Data Classification Policy

Breakout Learning Inc.


Purpose

This policy assists employees and third parties in understanding Breakout Learning Inc’s information labeling and handling guidelines. Sensitivity level definitions are created as guidelines and emphasize common sense steps to protect sensitive or confidential information (e.g., company confidential information should not be left unattended in conference rooms).


Scope

This policy applies to all information owned, managed, controlled, or maintained by Breakout Learning Inc. Information covered includes, but is not limited to, information received, stored, processed, or transmitted via any means, including electronic, hardcopy, and any other form of media.


Roles and Responsibilities

  • CTO
  • Policy Manager
  • Security Team:
    Ensures compliance with the Data Classification Policy throughout the organization and conducts regular audits to verify adherence. They provide training and awareness programs to ensure Data Owners, Data Custodians, and Data Users understand their roles regarding data classification.

Policy

Definitions

  • Confidential/Restricted Data: Data classified as Sensitive or Private according to the data classification scheme defined in this policy.
  • Internal Data: All data owned or licensed by Breakout Learning Inc.
  • Public Information: Information that is available within the public domain.

Data Classification Scheme

Data classification, in the context of information security, categorizes data based on its sensitivity and the impact to Breakout Learning Inc should it be disclosed, altered, or destroyed without authorization. All data should be classified into one of the following three classifications:

Confidential/Restricted Data

Data should be classified as Restricted or Confidential when unauthorized disclosure, alteration, or destruction could cause serious or significant risk to Breakout Learning Inc or its customers. Examples include data protected by state or federal privacy regulations (e.g., PHI, PII) or confidentiality agreements.

Key handling requirements include:

  • Disclosure/access limited to authorized individuals with a legitimate need-to-know.
  • Must be protected from loss, theft, unauthorized access, and unauthorized disclosure.
  • Destruction when no longer needed must follow company policies.
  • Specific methodologies for incident response and handling are required.

Internal Use Data

Data should be classified as Internal Use when unauthorized disclosure, alteration, or destruction could result in a moderate level of risk to Breakout Learning Inc or its customers. This includes proprietary, ethical, or privacy considerations.

Key handling requirements include:

  • Restricted to personnel with legitimate access.
  • Reasonable security controls should be applied to protect this data.

Public Data

Data should be classified as Public when unauthorized disclosure, alteration, or destruction would result in little or no risk to Breakout Learning Inc and its customers.

Key handling requirements include:

  • No specific restrictions on access or usage, but some level of control is required to prevent unauthorized alteration or destruction.

De-identified Data

Breakout Learning Inc will de-identify data to remove personal information from data collected, used, archived, or shared with other organizations. Data sets containing personal information are not considered de-identified.


Assessing Classification Level and Labeling

Data classification reflects the level of impact to Breakout Learning Inc if confidentiality, integrity, or availability is compromised. If a classification is not obvious, consider the following classification levels:

RESTRICTED

  • Highly sensitive information
  • Level of protection is dictated externally by legal and/or contractual requirements
  • Must be limited to only authorized employees, contractors, and business partners with a specific business need

Potential impact of loss: SERIOUS DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal or external to Breakout Learning Inc.

Impact could include negatively affecting Breakout Learning Inc’s competitive position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements, and posing an identity theft risk.

CONFIDENTIAL

  • Sensitive information
  • Level of protection is dictated internally by Breakout Learning Inc
  • Must be limited to only authorized employees, contractors, and business partners with a specific business need

Potential impact of loss: SIGNIFICANT DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal or external to Breakout Learning Inc.

Impact could include negatively affecting Breakout Learning Inc’s competitive position, damaging the company’s reputation, violating contractual requirements, and exposing geographic location of individuals.

INTERNAL USE

  • Non-sensitive information
  • Originating within or owned by Breakout Learning Inc, or entrusted to it by others
  • May be shared with authorized employees, contractors, and business partners who have a business need, but may not be released to the general public, due to the negative impact it might have on the company’s business interests

Potential impact of loss: MODERATE DAMAGE would occur if Internal Use information were to become available to unauthorized parties either internal or external to Breakout Learning Inc.

Impact could include damaging the company’s reputation and violating contractual requirements.

PUBLIC

  • Information that has been approved for release to the general public
  • Freely shareable both internally and externally

Potential impact of loss: NO DAMAGE would occur if Public information were to become available to parties either internal or external to Breakout Learning Inc.

Impact would not be damaging or a risk to business operations.


Handling Controls per Data Classification

Each handling control below is listed by classification in this order: Restricted, Confidential, Internal Use, Public.

Non-Disclosure Agreement (NDA)

  • Restricted: Required prior to access by non-Breakout Learning Inc employees
  • Confidential: Recommended prior to access by non-Breakout Learning Inc employees
  • Internal Use: Not Required
  • Public: Not Required

Internal Network Transmission (wired & wireless)

  • Restricted: Encryption Required; Instant Messaging Prohibited; FTP Prohibited
  • Confidential: Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited
  • Internal Use: No Requirements
  • Public: No Requirements

External Network Transmission (wired & wireless)

  • Restricted: Encryption Required; Instant Messaging Prohibited; FTP Prohibited; Remote Access if Necessary (only with VPN and two-factor authorization when possible)
  • Confidential: Encryption Required; Instant Messaging Prohibited; FTP Prohibited
  • Internal Use: Encryption Recommended; Instant Messaging Prohibited; FTP Prohibited
  • Public: No special requirements

Data at Rest (file servers, databases, archives, etc.)

  • Restricted: Encryption Required; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Individuals
  • Confidential: Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups
  • Internal Use: Encryption Recommended; Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups
  • Public: Logical Access Controls Required (Limit Unauthorized Use); Physical Access Restricted to Specific Groups

Mobile Devices (iPhone, iPad, USB Drive, etc.)

  • Restricted: Encryption Required; Remote Wipe Enablement Required, if possible
  • Confidential: Encryption Required; Remote Wipe Enablement Required, if possible
  • Internal Use: Encryption Recommended; Remote Wipe Enablement Recommended, if possible
  • Public: No Requirements

Email (with and without attachments)

  • Restricted: Encryption Required; Do Not Forward
  • Confidential: Encryption Recommended; Do Not Forward
  • Internal Use: Encryption Recommended; Do Not Forward
  • Public: No Requirements

Physical Mail

  • Restricted: Mark "Open by Addressee Only"; Use Courier or "Certified Mail" and Sealed, Tamper-Resistant Envelopes for External Mailings
  • Confidential: Mark "Open by Addressee Only"; Use "Certified Mail" and Sealed, Tamper-Resistant Envelopes for External Mailings
  • Internal Use: Mail with Company Interoffice Mail; US Mail or Other Public Delivery Systems
  • Public: No Requirements


Revision History

  • Version 1.1
    Date: 2024/10/01
    Editor: Nikita Rogatnev
    Approver: Joshua Oster-Morris
    Description of Changes: Standardized role titles across all relevant policies, replacing previous variations

  • Version 1.0
    Date: 2024/01/01
    Editor: Joshua Oster-Morris
    Approver: Jake Shepherd
    Description of Changes: Initial version