Connor Group Information Security
Data Classification
Jan 2024
v.1.2
Introduction
Any organization holds data that differs in its level of sensitivity: some data are more sensitive than others. Data Classification categorizes data in a way that conveys the sensitivity of the information. Data that must be safeguarded for confidentiality, integrity, and availability is classified as sensitive and requires greater controls than data that can be freely shared.
Data Classification is primarily concerned with data management, ensuring that sensitive information is handled appropriately in proportion to the risk that its exposure or loss poses to the company. It is used to restrict access to sensitive data to authorized personnel without needlessly encumbering the company with the overhead of protecting non-sensitive data.
Data classification, security policy, and risk analysis are related functions that organizations use in conjunction to enhance security.
Purpose
The purpose of this Standard is to ensure:
- The company recognizes what types of data are considered sensitive and non-sensitive.
- Appropriate protections are in place to protect sensitive data from unauthorized access.
- Data repositories protect data based on the highest sensitivity of data stored there.
Scope
This Standard applies to IT systems or repositories managed or accessed by Connor Group, including both physical and virtual desktops, laptops, servers, handhelds, and third-party systems utilized by CG employees for business purposes.
All staff and Third Parties responsible for the management of IT Systems must understand and follow the requirements herein.
In the event of uncertainty regarding the applicability of this Standard, contact Information Security for clarification and/or guidance at [email protected].
Definitions
References for terminologies or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://helpdesk.connorgp.com/a/solutions/articles/11000097565)
Standard
Adherence to requirements in this standard is mandatory.
1. Data Classification
Ref | Requirement
1.1 | Data at Connor Group is classified into four general categories:
- General – Files or email with no business expectation of privacy or protection. Examples: publicly available addresses or contact information, public stock prices, innocuous email or work correspondence. Loss or disclosure has no impact on the company, clients, or partners.
- Sensitive – Files or email whose sensitivity requires that access be limited to the company and its partners. Examples: business communications, shared client data, PII. Loss or disclosure has low impact on the company and no cascading risk exposure beyond the data itself.
- CG Only – Files or email whose sensitivity requires that access be limited to company employees and ICs. Examples: internal IP data, server names, CG PII. Loss or disclosure has significant impact on the company.
- Confidential – Highly sensitive data with access limited to a defined subset of company employees or ICs. Examples: merger and acquisition data, HR performance data, service account passwords. Loss or disclosure has grievous impact on the company.
1.2 | Confidential information is never to be removed from Production environments unless done so by the data owner or with the documented express consent of the data owner.
1.3 | Access to Confidential information is by approved methods only and with the consent of the data owner.
1.4 | Sensitive, CG Only, and Confidential data must always be stored and disposed of securely, in accordance with established procedures and other relevant company policies, to ensure that it is not inadvertently made available to an unauthorized party.
1.5 | Sensitive, CG Only, and Confidential data must always be transmitted securely when being shared with an authorized party.
1.6 | Data classified as Sensitive or above that is shared outside production systems must only be sent to parties authorized to view that data.
2. Roles
All staff have a key role to play in the proper protection of data. This begins by understanding the Data Classification rules and the day-to-day implementation of those rules. The specific roles that are required to ensure data is adequately classified and protected are:
- DATA OWNER – The Internal Data Owner is the person named as responsible for ensuring that data classification requirements are adhered to. The Data Owner is responsible for ensuring that data elements are properly classified according to the Data Classification policy.
- DATA CUSTODIAN – The Data Custodian is responsible for implementing the appropriate control environment around the use of data elements by their unit (any data element may have multiple custodians, each responsible for their area's use of the data). Any gap in a process that could result in data being compromised must be escalated immediately by the Data Custodian to the Data Owner.
- END USER – Connor Group clients are ultimately responsible for data security and are responsible for communicating sensitivity requirements which data custodians and data owners are instructed to follow.
Compliance
The Information Security team shall verify compliance with this Standard through various methods, including but not limited to walk-throughs, environment sampling, process review, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to this Standard requires a formally approved exemption documenting the justification for, and the approval of, the deviation from this Standard. Exemption approvals are required before systems enter live operations, or before they remain online after the remediation plan grace period has expired.
The following are required to adhere to this Standard, except where a formal exception has been granted as above:
- All Connor Group Systems and employees, independent contractors, and subcontractors. Any individual found to have violated this Standard may be subject to disciplinary actions including termination and legal recourse.
- Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Standard will be considered to have breached their contract with Connor Group.
Revision History
Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.
Version | Detail | Author | Date
1.0 | Initial document | Connor Group Information Security | May 2021
1.1 | Formatting revised, with requirements under Standard enumerated for easier reference. | Connor Group Information Security | Oct 2022
1.2 | Annual Policy Review | Connor Group Information Security | Jan 2024