INFORMATION CLASSIFICATION &
LABELLING POLICY
Document Identification | HSNZ/POL/04
Document Name | Information Classification & Labelling Policy
Master Copy | CISO
Version Number | 1.3
Date Of Release | 15 Aug 2023
Prepared By | Eparama Tuibenau, CISO
Approved By | Kevin McAfee, Managing Director
VERSION HISTORY
Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 21 Jun 2021 | Modifications due to changes in HealthSafe
1 | 1.1 | 1.2 | CISO | MD | Reviewed | 27 July 2022 | Annual review
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review
DOCUMENT STATUS
Date | Document Status
14 Apr 2020 | Modified
18 Jun 2021 | Reviewed
27 Jul 2022 | Reviewed
15 Aug 2023 | Current
Table of Contents
- Purpose
- Scope
- Abbreviations, Acronyms and Definitions
- Input
- Output
- Interacting Process
- Procedure
- Monitoring the Process
- Records
1 PURPOSE
To ensure that the information and documents required by the ISMS are classified, labelled, protected and controlled according to the procedures defined for HealthSafe NZ.
2 SCOPE
Applicable to all data, documents and records handled by HealthSafe NZ.
3 ABBREVIATIONS, ACRONYMS AND DEFINITIONS
Abbreviation | Description
IT | Information Technology Department
TL/PM | Team Lead / Project Manager
FH | Functional Head
CISO | Chief Information Security Officer
4 INPUT
Data Classification
5 OUTPUT
Data Protection based on level of classification
6 INTERACTING PROCESS
CISO, FH, IT, TL & GM
7 PROCEDURE
Information will be classified based on the level of protection required.
Public - Non-sensitive information available for external release.
Internal – Internal Information that is generally available to employees.
Confidential (Sensitive) – Information that is sensitive within HealthSafe NZ and is intended for use only by specified groups of employees.
CRITERIA | PUBLIC | INTERNAL | CONFIDENTIAL
Description | Non-sensitive information available for external release. | Information that is only sensitive outside HealthSafe NZ; generally available to employees. | Information that is sensitive within HealthSafe NZ and is intended for business use only by specific groups of employees.
Examples | Annual reports, HealthSafe NZ websites, public circulars and publications. | Internal circulars/memorandums, policies, procedures, guidelines, work instructions and records. | Customer information, employee personal information, budgets, business plans and strategic reports, assessment reports, cryptographic keys, etc.
Impact of Unauthorised Disclosure | No adverse impact. | Limited adverse impact; may damage the image of HealthSafe NZ. | Significant adverse impact; may adversely affect HealthSafe NZ, its employees, its clients or customers, and damage the reputation of HealthSafe NZ.
Access Restrictions | Accessible to all employees and, where required, to the public. | Access normally permitted to intended employees and denied to the public. Access by external parties must be subject to a non-disclosure agreement. | Access must be limited to specified, authorised employees only and granted only on a business need to know. Access by external parties must be subject to a non-disclosure agreement.
Storage of Information | No additional security is required. | Departmental storage must be adequate to prevent casual disclosure. | Information must be encrypted to provide additional protection. Media must be kept in a secured environment under lock and key.
Labelling of Information | Labelling not required. | All documents, both soft copy and hard copy, must be labelled INTERNAL. | Each page of every document, both soft copy and hard copy, must be marked CONFIDENTIAL.
Disposal of Information | Removal of the directory entry for the file. | Removal of the directory entry for the file. | In addition to removing the directory entry for the file, the space used by the file must be overwritten using approved means. Hard copies must be shredded.
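The disposal row above distinguishes between simply removing a file's directory entry (Public, Internal) and first overwriting the space the file occupied (Confidential). The following Python is an added illustrative example of that rule and is not part of the HealthSafe NZ policy or any HealthSafe tooling; the function names, the single-pass random overwrite, and the sample file contents are assumptions made for the example. It opens the file for in-place update rather than truncating it, so the original allocated blocks are the ones overwritten, and it forces the writes to storage with fsync before unlinking.

```python
"""Classification-driven disposal of electronic files.

Added example (not HealthSafe NZ policy text or code). Names, the
one-pass random overwrite, and the sample files below are assumptions.
"""
import os
import tempfile
from enum import Enum


class Classification(Enum):
    PUBLIC = "PUBLIC"
    INTERNAL = "INTERNAL"
    CONFIDENTIAL = "CONFIDENTIAL"


def overwrite_file(path: str, passes: int = 1, block_size: int = 64 * 1024) -> int:
    """Overwrite the full length of `path` in place with random bytes.

    The file is opened for update ("r+b"), not truncated, so the blocks
    already allocated to it are what gets rewritten. fsync() pushes the
    writes to the storage device before the caller removes the entry.
    Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(block_size, remaining))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    return size


def dispose(path: str, classification: Classification) -> str:
    """Dispose of `path` per the policy table and return the action taken.

    PUBLIC / INTERNAL: remove the directory entry only.
    CONFIDENTIAL: overwrite the file's space first, then remove the entry.
    """
    if classification is Classification.CONFIDENTIAL:
        overwrite_file(path)
        os.remove(path)
        return "overwritten-and-unlinked"
    os.remove(path)
    return "unlinked"


def demo_disposal() -> dict:
    """Create two constructed sample files, dispose of each, and report.

    Returns {filename: (action, still_exists)} so the outcome can be checked.
    """
    workdir = tempfile.mkdtemp(prefix="hsnz-dispose-")
    results = {}
    samples = [
        ("public_brochure.txt", Classification.PUBLIC),
        ("customer_budget.txt", Classification.CONFIDENTIAL),
    ]
    for name, cls in samples:
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n" * 2000)  # constructed data
        action = dispose(path, cls)
        results[name] = (action, os.path.exists(path))
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    print(demo_disposal())
```

One caveat a practitioner should weigh before treating in-place overwriting as an "approved means": on SSDs (wear levelling), journaling or copy-on-write filesystems, filesystem snapshots, and cloud block storage, rewriting a file's logical blocks does not guarantee the physical blocks holding the old contents are gone. In those environments the workable equivalent is to keep Confidential data encrypted at rest, as the Storage row already requires, and destroy the key when the data is no longer needed.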
INFORMATION CLASSIFICATION AND LABELLING
Public
- General information and organisational brochures should be considered Public.
- Information about HealthSafe NZ that is published on the public website (www domain) can be accessed by anyone.
- Public information may be distributed via the Internet or e-mail.
- Hard copies and soft copies carrying no label should be considered "Public".
- Hard copies of "Public" documents should not be stamped.
Internal
- All information of a proprietary nature, such as procedures, operational work routines, project plans, designs and specifications that define the way HealthSafe operates, should be considered "Internal".
- Access to information labelled "Internal" should be given to authorised persons with a business need to know; it is for circulation within the organisation.
- Internal information/data should be made available through the Intranet or e-mail to employees and to third-party personnel with a business need to know.
- Media containing obsolete Internal information/data should be destroyed or formatted. The information asset owner should initiate the disposal.
- Information that must be shared externally for a project proposal/tender should be sent using Gmail Confidential Mode, where applicable, to restrict downloading, forwarding or printing of any sensitive information.
Confidential
- All business, financial, trade-secret, marketing, operational, technical and customer/client information should be considered "Confidential".
- Access to information labelled "Confidential" should be given only to authorised persons with a business need to know, and the corresponding level of physical and logical access should be provided.
- Confidential information/data should be made available only through Secure FTP, e-mail or electronic file transmission systems.
- Media containing "Confidential" information/data that is no longer required should be destroyed or formatted. The information asset owner should initiate the disposal.
- Information that must be shared externally for a project proposal/tender should be sent using Gmail Confidential Mode, where applicable, to restrict downloading, forwarding or printing of any sensitive information.
INFORMATION LABELING AND HANDLING
Requirements for handling, processing, storing and communicating information consistent with its classification are:
- All templates will be labelled INTERNAL. Where labelling is not within HealthSafe NZ's control, physical labelling may not be possible; such information is still classified into one of the three categories and must be handled accordingly.
- Distribution of data should be kept to a minimum and restricted to authorised persons who require it for business needs.
- System documentation should be stored securely.
- Automatic forwarding of electronic mail to external mail addresses should not be allowed.
- Messages containing sensitive information should not be left on voice mail, since they may be replayed by unauthorised persons, stored on communal systems, or stored incorrectly as a result of misdialling.
Labelling the Classified Information
Label both physically and electronically stored information as stated in the table above so that it is handled according to HealthSafe NZ rules.
- Electronic labelling of computer-based information must follow the labelling guidelines in the table above. This may be applied at the folder level for sensitive and confidential information.
Storing and Handling Classified Information
- Highly confidential information that has not been transported safely or destroyed securely may end up in the public domain, damaging HealthSafe NZ's reputation. Whenever the use of information/data is complete, destroy the data or store it in a secured location.
- Information may retain its original classification when it should have been reclassified to a higher level of confidentiality. It may then be stored in a location (physical or electronic) that is inappropriate for its true sensitivity, leading to disclosure or loss.
- Storage and disposal of data must be carried out according to the guidelines in the table above.
8 MONITORING THE PROCESS
- Data Classification Method
9 RECORDS
- Master List of Documents