Information Sensitivity Policy

Version: 1.00
Issue Date: 1/20/2015

This Information Sensitivity Policy specifies how information/data is handled based on its sensitivity classification.

1.0 Overview

This Information Sensitivity Policy will help staff determine how to handle information based on its information sensitivity classification.

2.0 Purpose

This Information Sensitivity Policy is intended to help protect information based on its sensitivity classification. It will define the handling of data based on sensitivity classification for the following:

  • Transmission of electronic data.
  • Storage of electronic data.
  • Storage of printed data.
  • Use of printed data and materials.
  • Who may have access to or handle data of different sensitivity levels based on the individual's security classification level.
  • Minimum security requirements for systems that store or transmit data of different sensitivity levels.
  • What information can or cannot be disclosed to individuals outside the organization and to whom.
  • What information is marked, who designated that it must be marked, and how it is marked.
  • How email or mail can or should be used to send information.

3.0 Scope

This Information Sensitivity Policy applies to all data or information whether stored in electronic form, stored in a hard copy, shared verbally, or shared visually. It applies to any data or information stored or used by the organization. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Definitions

  • Data - The term data refers to information but is typically used to describe information stored or transmitted in electronic format.
  • Information - The term information refers to knowledge which may be stored in any form, whether printed or in electronic form. Information includes data but data does not include all information.
  • Confidential - Information to be kept secret or private and should not be shared with others unless required by a business function and with authorization.
  • Sensitive - Information, which when released can cause an irritation or problem for one or more individuals or organizations.
  • Private - Information which belongs to an individual or organization and is not publicly known.
  • Data owner - The person, organization, or department which either created the data or that the data describes such as name and address.
  • Data custodian - The person, organization, or department with possession of the data. Custodianship may be shared between the business staff and technical staff since business staff use the data and technical staff maintain the equipment that the data is stored on and take actions to keep the data available and secure.

The differences between confidential, sensitive, and private are negligible and somewhat obscure, so the use of more than one of these terms to describe a data class would not be very effective.

5.0 Storage of Electronic Data

Provides requirements for storage of electronic data at various sensitivity levels.

  • Servers that have secret or top secret data stored on them shall comply with the Server Security Policy but additionally employ the use of approved intrusion detection technologies on the server.
  • Any system that stores data at a secret level or higher must have security controls beyond those of most systems. These controls include intrusion detection, regular security checks, and frequent scans for malware.
  • Information that is classified as top secret shall be encrypted at all times when stored. The encryption technology used shall be of the highest level as specified by the Encryption Policy or associated documents.
  • Individual access controls should be used for accessing data at a confidential level or higher.
  • Before transferring equipment outside the organization or disposing of the equipment, the storage media must be cleaned (reliably erased so it cannot be recovered) according to the Equipment and Media Disposal Policy. This applies to any media storing data classified as confidential or higher. For data classified as secret or top secret, more thorough erasure techniques may be required by the Equipment and Media Disposal Policy.
  • Information that has a confidential level or higher and is stored on mobile devices including mobile computers must be encrypted and handled according to the Mobile Computer Policy and Mobile Device Policy. The encryption technology used shall be of the appropriate level for the data sensitivity classification as specified by the Encryption Policy or associated documents.
  • Backup media should have the same or better security and access controls as the system the data is stored on. Backup media should be handled according to the data sensitivity levels of the highest level of data stored on it.
  • Data with a sensitivity level of confidential or higher shall not be stored or displayed on machines without access controls.
  • Information should not be stored any longer than is required by the business function.
  • Information shall not be stored on a third party network, third party equipment, or equipment that is not managed by the organization without written consent from the organizational security officer. This is in force regardless of the sensitivity of the data being stored.
  • Information that has a confidential rating or higher shall not be stored on a third party network, third party equipment, or equipment that is not managed by the organization.
  • Data that is categorized as confidential or above shall not be allowed to be posted on a website with unrestricted access.

6.0 Transmission of Electronic Data

Transmission and encryption requirements for inside exchange and outside exchange.

  • Any data with a confidential classification level or higher may not be sent outside the organization without a business requirement.
  • Data that has a confidential classification level or higher may not be sent outside the organization without approval by management unless the recipient is covered by a non-disclosure agreement.
  • Data with a secret classification level or higher may only be sent to approved recipients that have a business need for the data and are approved to handle the data at the classification level that they are receiving.
  • Data with a confidential classification level or higher must be sent in an encrypted format according to its sensitivity classification as specified by the Encryption Policy. The policy may specify that top secret data be encrypted with a different protocol or minimum bit length than secret data.
  • Data with a confidential classification level must be sent over private media or be encrypted according to the Encryption Policy.
  • Data sent over the internal network shall not be considered more secure than data sent externally due to the potential presence of malware on client computers.
  • Data that should be sent in a secure manner (encrypted and/or over a secure path) includes encryption keys, passwords, security management information, and data that is at a level of confidential or higher. Such data is exchanged only over a secure path. Encryption is required, along with appropriate physical protection of the carrier if possible, according to the Encryption Policy.
  • Information shall not be exchanged using a third party network, third party equipment, or equipment that is not managed by the organization without due consideration of the data sensitivity of the information being exchanged. Any data sent using a third party network, third party equipment, or equipment that is not managed by the organization must be properly encrypted according to the Encryption Policy.

