Nexly Corporation - Data Classification & Handling Policy
1. Introduction & Purpose
This Data Classification & Handling Policy (the "Policy") establishes the procedures and guidelines for classifying, protecting, and managing all data owned or controlled by Nexly Corporation ("Nexly" or the "Company"). Located at 701 South Street Suite 100, Mountain Home, AR 72653, Nexly recognizes that data is a valuable asset that must be protected to ensure business continuity, maintain customer trust, and comply with legal and regulatory requirements. This Policy is designed to:
- Classify Data: Provide a consistent framework for classifying data based on its sensitivity and criticality to business operations.
- Establish Handling Requirements: Define the appropriate handling requirements for data based on its classification level.
- Protect Data Confidentiality, Integrity, and Availability (CIA): Ensure the confidentiality, integrity, and availability of data.
- Comply with Legal and Regulatory Requirements: Ensure compliance with all applicable laws, regulations, and industry standards related to data protection.
- Minimize Risk: Reduce the risk of data breaches, data loss, and unauthorized access to Company data.
- Promote Security Awareness: Educate employees on their responsibilities.
- Define Responsibilities: Establish clear roles and responsibilities for data classification and handling.
This Policy applies to all Nexly employees, contractors, vendors, and other individuals and entities that create, access, store, transmit, or otherwise handle Company data (collectively, "Users"). This Policy is to be read in conjunction with other Company policies, including, but not limited to, the Information Security Policy, the Data Privacy Policy, the Acceptable Use Policy, the Confidentiality and Non-Disclosure Policy, the Mobile Device & BYOD Policy, and the Incident Response & Breach Notification Policy.
2. Data Classification Levels
Nexly Corporation will classify data into the following levels, based on its sensitivity and criticality to business operations:
- 2.1. Public: Information that is intended for public consumption and can be freely disclosed without any restrictions.
  - Examples: Company website content (excluding secure areas), press releases, public presentations, and job postings.
  - Handling Requirements: No special handling requirements. May be shared freely.
- 2.2. Internal Use Only: Information that is intended for internal use within Nexly Corporation and is not intended for public distribution. Disclosure outside of Nexly could cause minor disruption.
  - Examples: Internal memos, internal reports, meeting minutes, training materials, internal communications, and non-sensitive employee information.
  - Handling Requirements: Must be protected from unauthorized disclosure outside of Nexly. Access should be restricted to authorized internal users only. Do not post on public-facing websites or social media.
- 2.3. Confidential: Information that, if disclosed without authorization, could cause moderate harm to Nexly or its stakeholders. Disclosure could violate business contracts.
  - Examples: Non-public financial information, customer data (excluding PII), employee performance data, internal strategies, and proprietary business information.
  - Handling Requirements: Must be protected from unauthorized disclosure. Access should be restricted to authorized individuals on a need-to-know basis. Data must be encrypted when stored or transmitted outside of a secure network. Use caution when sending to external email addresses.
- 2.4. Highly Confidential: Information that, if disclosed without authorization, could cause significant harm to Nexly or its stakeholders, including legal or regulatory penalties, significant financial loss, reputational damage, or the compromise of critical business operations.
  - Examples: Protected Health Information (PHI), Personally Identifiable Information (PII), trade secrets, financial data, source code, legal documents, and other highly sensitive business information.
  - Handling Requirements: Must be protected with the highest level of security. Access should be strictly limited to authorized individuals on a need-to-know basis. Data must be encrypted both at rest and in transit. All handling activities must be logged and monitored. Special handling procedures, including stringent access controls and audit trails, will be required. Limit the use of removable media. Must follow the Data Privacy Policy [Link to Data Privacy Policy].
The classification level of information must be determined by the Data Owner, in consultation with the Information Security Department and Legal Counsel. If the classification is unclear, err on the side of caution and classify the information at the higher, more protective level. A listing of the Data Owners can be found on the Nexly Corporation Intranet [Link to Intranet Page].
3. Data Handling Procedures
The following procedures must be followed when handling data, depending on its classification level:
- 3.1. Public Information:
  - Handling: No specific handling requirements. Share publicly, where appropriate.
  - Accuracy: Ensure accuracy and consistency.
- 3.2. Internal Use Only Information:
  - Access Control: Limit access to authorized internal users.
  - Transmission: Transmit internally via secure means, such as email or Company-approved collaboration tools.
  - Storage: Store on Company-approved systems, such as network drives, file servers, and cloud storage platforms.
  - Printing: Print only on Company-approved printers and at secure print locations.
  - Disposal: Dispose of in accordance with the Company's Data Retention Policy [Link to Data Retention Policy] and through approved methods, such as secure shredding or secure deletion.
- 3.3. Confidential Information:
  - Access Control: Limit access to authorized individuals on a need-to-know basis.
  - Data Encryption: Encrypt data when stored or transmitted outside of a secure network. [Specify Encryption Requirements, e.g., using AES-256 encryption for storage and TLS 1.2 or higher for transmission.]
  - Transmission: Use secure email and file-sharing services.
  - Physical Security: Protect physical documents from unauthorized access. Secure physical storage is required.
  - Storage: Store on Company-approved systems.
  - Disposal: Dispose of data in accordance with the Company's Data Retention Policy and through approved methods, such as secure shredding or secure deletion.
