Information Classification Policy

A responsibility to protect the information Intrepid holds.

Introduction

Intrepid has a responsibility to protect the information it holds and processes using controls appropriate to the sensitivity of the information involved.

Information can take many forms including, but not limited to, the following:

  • Hard copy data held on paper.

  • Data stored electronically in computer systems.

  • Communications sent by physical post or using email.

  • Data stored using electronic media such as USB drives, disks and tapes.

Intrepid maintains inventories of all important information assets upon which it relies. Intrepid recognises that there are risks associated with employees, customers, contractors and other third parties accessing and handling information in order to conduct official organisation business.

Only by classifying information according to a documented scheme can the correct level of protection be applied. This document sets out the details of the scheme to be adopted and the criteria applied in deciding which level of protection to apply to any given information asset.

Adequate handling of assets is fundamental to the correct operation of Intrepid and without it many of the other controls that are in place will not be effective.

Scope

This control applies to all systems, people and processes that constitute Intrepid’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Intrepid systems.

Definition

Information is defined as:

An asset that, like other important business assets, is essential to an enterprise’s business. It can exist in many forms. It can be printed or written on paper, stored electronically, in structured (document) or unstructured form (computer file), transmitted by post or by using electronic means, shown via multimedia technologies or spoken in conversation.

Information in electronic form is also referred to as data; the same information security policies apply whether the information is referred to as information or as data.

Communications

All employees and third parties who come into contact with Intrepid information assets must be aware of this policy and the arrangements it specifies.

Intrepid management must carry out effective communication and awareness activity so that all employees, contractors and third parties are made aware of these policies.

Information Ownership

All Intrepid information, data and/or documents, regardless of classification must have an owner assigned who is accountable for classifying and handling the information appropriately.

Assets associated with information and information processing facilities must be identified and an inventory of these assets be drawn up and maintained.

Information Classification Policy

On creation, all information assets must be assessed and classified by the owner according to their content.  The classification will determine how the asset should be protected and who should be allowed access to it.  

Any system subsequently allowing access to this information should clearly indicate the classification.

The Intrepid Information Security Classification Scheme requires every information asset to be assigned one of the following classifications:

  • Level 0 - Public

  • Level 1 - Internal

  • Level 2 - Confidential

  • Level 3 - Restricted

With the exception of the "Public" classification, all information assets must be clearly marked with their classification.

The way the information is handled, published, moved and stored will be dependent on this assignment.

The definitions of these classes of information are described in further detail below. The decision regarding which classification an information asset should fall into is based on the following main criteria:

  1. Legal requirements that must be complied with.

  2. Value to the organisation.

  3. Criticality to the organisation.

  4. Sensitivity to unauthorised disclosure or modification.

These areas are considered in the definitions below.

Information Classification Definitions

Public Information Assets

Descriptor: Information that is not sensitive and can be made public without adverse consequences for Intrepid.

Considerations: Much of the information held by the organisation is freely available to the public through established publication channels. Such items carry no classification marking and need not be individually inventoried, but the owner who decides that an item may be published remains accountable for that decision and for the integrity of what is published.

It may be necessary however to maintain an awareness of the information that falls within this classification over time as circumstances may change and a need to provide increased protection of previously public information assets may arise. 

Protection: Reasonable levels of integrity and availability are required.

Internal Information Assets 

Descriptor: Information that is restricted to Intrepid employees, contractors or business partners and protected from external access, and whose unauthorised distribution could affect Intrepid's operational effectiveness or cause minor financial loss, minor reputational damage or minor regulatory sanction.

Considerations: Some of the information that the organisation does not publish freely will be classified as Internal. This is typically information which is relatively private in nature, either to an individual or to the organisation, and whose loss or disclosure, while unlikely to have significant consequences, would be undesirable.

The criteria for assessing whether information would be classified as Internal include whether its unauthorised disclosure would:

  • Cause distress to individuals.

  • Breach proper undertakings to maintain the confidence of information provided by third parties.

  • Breach statutory restrictions on the disclosure of information.

  • Cause financial loss or loss of earning potential, or facilitate improper gain.

  • Give an unfair advantage to individuals or companies.

  • Prejudice an investigation or facilitate the commission of crime.

