated to C-level

10 Highly Confidential Information
Examples: board meeting notes, strategic business programs or plans Distribution: senior management/company directors only. No storage on shared resources to which other employees have access Exceptions: none. External release only when required by a court order or to law enforcement agencies Reproduction: on the need to know basis amongst senior managers Disposal: secure deletion, shred paper documents Security risks: loss, leak to outsiders, inside leaks to employees who must not have access to such information Please keep in mind that all incidents involving Highly Confidential data are Serious and will lead to disciplinary/legal actions

11 Handling Highly/Confidential Information
Do not copy to your own devices Do not take off Mysale premises Do not copy to shared drives not already containing it and approved to do so Do not send it to mail lists which may include recipients not authorised to view it Do not leave paper copies lying around unattended. Lock them up or shred if obsolete. Hard drives of mobile computers holding it must be encrypted by IT Support Any cloud resources holding it must be IT-approved and have two factor authentication turned on Use secure deletion tools recommended by IT to erase it

12 How to label a new document
In a new document, select and download the required template from Document Portal Insert you role and the date of document creation into the corresponding footer fields Save

13 How to label an existing document
Copy and paste the required footer from a corresponding classification level template at Document Portal Insert you role and the date of document creation into the corresponding footer fields Save

14 How to label a presentation
Create a new sheet called “Document Control” Insert “Sensitivity”, “Class”, “Date”, and “Role” fields into this sheet Fill these in in exactly the same manner as you would do with a document classification footer and save

15 Finally… You do not have to go through all company docs you have and label everything right now, but Label the existing documents as you amend them Label new documents as you create them Always label all Highly Confidential and Confidential information first If in doubt about data sensitivity: Check the Data Classification Matrix at Document Portal Ask your manager about it

Download ppt "Mysale Information Classification 101"

Similar presentations

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
FERPA: Family Educational Rights and Privacy Act.

FERPA: Family Educational Rights and Privacy Act.
FERPA Skidmore College Family Education Rights & Privacy Act What is FERPA? It is the Family Educational Rights and Privacy Act of 1974. Is also referred.

FERPA Skidmore College Family Education Rights & Privacy Act What is FERPA? It is the Family Educational Rights and Privacy Act of Is also referred.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
QMS Documentation Click the mouse to advance slides and animations in this slide show…

QMS Documentation Click the mouse to advance slides and animations in this slide show…
Security Policies Group 1 - Week 8 policy for use of technology.

Security Policies Group 1 - Week 8 policy for use of technology.
Purchasing Card Record Keeping & Retention REVISED 07-20151.

Purchasing Card Record Keeping & Retention REVISED
Practical Information Management

Practical Information Management
Personal Property Training Webinar Untimely Notifications PPMB Found Certification Fair Market Value Loan Agreement Creating Vehicle Agreement Asset User.

Personal Property Training Webinar Untimely Notifications PPMB Found Certification Fair Market Value Loan Agreement Creating Vehicle Agreement Asset User.
Security and Privacy Strategic Global Partners, LLC.

Security and Privacy Strategic Global Partners, LLC.
Privacy and Information Management ICT Guidelines.

Privacy and Information Management ICT Guidelines.
Ecords Management Records Management Paul Smallcombe Records & Information Compliance Manager.

Ecords Management Records Management Paul Smallcombe Records & Information Compliance Manager.
ISO27001 Introduction to Information Security. Who has day-to-day responsibility? All of us! Why Information Security? Control risk, limit liability What.

ISO27001 Introduction to Information Security. Who has day-to-day responsibility? All of us! Why Information Security? Control risk, limit liability What.
STARTFINISH DisposePrint & ScanShareStore Protect information and equipment ClassifyProtect.

STARTFINISH DisposePrint & ScanShareStore Protect information and equipment ClassifyProtect.
Secure Email. Email is a means of exchanging digital messages from an author to one or more recipients – it is instant with no delay or postal costs.

Secure . is a means of exchanging digital messages from an author to one or more recipients – it is instant with no delay or postal costs.
TRUENORTH TECHNOLOGY POLICIES OVERVIEW. This includes but is not limited to : – Games – Non-work related software – Streaming media applications – Mobile.

TRUENORTH TECHNOLOGY POLICIES OVERVIEW. This includes but is not limited to : – Games – Non-work related software – Streaming media applications – Mobile.

Similar presentations

Ads by Google