  - Handling on Portable Devices: Follow the Mobile Device & BYOD Policy.
- 3.4. Highly Confidential Information:
  - Access Control: Strictly limit access to authorized individuals on a need-to-know basis. Implement multi-factor authentication (MFA).
  - Encryption: Encrypt data at rest and in transit. Implement strong encryption.
  - Secure Storage: Store on Company-approved systems only.
  - Transmission: Use secure methods for transmission.
  - Logging & Monitoring: Log and monitor all access to the data. Implement regular audits.
  - Physical Security: Protect physical documents. Store in locked locations with restricted access.
  - Auditing: Ensure that all handling activities are audited.
  - Data Loss Prevention (DLP): Use DLP tools to detect and prevent unauthorized transfer of this data.
  - Training: Users who handle Highly Confidential Information must receive specialized training.
  - Secure Disposal: Ensure secure disposal in accordance with the Company's Data Retention Policy.
  - Restrict Removable Media: Do not use removable media without explicit approval.
- 3.5. Working Remotely: Follow the Remote Work Security Policy [Link to Remote Work Policy] and only work remotely using secure and authorized means.
4. Data Storage and Transmission
Nexly Corporation will implement secure data storage and transmission practices.
- 4.1. Approved Storage Locations: Data must be stored on Company-approved systems and storage locations, including:
  - Network File Shares: Secure network file shares.
  - Cloud Storage: Company-approved cloud storage services (e.g., [Specify Approved Cloud Storage, e.g., Microsoft OneDrive, SharePoint]).
  - Databases: Company databases.
  - Employee Laptops and Workstations: Company-issued laptops and workstations, with appropriate security controls.
- 4.2. Data Transmission:
  - Secure Communication: Use secure communication channels, such as encrypted email, secure file transfer protocols (SFTP), and VPNs.
  - Avoid Unsecured Transmission: Do not transmit sensitive data via unencrypted email or other unsecured methods.
- 4.3. Data Backups: Regularly back up data to ensure its availability in the event of data loss or a disaster. Follow the Company's data backup procedures.
5. Data Retention and Disposal
Nexly Corporation will retain and dispose of data in accordance with the Company's Data Retention Policy [Link to Data Retention Policy].
- Retention Periods: Data will be retained only for as long as is necessary to meet legal, regulatory, and business requirements.
- Disposal Methods: Data will be disposed of securely. Follow the established Data Retention Policy and approved methods, such as:
  - Secure Deletion: Securely deleting electronic data from storage media (e.g., hard drives, solid-state drives, cloud storage).
  - Shredding: Shredding physical documents and other physical media.
- Compliance: Retention and disposal must comply with all applicable laws and regulations.
6. Roles and Responsibilities
Ensuring proper data classification and handling is a shared responsibility.
- 6.1. Board of Directors:
  - Oversees the Company's data protection and information security program.
  - Approves this Policy and reviews its effectiveness.
- 6.2. Chief Information Officer (CIO):
  - Responsible for the overall implementation and enforcement of this Policy.
  - Oversees the Information Security Department.
  - Ensures that appropriate resources are allocated.
- 6.3. Information Security Department:
  - Develops, implements, and maintains this Policy.
  - Provides guidance on information classification and handling procedures.
  - Develops and maintains data security best practices.
  - Conducts security assessments and audits.
  - Provides training on data security.
- 6.4. Data Owners (the person or department that creates, or has primary responsibility for, a specific type of data):
  - Data Classification: Determine the appropriate classification level for the data they create or control.
  - Data Protection: Ensure that data is handled in accordance with its classification level.
  - Data Management: Responsible for all aspects of managing the data they own.
  - Review: Review the classification of data periodically and update it as needed.
- 6.5. Department Heads & Managers:
  - Ensure that employees within their departments comply with this Policy.
  - Provide training and guidance on information classification and handling procedures.
  - Monitor data handling practices.
- 6.6. All Employees:
  - Comply with this Policy.
  - Classify information appropriately, based on its sensitivity.
  - Handle information in accordance with its classification level.
  - Report any suspected data security incidents to the Information Security Department immediately.
7. Policy Review & Amendments
This Data Classification & Handling Policy will be reviewed and updated regularly to ensure its continued effectiveness.
- Review Frequency: This Policy will be reviewed at least [Specify Frequency, e.g., annually], or more frequently as needed.
- Review Process: The review process will involve:
  - Stakeholder Input: Seeking input from relevant stakeholders.
  - Risk Assessment: Assessing the effectiveness of the Policy and identifying any gaps.
  - Legal and Regulatory Review: Ensuring compliance with all applicable laws.
  - Industry Practices: Incorporating current industry practices.
- Policy Amendments and Communication: Any amendments to this Policy will be approved by [Specify Approving Authority, e.g., the Board of Directors or the Executive Leadership Team] and communicated to all Users through [Specify Communication Channels, e.g., company-wide email, intranet posting, training sessions].
- Policy Ownership: The Information Security Department, with support from the Legal Department, is responsible for maintaining and updating this Policy.
**Acknowledgement:** By accessing Company data, all employees, contractors, and other authorized individuals are deemed to acknowledge that they have read, understood, and agree to abide by the terms and conditions outlined in this Data Classification & Handling Policy.