+32468072112
info@nexly.eu

Information Classification & Handling Policy

Proper handling of Nexly’s sensitive data

Nexly Corporation - Information Classification & Handling Policy

1. Introduction & Purpose

This Information Classification & Handling Policy (the "Policy") establishes the framework for classifying, protecting, and managing all information assets owned or controlled by Nexly Corporation ("Nexly" or the "Company"), located at 701 South Street Suite 100, Mountain Home, AR 72653. Nexly recognizes that information is a critical asset. The protection of information is vital for maintaining business operations, protecting the privacy of individuals, complying with legal and regulatory requirements, and safeguarding our reputation. This Policy is designed to:

  • Classify Information: Categorize information based on its sensitivity and criticality to business operations.
  • Establish Handling Requirements: Define the appropriate handling requirements for information based on its classification level.
  • Protect Confidentiality, Integrity, and Availability (CIA): Ensure the confidentiality, integrity, and availability of information assets.
  • Comply with Legal and Regulatory Requirements: Comply with all applicable laws, regulations, and industry standards related to data privacy and security.
  • Reduce Risk: Minimize the risk of data breaches, data loss, and unauthorized access to Company information.
  • Promote Security Awareness: Educate employees on their responsibilities for protecting Company information.
  • Define Responsibilities: Establish clear roles and responsibilities for information classification and handling.

This Policy applies to all Nexly employees, contractors, vendors, and other individuals and entities that create, access, store, transmit, or otherwise handle Company information (collectively, "Users"). This Policy is to be read in conjunction with other Company policies, including, but not limited to, the Information Security Policy, the Data Privacy Policy, the Acceptable Use Policy, the Confidentiality and Non-Disclosure Policy, and the Mobile Device & BYOD Policy.

2. Information Classification Levels

Nexly Corporation will classify information into the following levels, based on its sensitivity and criticality:

  • 2.1. Public: Information that is intended for public consumption and can be freely disclosed without any restrictions.
    • Examples: Company website content, marketing brochures, press releases, and public presentations.
    • Handling Requirements: No special handling requirements.
  • 2.2. Internal Use Only: Information that is intended for internal use within Nexly Corporation.
    • Examples: Internal memos, internal reports, and internal communications.
    • Handling Requirements: Must be protected from unauthorized disclosure outside of Nexly. Access should be restricted to authorized internal users only.
  • 2.3. Confidential: Information that, if disclosed without authorization, could cause moderate harm to Nexly or its stakeholders.
    • Examples: Non-public financial information, customer data, employee data (excluding PII), internal strategies, and proprietary business information.
    • Handling Requirements: Must be protected from unauthorized disclosure. Access should be restricted to authorized individuals on a need-to-know basis. Must be encrypted when stored or transmitted outside of a secure network.
  • 2.4. Highly Confidential: Information that, if disclosed without authorization, could cause significant harm to Nexly or its stakeholders, including legal or regulatory penalties, or reputational damage.
    • Examples: Protected Health Information (PHI), Personally Identifiable Information (PII) as defined by applicable law (e.g., social security numbers, credit card numbers), trade secrets, and other sensitive business information.
    • Handling Requirements: Must be protected with the highest level of security. Access should be strictly limited to authorized individuals on a need-to-know basis. Data must be encrypted both at rest and in transit. All handling activities must be logged and monitored. Special handling procedures will be required.

The classification level of information must be determined by the data owner, in consultation with the Information Security Department and Legal Counsel. If the classification is unclear, err on the side of caution and classify the information at the higher, more protective level.

3. Data Handling Procedures

The following procedures must be followed when handling information, depending on its classification level:

  • 3.1. Public Information: No specific handling requirements.
  • 3.2. Internal Use Only Information:
    • Access Control: Limit access to authorized internal users only.
    • Transmission: Transmit internally via secure means, such as email or Company-approved collaboration tools.
    • Storage: Store on Company-approved systems.
    • Destruction: Dispose of in accordance with the Company's data retention and disposal policies.
  • 3.3. Confidential Information:
    • Access Control: Limit access to authorized individuals on a need-to-know basis.
    • Data Encryption: Encrypt data when stored or transmitted outside of a secure network.
    • Transmission: Use secure email or file-sharing services.
    • Physical Security: Protect physical documents from unauthorized access.
    • Storage: Store on Company-approved systems.
    • Disposal: Dispose of data in accordance with the Company's data retention and disposal policies.
  • 3.4. Highly Confidential Information:
    • Access Control: Strictly limit access to authorized individuals on a need-to-know basis. Require multi-factor authentication (MFA) for access.
    • Encryption: Encrypt data at rest and in transit, using strong encryption methods.
    • Secure Storage: Store on Company-approved systems.
    • Transmission: Use secure methods for transmission (e.g., secure email with encryption, secure file transfer protocols).
    • Logging & Monitoring: Log and monitor all access to the data.
    • Physical Security: Protect physical documents.
    • Auditing: Ensure that all handling activities are audited.
    • Data Masking: Apply data masking wherever the full value of the data is not required.
    • Data Loss Prevention: Employ data loss prevention (DLP) tools.
    • Training: Users who handle Highly Confidential Information must receive specialized training.
    • Disposal: Dispose of data in accordance with the Company's data retention and disposal policies.
  • 3.5. Mobile Devices: Follow the Mobile Device & BYOD Policy [Link to Mobile Device & BYOD Policy] when accessing Company data on mobile devices.
  • 3.6. Remote Work: Follow the Remote Work Security Policy [Link to Remote Work Policy] when working remotely.
  • 3.7. Third-Party Vendors: Ensure that third-party vendors who handle Company data have appropriate security controls in place, as defined in the Third-Party Vendor Risk Management Policy [Link to Vendor Policy].

