Great American Title Company is hereinafter referred to as "the company."
1.0 Overview
Information assets are assets to the company just like physical property. In order to determine the value of the asset and how it should be handled, data must be classified according to its importance to company operations and the confidentiality of its contents. Once this has been determined, the company can take steps to ensure that data is treated appropriately.
2.0 Purpose
The purpose of this policy is to detail a method for classifying data and to specify how to handle this data once it has been classified.
3.0 Scope
The scope of this policy covers all company data stored on
4.0 Policy
4.1 Data Classification
Data residing on corporate systems must be continually evaluated and classified.
Data Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format.
4.2 Data Storage
The following guidelines apply to storage of the different types of company data.
4.2.1 Personal
There are no requirements for personal information.
4.2.2 Public
There are no requirements for public information.
4.2.3 Operational
Operational data must be stored where the backup schedule is appropriate to the importance of the data, at the discretion of the user.
4.2.4 Critical
Critical data must be stored on a server that gets the most frequent backups (refer to the Backup Policy for additional information). System- or
4.2.5 Confidential
Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.
4.3 Data Transmission
The following guidelines apply to transmission of the different types of company data.
4.3.1 Personal
There are no requirements for personal information.
4.3.2 Public
There are no requirements for public information.
4.3.3 Operational
No specific requirements apply to transmission of Operational Data; however, as a general rule, the data should not be transmitted unless necessary for business purposes.
4.3.4 Critical
There are no requirements on transmission of critical data, unless the data in question is also considered operational or confidential, in which case the applicable policy statements would apply.
4.3.5 Confidential
Strong passwords must be used when transmitting confidential data, regardless of whether such transmission takes place inside or outside the company's network. Confidential data must not be left on voicemail systems, either inside or outside the company's network, or otherwise recorded.
4.4 Data Destruction
The following guidelines apply to the destruction of the different types of company data.
4.4.1 Personal
There are no requirements for personal information.
4.4.2 Public
There are no requirements for public information.
4.4.3 Operational
4.4.4 Critical
There are no requirements for the destruction of Critical Data, though shredding is encouraged. If the data in question is also considered operational or confidential, the applicable policy statements would apply.
4.4.5 Confidential
Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply:
Paper/documents: shredding is required.
Storage media (CDs, DVDs): physical destruction is required.
Hard Drives/Systems/Mobile Storage Media: physical destruction is required. If physical destruction is not possible, the IT Manager must be notified.
4.5 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.
5.0 Enforcement
This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
6.0 Definitions
Authentication: A security method used to verify the identity of a user and authorize access to a system or network.
Backup: To copy data to a second location, solely for the purpose of safe keeping of that data.
Mobile Data Device: A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive.
7.0 Revision History
Revision 1.0, 10/13/2012