Great American Title Company is hereinafter referred to as "the company."

1.0 Overview

Information assets are company assets, just like physical property. To determine the value of an asset and how it should be handled, data must be classified according to its importance to company operations and the confidentiality of its contents. Once this has been determined, the company can take steps to ensure that the data is treated appropriately.

2.0 Purpose

The purpose of this policy is to detail a method for classifying data and to specify how to handle this data once it has been classified.

3.0 Scope

The scope of this policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. Also covered by the policy are hardcopies of company data, such as printouts, faxes, notes, etc.

4.0 Policy

4.1 Data Classification

Data residing on corporate systems must be continually evaluated and classified.

Data classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all information must be protected. The classification assigned, and the controls applied as a result, depend on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must carry the same classification regardless of format.

4.2 Data Storage

The following guidelines apply to storage of the different types of company data.

4.2.1 Personal

There are no requirements for personal information.

4.2.2 Public

There are no requirements for public information.

4.2.3 Operational

Operational data must be stored where the backup schedule is appropriate to the importance of the data, at the discretion of the user.

4.2.4 Critical

Critical data must be stored on a server that gets the most frequent backups (refer to the Backup Policy for additional information). System- or disk-level redundancy is required.

4.2.5 Confidential

Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.

4.3 Data Transmission

The following guidelines apply to transmission of the different types of company data.

4.3.1 Personal

There are no requirements for personal information.

4.3.2 Public

There are no requirements for public information.

4.3.3 Operational

No specific requirements apply to the transmission of Operational Data; however, as a general rule, such data should not be transmitted unless necessary for business purposes.

4.3.4 Critical

There are no requirements on transmission of critical data, unless the data in question is also considered operational or confidential, in which case the applicable policy statements would apply.

4.3.5 Confidential

Confidential data must be protected by strong passwords whenever it is transmitted (for example, by sending it as a password-protected or encrypted file), regardless of whether the transmission takes place inside or outside the company's network. Confidential data must not be left on voicemail systems, inside or outside the company's network, or otherwise recorded.

4.4 Data Destruction

The following guidelines apply to the destruction of the different types of company data.

4.4.1 Personal

There are no requirements for personal information.

4.4.2 Public

There are no requirements for public information.

4.4.3 Operational

Cross-cut shredding is required for documents. Storage media should be appropriately sanitized/wiped or destroyed.

4.4.4 Critical

There are no requirements for the destruction of Critical Data, though shredding is encouraged. If the data in question is also considered operational or confidential, the applicable policy statements would apply.

4.4.5 Confidential

Confidential data must be destroyed in a manner that makes recovery of the information infeasible. The following guidelines apply:

Paper/documents: shredding is required.

Storage media (CDs, DVDs): physical destruction is required.

Hard Drives/Systems/Mobile Storage Media: physical destruction is required. If physical destruction is not possible, the IT Manager must be notified.

4.5 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

Authentication: A security method used to verify the identity of a user before access to a system or network is granted.

Backup: To copy data to a second location, solely for the purpose of safekeeping of that data.

Mobile Data Device: A data storage device that uses flash memory to store data. Often called a USB drive, flash drive, or thumb drive.

Two-Factor Authentication: A means of authenticating a user that combines two different kinds of factor: something the user knows (e.g., a password), something the user has (e.g., a smart card or token), or something the user is (e.g., a biometric). Examples are a smart card, token, or biometric used in combination with a password.

7.0 Revision History

Revision 1.0, 10/13/2012