4. Data Retention & Disposal

Nexly Corporation will retain and dispose of information in accordance with the Company's Data Retention Policy [Link to Data Retention Policy].

  • Retention Periods: Data will be retained only for as long as is necessary to meet legal, regulatory, and business requirements.
  • Disposal Methods: Data will be disposed of securely, using approved methods, in accordance with the Company's data retention and disposal policies.
  • Compliance: Retention and disposal will comply with all applicable laws and regulations.

5. Roles & Responsibilities

Ensuring the proper classification and handling of information is a shared responsibility. The following outlines the key roles and their responsibilities:

  • 5.1. Board of Directors:
    • Oversees the Company's data protection and information security program.
    • Approves this Policy and reviews its effectiveness.
  • 5.2. Chief Information Officer (CIO):
    • Responsible for the overall implementation and enforcement of this Policy.
    • Oversees the Information Security Department.
  • 5.3. Information Security Department:
    • Develops, implements, and maintains this Policy.
    • Provides guidance on information classification and handling procedures.
    • Conducts security assessments and audits.
    • Provides training and awareness programs on data security.
    • Investigates and responds to data security incidents.
  • 5.4. Data Owners (the person or department that generates and has ultimate responsibility for information):
    • Data Classification: Determine the appropriate classification level for the information they create or control.
    • Data Protection: Ensure that information is handled in accordance with its classification level.
    • Review: Review the classification of information periodically and update it as needed.
    • Data Inventory: Maintain an inventory of data under their control.
  • 5.5. Department Heads & Managers:
    • Ensure that employees within their departments comply with this Policy.
    • Provide training and guidance on information classification and handling procedures.
    • Monitor data handling practices within their departments.
  • 5.6. All Employees:
    • Understand and comply with this Policy.
    • Classify information appropriately, based on its sensitivity.
    • Handle information in accordance with its classification level.
    • Report any suspected data security incidents to the Information Security Department immediately.

6. Security Incidents and Breach Reporting

Nexly Corporation will promptly address any data security incidents.

  • 6.1. Reporting: All employees must report any suspected data security incidents, including data breaches, loss of data, or unauthorized access to information, to the Information Security Department immediately.
  • 6.2. Incident Response: The Information Security Department will investigate all reported incidents and take appropriate action.
  • 6.3. Notification: Nexly will notify individuals and regulatory authorities, as required by law, of any data breaches.
  • 6.4. Data Privacy: Follow all procedures in the Data Privacy Policy [Link to Data Privacy Policy].

7. Policy Review & Amendments

This Information Classification & Handling Policy will be reviewed and updated regularly to ensure its continued effectiveness.

  • Review Frequency: This Policy will be reviewed at least [Specify Frequency, e.g., annually] or more frequently as needed, such as in response to changes in the Company's business, the threat landscape, or regulatory requirements.
  • Review Process: The review process will involve:
    • Stakeholder Input: Seeking input from relevant stakeholders.
    • Risk Assessment: Assessing the effectiveness of the Policy and identifying any gaps.
    • Legal Review: Ensuring that the Policy complies with all applicable laws.
  • Policy Amendments and Communication: Any amendments to this Policy will be approved by [Specify Approving Authority, e.g., the Board of Directors or the Executive Leadership Team] and communicated to all users through [Specify Communication Channels, e.g., company-wide email, intranet posting, training sessions].
  • Policy Ownership: The Information Security Department is responsible for maintaining and updating this Policy.

**Acknowledgement:** By accessing Company information, all employees, contractors, and other authorized individuals are deemed to acknowledge that they have read, understood, and agree to abide by the terms and conditions outlined in this Information Classification & Handling Policy.

- Nexly