7.0 Storage and Use of Printed Data

  • Data on paper that has a confidential classification level or higher must be shredded prior to disposal. Data with top secret classification must be shredded into chunks rather than strips.
  • Data that has a confidential level or higher should be stored in a locked container, cabinet, or drawer.
  • Data that has a secret classification level or higher may only be stored in a locked approved container.
  • Data that has a secret classification level or higher must be checked out. The locked container shall be in the care of a custodian and employees with authorization and need to use the data must check the data into their possession from the data custodian or librarian.
  • Data that has a secret classification level or higher may not be left unattended unless it is locked in an approved container which is approved for that classification level.

8.0 Transportation of Printed or Written Data

  • Interoffice mail - Data at a level of confidential or higher may be sent using interoffice mail which is equipped to handle the data securely. The requirements for handling of this data are as follows:
    • The information cannot be dropped off at the interoffice mail office and left on a desk or in an open container. It must be checked in and a representative at the interoffice mail office must sign for it.
    • The data must always be locked in an approved container for top secret information unless it is in the care of someone that is cleared to handle top secret information.
    • The recipient must sign for the information upon delivery.
    • The person carrying the information must be cleared to handle top secret information.
  • Confidential information may be sent using US Mail but the recipient must sign for the information.
  • Information with a sensitivity classification of secret or higher must be sent using an approved private carrier. The receipt of the document must be shown using a signature by the recipient and the carrier must acknowledge receipt of the document prior to delivery.
  • Confidential or higher level information may not be left unattended in a mail slot.

9.0 Marking of Data

  • The data should be marked with the name of the data owner or data custodian when practical.
  • Generally, data that is at a sensitivity level of confidential or higher should be marked; however, marking the data at levels below secret is at the discretion of the data owner or the data custodian. The data should be marked according to the Data Classification Policy.

10.0 Sharing of Data and Data Access Levels

  • Data should only be shared with approved individuals with a need to know that have an approved security level as high as or higher than the data being viewed or shared.
  • The business owner of the data or the business owner of the system authorizes the granting of access, any changes to current access rights, and removal of access. The principle of least privilege and segregation of duties should be considered when granting access and choosing the level of access.
  • All whiteboards or blackboards should be thoroughly erased if information that is at a sensitivity level of confidential or higher was written on them.
  • Data that is at a sensitivity level of confidential or higher should never be left in view on a table where individuals not approved to view the material are in the area.
  • Prior to sharing data with a sensitivity level of confidential or higher with individuals from a third party organization, a non-disclosure agreement with that organization must be in force.

11.0 Displayed Data

  • Data that is at a sensitivity level of top secret shall not be displayed outside a physically secure area.
  • Data that is at a sensitivity level of confidential or higher shall be displayed so that it cannot be recalled once the window displaying it is closed. Programs used to display the data should not cache the data in memory or allow a user to use a back button on a browser to display it again.
  • Any system that displays or manipulates data at a secret level or higher must have security controls beyond those of most systems. These controls include intrusion detection, regular security checks, and frequent scans for malware.

12.0 Security Officer

A person familiar with computer security should be designated to perform duties to ensure security. Some of these duties include:

  • An organizational security officer reviews information to be sure it is appropriately classified and secured.
  • The organizational security officer will check to be sure sensitive information is transmitted and stored according to policy. Normally audits of systems and user actions will be used to be sure policy is being followed.

13.0 Other Policies

  • Data Classification Policy - Specifies how data is categorized based on its sensitivity needs.
  • Equipment and Media Disposal Policy
  • Mobile Computer Policy and Mobile Device Policy
  • Encryption Policy

14.0 Enforcement

Since data handling is critical for protecting data stored by the organization to prevent damage, employees that violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

15.0 Other Requirements

  • Additional security, reliability requirements and control measures for systems that store, transmit, or receive sensitive (confidential, secret, or top secret) data should be established. Logical and physical access should be considered.
  • Protection measures for all data must be communicated to stakeholders and users. The measures cover confidentiality, integrity, and availability of data in each sensitivity classification.
  • Each system and project should have a plan to protect data through the lifecycle of the system and project to ensure the data is adequately protected from when it is created to when it is destroyed.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________