04. Healthsafe Info Classification and Labelling Policy







INFORMATION CLASSIFICATION & LABELLING POLICY

Document Identification: HSNZ/POL/04
Document Name: Information Classification & Labelling Policy
Master Copy: CISO
Version Number: 1.3
Date of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved By: Kevin McAfee, Managing Director

VERSION HISTORY

Sl No | Version From | Version To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
------|--------------|------------|-------------|-------------|------------------------|------|--------------------------
1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 21 Jun 2021 | Modifications due to changes in HealthSafe
1 | 1.1 | 1.2 | CISO | MD | Reviewed | 27 July 2022 | Annual review
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review


DOCUMENT STATUS

Date | Document Status
------------|----------------
14 Apr 2020 | Modified
18 Jun 2021 | Reviewed
27 Jul 2022 | Reviewed
15 Aug 2023 | Current


Table of Contents

  1. Purpose
  2. Scope
  3. Abbreviations, Acronyms and Definitions
  4. Input
  5. Output
  6. Interacting Process
  7. Procedure
  8. Monitoring the Process
  9. Records



1 PURPOSE

To ensure that the information and documents required by the ISMS are protected and controlled according to the procedures defined for HealthSafe NZ.


2 SCOPE

Applicable to all data, documents and records handled by HealthSafe.


3 ABBREVIATIONS, ACRONYMS AND DEFINITIONS

Abbreviation | Description
-------------|------------
IT | Information Technology Department
TL/PM | Team Lead / Project Manager
FH | Functional Head
CISO | Chief Information Security Officer


4 INPUT


Data Classification


5 OUTPUT


Data Protection based on level of classification


6 INTERACTING PROCESS


CISO, FH, IT, TL & GM


7 PROCEDURE


Information will be classified based on the level of protection required.


Public - Non-sensitive information available for external release.


Internal – Information that is generally available to employees but is sensitive outside HealthSafe NZ.


Confidential (Sensitive) – Information that is sensitive within HealthSafe NZ and is intended for use only by specified groups of employees.


CLASSIFICATION CRITERIA

Description
  Public: Non-sensitive information available for external release.
  Internal: Information that is only sensitive outside HealthSafe NZ. Generally available to employees.
  Confidential: Information that is sensitive within HealthSafe NZ and is intended for business use only by specific groups of employees.

Examples
  Public: Annual reports, HealthSafe NZ websites, public circulars and publications.
  Internal: Internal circulars/memorandums, policies, procedures, guidelines, work instructions and records.
  Confidential: Customer information, employee personal information, budgets, business plans and strategic reports, assessment reports, cryptographic keys, etc.

Impact of Unauthorised Disclosure
  Public: No adverse impact from unauthorised disclosure.
  Internal: Limited adverse impact. May damage the image of HealthSafe NZ.
  Confidential: Significant adverse impact. May adversely affect HealthSafe NZ, its employees, its clients or customers, and damage the reputation of HealthSafe NZ.

Access Restrictions
  Public: Accessible to all employees and to the public if required.
  Internal: Access normally permitted to intended employees and denied to the public. Access by external parties must be subject to a non-disclosure agreement.
  Confidential: Access must be limited to specified and authorised employees only, and granted only on a business need to know. Access by external parties must be subject to a non-disclosure agreement.

Storage of Information
  Public: No security is required.
  Internal: Department storage should be adequate to prevent casual disclosure.
  Confidential: Information must be encrypted to provide extra protection to the data. Media must be kept in a secured environment under lock and key.

Labelling of Information
  Public: Labelling not required.
  Internal: All documents, both soft copies and hard copies, must be labelled INTERNAL.
  Confidential: Each page of every document, both soft copies and hard copies, must be marked CONFIDENTIAL.

Disposal of Information
  Public: Removal of the directory entry for the file.
  Internal: Removal of the directory entry for the file.
  Confidential: In addition to removing the directory entry for the file, the space used by the file must be overwritten using approved means. Hard copies must be shredded.


INFORMATION CLASSIFICATION AND LABELLING


Public

  • General information and organisational brochures should be considered as Public.
  • Information pertaining to HealthSafe NZ that is published on its public website can be accessed by anyone.
  • Public information should be made available through the Internet or e-mail.
  • Hard copies and soft copies with no label should be considered as “Public”.
  • Hard copies of “Public” documents should not be stamped.

Internal


  • All information of a proprietary nature, such as procedures, operational work routines, project plans, designs and specifications that define the way in which HealthSafe operates, should be considered as “Internal”.
  • Access to information labelled “Internal” should be given to authorised persons with a business need to know, and the information is for circulation within the organisation only.
  • Internal information/data should be made available through the Intranet or e-mail to employees and to third-party personnel with a business need to know.
  • Media containing obsolete Internal information/data should be destroyed or formatted. The information asset owner should initiate the disposal.
  • Information that needs to be shared externally for a project proposal or tender should be sent using Gmail Confidential Mode, where applicable, to restrict downloading, forwarding or printing of any sensitive information.

Confidential

  • All business, financial, trade secret, marketing, operational, technical and customer/client information should be considered as “Confidential”.
  • Access to information labelled “Confidential” should be given only to authorised persons with a business need to know, and the appropriate level of physical and logical access should be provided.
  • Confidential information/data should be made available only through secure FTP, e-mail or electronic file transmission systems.
  • Media containing “Confidential” information/data that is no longer required should be destroyed or formatted. The information asset owner should initiate the disposal.
  • Information that needs to be shared externally for a project proposal or tender should be sent using Gmail Confidential Mode, where applicable, to restrict downloading, forwarding or printing of any sensitive information.

INFORMATION LABELLING AND HANDLING


Requirements for handling, processing, storing and communicating information in a manner consistent with its classification:

  • All templates will be labelled as Internal. Where labelling is not within our control, physical labelling may not be possible, but the information is still classified into one of the three categories and must be handled accordingly.
  • The distribution of data should be kept to a minimum and limited to authorised persons who require it for business needs.
  • System documentation should be stored securely.
  • Automatic forwarding of electronic mail to external mail addresses should not be allowed.
  • Messages containing sensitive information should not be left on voice mail, since they may be replayed by unauthorised persons, stored on communal systems, or stored incorrectly as a result of misdialling.




Labelling the Classified Information


Label both physically and electronically stored information as stated in the table above, to ensure that the information is handled according to HealthSafe NZ rules.



  • Electronic labelling of computer-based information must follow the labelling guidelines in the table above. For sensitive and confidential information this may be applied at the folder level.

Storing and Handling Classified Information


  • Highly confidential information that has not been transported safely or destroyed securely may be disclosed in the public domain, resulting in damage to HealthSafe NZ's reputation. Whenever the use of information/data is completed, destroy the data or save it in a secured location.

  • Confidential information may retain its original classification when it should have been reclassified to a higher level of confidentiality. This may result in loss of the information because it is stored in an inappropriate location (physical or electronic).

  • Storage and disposal of data must be carried out according to the guidelines in the table above.

8 MONITORING THE PROCESS


  • Data Classification Method 

9 RECORDS


  • Master List of Documents