Data Classification Policy
This policy provides guidelines for the classification of Bold Business (“Bold Business”) information systems data and physical hard copies of data. This policy will define appropriate control requirements for information classified as “confidential” in accordance with this policy.
2. Scope and Definitions
a. The requirements of this policy apply to all of Bold Business functional areas and all of Bold Business’ wholly owned and majority-owned subsidiary companies.
b. This policy also applies to agents of Bold Business, its subsidiaries, and to all information created by, on behalf of, or in use by Bold Business.
c. This policy is applicable to all electronic and physical business information managed within any company information system, as defined in this policy.
d. This policy is designed to be used in conjunction with other Information Technology, as well as other company policies. Where this policy conflicts with another policy, the more stringent of the two policies should be followed.
a. Personally Identifiable Information (PII): any information about an individual that (a) can be used to distinguish or trace an individual’s identity, (b) is linked or linkable to an individual, or (c) is protected by federal, state or local laws and regulations or by industry standards.
Bold Business has identified the following attributes as PII within the organization:
- Authentication Information
- Date of Birth
- Email address
b. Confidential Data: any information that is protected as confidential by federal, state or local laws and regulations or by contract, and any other information that Bold Business considers appropriate for confidential treatment. Including but not limited to:
- PII – Personal information as defined above
- Personal non-public and financial data.
- Contracts subject to confidentiality requirements.
- Company law enforcement or court records and confidential investigation records.
- Unpublished company financial information, strategic plans and real estate or facility development plans.
- Information on facilities security systems.
- Nonpublic intellectual property, including invention disclosures and patent applications.
c. Internal Data: any information that is proprietary or produced only for use by associates of Bold Business who have a legitimate purpose to access such data. Including but not limited to:
- Internal operating procedures and operational manuals.
- Internal memoranda, emails, reports and other documents.
- Technical documents such as system configurations and floor plans.
d. Public Data: any information that may or must be made available to the general public, with no legal restrictions on its access or use. Including but not limited to:
- Company financial statements and other reports filed with federal or state governments and generally available to the public.
- Copyrighted materials that are publicly available.
- Publicly available information lawfully made available to the general public from federal, state or local government records.
e. Information Systems: information systems provided to any company associate, including remote access, and any data and/or information composed, received and/or sent by an associate on or through any such systems, including but not limited to:
- Computer (PCs, Laptops, Tablets, etc.)
- Network, Telephone, Email, Instant messaging, Voice mail, Facsimile, Websites
- Flash drive, CD/DVD, Video
- Personal digital assistant systems/handheld device
f. Data Owner: For the purpose of this policy, a data owner is a company associate who is responsible for managing specific electronic or hard copies of business information as designated by Bold Business. Owners should be at Manager level or above and are responsible for assigning appropriate information sensitivity classifications as defined in this policy. Owners do not legally own the Bold Business information entrusted to their care. They are instead designated members of the Bold Business leadership team who act as stewards, and who supervise the ways in which certain types of information are used and protected.
g. Users: The person who is the actual authorized user of data in any format, electronic or physical. All company associates, contractors, and agents are considered users for the purpose of this policy.
- All company associates are responsible for being aware of and complying with this policy.
- All company associates in a leadership position are responsible for ensuring their department’s associates are familiar with and comply with applicable policy requirements.
- The Senior Vice President, Chief Information Officer is ultimately responsible for adherence to this policy.
- Authority for this policy rests with the Executive Vice President and Chief Financial Officer.
4. Policy – General
This policy applies to all electronic information in company information systems. The classification system defined in this policy is based on the concept of “need to know”. In other words, information is not accessible or disclosed to any person who does not have a legitimate and demonstrable business need to receive the information. This concept, when combined with the requirements defined in this policy, will protect company information from unauthorized disclosure, use, modification, and deletion.
Policy – Data Classification
a. User Responsibilities: All Users who come into contact with Confidential Data and Internal Data are expected to familiarize themselves with this data classification policy and to consistently use these standards. Although this policy provides overall guidance to achieve consistent information protection, Users are expected to apply and extend these concepts to fit the needs of their day-to-day operations.
b. Data Owner Responsibilities: Data owners are required to manage the information within their area of responsibility, as well as manage the access and control processes as defined in this policy.
Policy – Access Controls and Usage
a. System Access: The proper controls shall be in place to authenticate the identity of users and to validate each user’s authorization before allowing the user to access information or services on the system. Data used for authentication shall be protected from unauthorized access. Controls shall be in place to ensure that only personnel with the proper authorization and a need to know are granted access to Bold Business’ systems and their resources. Remote access shall be controlled through identification and authentication mechanisms.
b. Access Authorization Reviews: Access to confidential information must be provided only after the written authorization of the Data Owner has been obtained. Access requests will be presented to the data owner. Special needs for access privileges will be dealt with on a request-by-request basis. The list of individuals with access to confidential information will be reviewed at least annually for accuracy by the relevant Data Owner in accordance with a system review schedule approved by the Information Security Team.
c. Special Considerations for Confidential Information:
1. If confidential information is going to be stored on a personal computer, portable computer, personal USB devices, or any other single-user system, the system must conform with the following company policy: “Information Security and Acceptable Use of Information Systems”.
2. When users are not currently accessing or otherwise actively using the confidential information on such a machine, they must not leave the machine without logging off, invoking a password-protected screen saver, or otherwise restricting access to the information.
3. Data Encryption Software: Company associates and vendors must not install encryption software to encrypt files or folders without the written consent of Information Security.
4. Storage Media: Storage media containing confidential information shall be completely erased before that medium is reassigned to a different user or disposed of when no longer used. Simply deleting the data from the media is not sufficient. When disposing of media containing data that cannot be completely erased, the media must be destroyed in a manner approved by Information Security. Please contact Information Security for assistance with this.
5. Paper Copy Access: In accordance with our “Clear Desk Policy”, all hard copies of confidential data must be stored only in a locked drawer; a locked room; an area where access is controlled by a guard, cipher lock, and/or card reader; or an area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis.
6. Transmission over networks: If confidential data is to be transmitted over any external communication network, it must be sent only in encrypted form. Such networks include electronic mail systems, the Internet, etc. All such transmissions must use a virtual private network (VPN) or similar software approved by the Information Security Team.
7. Transfer to another computer: Before any confidential information may be transferred from one computer to another, the person making the transfer must ensure that access controls on the destination computer are commensurate with access controls on the originating computer. If comparable security cannot be provided with the destination system’s access controls, then the information must not be transferred.
8. Storage on personal or portable storage: Storage of company information on personal or portable storage is discouraged, since it can easily fall into the wrong hands. If such storage is needed temporarily for remote work, etc., it is to be used with reasonable caution and the information removed immediately after use. Please refer to company policy “OP#6002 – Information Security and Acceptable Use of Information Systems” for more information.
d. Physical IT Security:
1. Data Center Access: Access to company data centers must be physically restricted in a reasonable and appropriate manner.
2. IT Equipment Access: All network equipment (routers, switches, etc.) and servers located in the support center offices and in all facilities must be secured when no company associates or authorized contractors are present. Physical security denies access to unauthorized personnel.
Any associate who discovers a violation of this policy should notify the local information systems contact. Any suspected policy violation which may have jeopardized company information or systems should also be immediately reported to IT. Violations of this policy may result in disciplinary action up to and including termination.