TABLE 5.8 Information Classification Policy: Example 3

INFORMATION CLASSIFICATION

Introduction

Information, wherever it is handled or stored (for example, in computers, file cabinets, desktops, fax machines, voice-mail), needs to be protected from unauthorized access, modification, disclosure, and destruction. All information is not created equal. Consequently, segmentation or classification of information into categories is necessary to help identify a framework for evaluating the information’s relative value and the appropriate controls required to preserve its value to the company.

Three basic classifications of information have been established. Organizations may define additional subclassifications as necessary to complete their framework for evaluating and preserving information under their control.

When information does require protection, the protection must be consistent. Often, strict access controls are applied to data stored in the mainframe computers but not applied to office workstations. Whether in a mainframe, client/server, workstation, file cabinet, desk drawer, waste basket, or in the mail, information should be subject to appropriate and consistent protection. The definitions and responsibilities described below represent the minimum level of detail necessary for all organizations across the company. Each organization may decide that additional detail is necessary to adequately implement information classification within their organization.

Corporate Policy: All information must be classified by the owner into one of three classifications: Confidential, Internal Use or Public. (From Company Policy on Information Management)

Confidential

Definition: Information that, if disclosed, could:
    Violate the privacy of individuals,
    Reduce the company’s competitive advantage, or
    Cause damage to the company.

Examples: Some examples of Confidential information are:
    Personnel records (including name, address, phone, salary, performance rating, social security number, date of birth, marital status, career path, number of dependents, etc.),
    Customer information (including name, address, phone number, energy consumption, credit history, social security number, etc.),
    Shareholder information (including name, address, phone number, number of shares held, social security number, etc.),
    Vendor information (name, address, product pricing specific to the company, etc.),
    Health insurance records (including medical, prescription, and psychological records),
    Specific operating plans, marketing plans, or strategies,
    Consolidated revenue, cost, profit, or other financial results that are not public record,
    Descriptions of unique parts or materials, technology intent statements, or new technologies and research that are not public record,
    Specific business strategies and directions,
    Major changes in the company’s management structure, and
    Information that requires special skill or training to interpret and employ correctly, such as design or specification files.

If any of these items can be found freely and openly in public records, the company’s obligation to protect from disclosure is waived.

Internal Use

Definition: Classify information as Internal Use when the information is intended for use by employees when conducting company business.

Examples: Some examples of Internal Use information are:
    Operational business information/reports,
    Noncompany information that is subject to a nondisclosure agreement with another company,
    Company phone book,
    Corporate policies, standards, and procedures, and
    Internal company announcements.

Public

Definition: Classify information as Public if the information has been made available for public distribution through authorized company channels. Public information is not sensitive in context or content, and requires no special protection.

Examples: The following are examples of Public information:
    Corporate Annual Report
    Information specifically generated for public consumption (such as public service bulletins, marketing brochures, and advertisements)

TABLE 5.9 Information Classification Policy: Example 4

Information Management

1. General
    A. Corporate information includes information that is electronically generated, printed, filmed, typed, or stored.
    B. Information is a corporate asset and is the property of Corporation.

2. Information Retention
    A. Each organization shall retain information necessary to the conduct of business.
    B. Each organizational unit shall establish and administer a records management schedule in compliance with applicable laws and regulations, and professional standards and practices, and be compatible with Corporate goals and expectations.

3. Information Protection
    A. Information must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.
    B. Employees are responsible for protecting corporate information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. To facilitate the protection of corporate information, employee responsibilities have been established at three levels: Owner, Custodian, and User.
        1) Owner: Company management of the organizational unit where the information is created, or management of the organizational unit that is the primary user of the information. Owners are responsible to:
            a) Identify the classification level of all corporate information within their organizational unit,
            b) Define appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource,
            c) Monitor safeguards to ensure they are properly implemented,
            d) Authorize access to those who have a business need for the information, and
            e) Remove access from those who no longer have a business need for the information.
        2) Custodian: Employees designated by the owner to be responsible for maintaining the safeguards established by the owner.
        3) User: Employees authorized by the owner to access information and use the safeguards established by the owner.
    C. Each Vice President shall appoint an Organization Information Protection Coordinator who will administer an information protection program that appropriately classifies and protects corporate information under the Vice President’s control and makes employees aware of the importance of information and methods for its protection.

4. Information Classification: To ensure the proper protection of corporate information, the owner shall use a formal review process to classify information into one of the following classifications:
    A. Public: Information that has been made available for public distribution through authorized company channels. (Refer to Communication Policy for more information.)
    B. Confidential: Information that, if disclosed, could violate the privacy of individuals, reduce the company’s competitive advantage, or could cause significant damage to the company.
    C. Internal Use: Information that is intended for use by all employees when conducting company business. Most information used in the company would be classified Internal Use.

An organization’s records are one of its most important and valuable assets. Almost every employee is responsible for creating or maintaining organization records of some kind, whether in the form of paper, computer data, optical disk, electronic mail, or voice-mail. Letters, memoranda, and contracts are obviously information records, as are things such as a desk calendar, an appointment book, or an expense record.

Organizations are required by law to maintain certain types of records, usually for a specified period of time. The failure to retain such documents for these minimum time periods can subject an organization to penalties, fines, or other sanctions, or could put it at a serious disadvantage in litigation. Therefore, every organization should implement a Records Management Policy to provide standards for maintaining complete and accurate records to ensure that employees are aware of what records to keep and for how long, what records to dispose of, and how to dispose of them.

The cost of storage and administration problems involved in retaining material beyond its useful life are a few important reasons to establish a Records Management Policy. Consideration should also be given to the impact that a failure to produce subpoenaed records might have on the organization when defending itself against a lawsuit. Determining the proper retention periods for information records is a requirement in today’s operating environment. Information records should be kept only as long as they serve a useful purpose or until legal requirements are met. At the end of the retention period, records should be destroyed in a verifiable manner. Implementing effective information classification and records management policies makes sound business sense and shows that management is practicing due diligence.

Before drafting a Records Management Policy, consult with your legal staff to ensure that the policy reflects any relevant statutes. The retention standards that support the policy should be reviewed annually when conducting an organizationwide information asset inventory.

5.12.1 Sample Records Management Policy

See Table 5.10 for a sample Records Management Policy.