Level 2 Supporting Policies
      Back to home
      1. HealthSafe Help Center
      2. HS ISO27001 Documents
      3. Level 2 Supporting Policies

      04. Healthsafe Info Classification and Labelling Policy







      INFORMATION CLASSIFICATION &

      LABELLING POLICY







      Document Identification 

      HSNZ/POL/04

      Document Name

      Information Classification & Labelling Policy

      Master Copy

      CISO

      Version Number

      1.3

      Date Of Release 

      15 Aug 2023

      Prepared By

      Eparama Tuibenau

      CISO

      Approved by

      Kevin McAfee

      Managing Director


       

       


      VERSION HISTORY


      Sl No

      Version No.

      Prepared by

      Approved by

      Description of Version

      Date

      Reason for Version Change

      From

      To

      1

      1.0

      -

      CISO

      MD

      First Release

      14 Apr 2020 

      No changes made

      1

      1.0

      1.1

      CISO

      MD

      Updated

      21 Jun 2021 

      Modifications due to changes in HealthSafe

      1

      1.1

      1.2

      CISO

      MD

      Reviewed

      27 July 2022 

      Annual review

      1

      1.2

      1.3

      CISO

      MD

      Reviewed

      15 Aug 2023

      Annual review

      DOCUMENT STATUS


      Date

      Document Status

      14 Apr 2020

      Modified

      18 Jun 2021

      Reviewed

      27 Jul 2022

      Reviewed

      15 Aug 2023

      Current

      Table of Contents

      1. Purpose
      2. Scope
      3. Abbreviations, Acronyms and Definitions
      4. Input
      5. Output
      6. Interacting Process
      7. Procedure
      8. Monitoring the Process
      9. Records



      • PURPOSE

      To ensure that the documents required by the ISMS should be protected and controlled as per the procedures given for HealthSafe NZ.


      • SCOPE

      Applicable to data, documents and records dealt by HealthSafe


      • ABBREVIATIONS, ACRONYMS AND DEFINITIONS

      Abbreviation

      Description

      IT

      Information Technology Department

      TL/PM

      Team Lead / Project Manager

      FH

      Functional Head

      CISO

      Chief Information Security Officer

      4 INPUT


      Data Classification


      5 OUTPUT


      Data Protection based on level of classification


      6 INTERACTING PROCESS


      CISO, FH, IT, TL & GM


      7 PROCEDURE


      Information will be classified based on the level of protection required.


      Public - Non-sensitive information available for external release.


      Internal – Internal Information that is generally available to employees.


      Confidential (Sensitive) – Information that is sensitive within HealthSafe NZ and is intended for use only by specified groups of employees.


      CRITERIA

      PUBLIC

      Internal

      CONFIDENTIAL

      Description

      Non-sensitive information available for external release.

      Information that is only sensitive outside HealthSafe NZ. Generally available to employees.

      Information that is sensitive within the HealthSafe NZ, and is intended for business use only by specific groups of employees.

      Examples

      Annual reports, HealthSafe NZ Web sites, Public circulars and publications

      Internal Circulars/ Memorandums, Policies, Procedures, guidelines, work instructions, and records

      Customer information, Employee personal information, budgets, business plan & strategic reports, assessment reports, cryptographic keys, etc

      Impact of Unauthorised Disclosure

      No adverse impact on unauthorised disclosure.

      Limited adverse impact. May damage the image of the HealthSafe NZ

      Significant adverse impact, may adversely affect HealthSafe NZ, its employees, its clients or customers. Damage the reputation of  HealthSafe NZ

      Access Restrictions

      Accessible to all the employees and public if required

      Access normally permitted to intended employees and denied to public. Access by external parties must be subject to a non- disclosure agreement.

      Access must be limited to the specified and authorised employees only. Access must only be granted on a business need to know. Access by external parties must be subject to a non- disclosure agreement.

      Storage of Information

      No security is required

      Department storage should be adequate to prevent casual disclosure

      Information to be encrypted in order to provide extra protection to the data. Media must be kept in a secured environment under lock and key.

      Labelling of Information

      Labelling not required

      Must be labelled as INTERNAL of all documents both soft copies and hard copies of data

      Each page must be marked as CONFIDENTIAL of all documents both soft copies and hard copies of data.

      Disposal of Information

      Removal of Directory entry for file

      Removal of Directory entry for file

      In addition to removing the directory entry for the file, the space used by the file must be over-written using approved means. Hard copies must be shredded.

      INFORMATION CLASSIFICATION AND LABELLING


      Public

      • General information and organisational brochures should be considered as public.
      • Information pertaining to HealthSafe NZ which is available on www domain could be accessed by anyone.
      • Public information should be made available through Internet/E-mails.
      • Hard/Softcopies with no label should be considered as “Public”.
      • Hard copies of the “Public” documents should not be stamped.

      Internal


      • All information of proprietary nature - procedures, operational work routines, project plans, designs and specifications that define the way in which HealthSafe operates should be considered as “Internal”.
      • Access to information labelled “Internal” should be given to authorised persons with a business need to know and is for circulation within the organisation.
      • Internal Information/Data should be made available through Intranet/ E-mails to employees and to third party personnel with a business need to know.
      • Media containing obsolete Internal information/data should be destroyed/ formatted. Information asset owner should initiate the disposal.
      • Information needing to be shared externally for the use of a project proposal/tender should use the Gmail Confidential Mode to restrict downloading, forwarding, or printing of any sensitive information when applicable.

      Confidential

      • All information regarding Business, financial, Trade secrets, marketing, operational, technical and customer /client information should be considered as “Confidential”.
      • Access to information labelled “Confidential” should be given to authorised persons with a business need to know and relevant level of physical and logical access should be provided.
      • Confidential Information/Data should be made available through Secure FTP/Email/Electronic file transmission systems.
      • Media containing “Confidential” information/data which is no longer required should be destroyed/ formatted. Information asset owner should initiate the disposal.
      • Information needing to be shared externally for the use of a project proposal/tender should use the Gmail Confidential Mode to restrict downloading, forwarding, or printing of any sensitive information when applicable.

      INFORMATION LABELING AND HANDLING


      Handling, processing, storing, and communicating information consistent with its classification are:

      • All the templates will be labelled as internal, where labelling is not in our control physical labelling may not be possible, but they are classified into three categories and should be understood.
      • The distribution of data should keep to a minimum and should be accessible to authorised persons who require them for business needs.
      • System documentation should be stored securely.
      • Automatic forwarding of electronic mail to external mail addresses should not be allowed;
      • Messages containing sensitive information should not be left on voice mail since these may be replayed by unauthorised persons, stored on communal systems or stored incorrectly as a result of misdialing




      Labelling the Classified Information


      Label both physically and electronically stored information as stated in the above table to ensure that the information is handled according to the HealthSafe NZ rules;



      • Electronic labelling for computer-based information needs to be done according to the labelling guidelines as shown in the above table. This could be at the folder level for sensitive and confidential information;

      Storing and Handling Classified Information


      • Highly confidential information, which has not been transported safely or destroyed securely, may be disclosed in the public domain, resulting in the damage of HealthSafe NZ reputation. So, whenever the use of information/data is completed, destroy the data or save the data in a secured location; 

      • Confidential information may retain its original classification when it should have been reclassified to a higher level of confidentiality. This may result in loss of the information due to its storage in an inappropriate location (physical or electronic).

      • For storing and disposal of data needs to be done according to the guidelines as shown in the above table.

      8 MONITORING THE PROCESS


      • Data Classification Method 

      9 RECORDS


      • Master List of Documents