  • Disadvantage the organisation in commercial negotiations with others.

Most employees of the organisation are likely to handle “Internal” information during the course of their working day.

Protection:

  • Information integrity must be maintained, and

  • Access is limited to Intrepid employees, contractors and business partners; external access is not permitted.

Confidential Information Assets 

Descriptor: Information collected and used by Intrepid in the conduct of its business and in managing all aspects of Intrepid's corporate strategy and finance, and whose unauthorised distribution could affect Intrepid's operational effectiveness or cause significant financial loss, significant reputational damage or significant legal sanction.

Considerations: Disclosure of this information to unauthorised persons would be more serious than for Internal information and could result in significant embarrassment to the organisation and possibly legal consequences.

The criteria for assessing whether information would be classified as Confidential include whether its unauthorised disclosure would:

  • Adversely affect relations with other organisations.

  • Cause substantial distress to individuals.

  • Cause financial loss or loss of earning potential.

  • Allow improper gain or advantage for individuals or other organisations.

  • Prejudice an investigation or facilitate the commission of crime.

  • Breach proper undertakings to maintain the confidence of information provided by third parties.

  • Impede the effective development or operation of organisational policies.

  • Breach statutory restrictions on disclosure of information.

  • Disadvantage the organisation in commercial or policy negotiations with others.

  • Undermine the proper management of the organisation and its operations.

Protection:

  • High levels of integrity and confidentiality, with restricted access, are mandatory, and

  • Access is restricted to named groups of individuals.

Restricted Information Assets

Descriptor: Information whose compromise could cause major loss and impact to Intrepid, and whose unauthorised distribution could affect Intrepid's operational effectiveness or cause major financial loss, major reputational damage or major legal sanction.

All Client data and information is classified as Restricted by default (see Client Information below).

Considerations: Restricted is the highest level of classification. It is reserved for information which is highly sensitive and would cause major reputational and financial loss if it were lost or wrongly disclosed.

The criteria for assessing whether information would be classified as Restricted include whether its unauthorised disclosure would:

  • Materially damage relations with other organisations (e.g. loss of client business).

  • Prejudice individual security or liberty.

  • Cause damage to the operational effectiveness or security of the organisation.

  • Work substantially against organisational finances or economic and commercial interests.

  • Substantially undermine the financial viability of major organisations.

  • Impede the investigation or facilitate the commission of serious crime.

  • Impede seriously the development or operation of organisational policies.

  • Shut down or otherwise substantially disrupt significant business operations.

Access to information assets defined as “Restricted” will be tightly controlled by senior management and in many cases numbered copies of documents will be distributed according to specific procedures.

Protection:

  • The highest levels of integrity and confidentiality, with the most tightly restricted access, are mandatory, and

  • Access is restricted to named individuals.

Client Information

All Client data and information is classified by default as Restricted.

The classification of Client data is determined by its use within the Company (i.e. Intrepid), not by the classification the Client applies to it. Hence, information that the Client classifies as Internal is treated as Restricted (the default) within Intrepid.

Each client engagement must review and classify data commensurate with the specific information types and contractual deliverables involved. The classification may change through the lifecycle of a project to reflect the original data, the processed data and the final data output.

Information Sharing with Clients and Partners

Where a confidentiality agreement exists with a partner, client or prospective client, information of any classification that is relevant to the engagement may be shared with that party without additional approval, subject to the handling requirements of the classification concerned.

Information Classification Designations

A correct classification will ensure that only genuinely sensitive information is subject to additional controls. The following points should be considered when assessing the classification to use:

  • Applying too high a classification can inhibit access, lead to unnecessary and expensive protective controls, and impair the efficiency of the organisation's business.

  • Applying too low a classification may lead to damaging consequences and compromise of the asset.

  • The compromise of larger sets of information of the same classification is likely to have a higher impact (particularly in relation to personal data) than that of a single instance. Generally this will not result in a higher classification but may require additional handling arrangements. However, if the accumulation of that data results in a more sensitive asset being created, then a higher classification should be considered.

  • The sensitivity of an asset may change over time and it may be necessary to reclassify assets. If a document is declassified or its marking changed, any file or collection that contains it must also be re-marked to reflect the highest marking among its contents.