Data Classification Policy
Breakout Learning Inc.
Purpose
This policy assists employees and third parties in understanding Breakout Learning Inc’s information labeling and handling guidelines. Sensitivity level definitions are created as guidelines and emphasize common sense steps to protect sensitive or confidential information (e.g., company confidential information should not be left unattended in conference rooms).
Scope
This policy applies to all information owned, managed, controlled, or maintained by Breakout Learning Inc. Information covered includes, but is not limited to, information received, stored, processed, or transmitted via any means, including electronic, hardcopy, and any other form of media.
Roles and Responsibilities
- CTO
- Policy Manager
- Security Team: Ensures compliance with the Data Classification Policy throughout the organization and conducts regular audits to verify adherence. They provide training and awareness programs to ensure Data Owners, Data Custodians, and Data Users understand their roles regarding data classification.
Policy
Definitions
- Confidential/Restricted Data: Data classified as Sensitive or Private according to the data classification scheme defined in this policy.
- Internal Data: All data owned or licensed by Breakout Learning Inc.
- Public Information: Information that is available within the public domain.
Data Classification Scheme
Data classification, in the context of information security, categorizes data based on its sensitivity and the impact to Breakout Learning Inc should it be disclosed, altered, or destroyed without authorization. All data should be classified into one of the following three classifications:
Confidential/Restricted Data
Data should be classified as Restricted or Confidential when unauthorized disclosure, alteration, or destruction could cause serious or significant risk to Breakout Learning Inc or its customers. Examples include data protected by state or federal privacy regulations (e.g., PHI, PII) or confidentiality agreements.
Key handling requirements include:
- Disclosure/access limited to authorized individuals with a legitimate need-to-know.
- Must be protected from loss, theft, unauthorized access, and unauthorized disclosure.
- Destruction when no longer needed must follow company policies.
- Specific methodologies for incident response and handling are required.
Internal Use Data
Data should be classified as Internal Use when unauthorized disclosure, alteration, or destruction could result in a moderate level of risk to Breakout Learning Inc or its customers. This includes proprietary, ethical, or privacy considerations.
Key handling requirements include:
- Restricted to personnel with legitimate access.
- Reasonable security controls should be applied to protect this data.
Public Data
Data should be classified as Public when unauthorized disclosure, alteration, or destruction would result in little or no risk to Breakout Learning Inc and its customers.
Key handling requirements include:
- No specific restrictions on access or usage, but some level of control is required to prevent unauthorized alteration or destruction.
De-identified Data
Breakout Learning Inc will de-identify data to remove personal information from data collected, used, archived, or shared with other organizations. Data sets containing personal information are not considered de-identified.
Assessing Classification Level and Labeling
Data classification reflects the level of impact to Breakout Learning Inc if confidentiality, integrity, or availability is compromised. If a classification is not obvious, consider the following classification levels:
| CLASSIFICATION | POTENTIAL IMPACT OF LOSS |
| --- | --- |
| RESTRICTED | SERIOUS DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal or external to Breakout Learning Inc. Impact could include negatively affecting Breakout Learning Inc’s competitive position, violating regulatory requirements, damaging the company’s reputation, violating contractual requirements, and posing an identity theft risk. |
| CONFIDENTIAL | SIGNIFICANT DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal or external to Breakout Learning Inc. Impact could include negatively affecting Breakout Learning Inc’s competitive position, damaging the company’s reputation, violating contractual requirements, and exposing geographic location of individuals. |
| INTERNAL USE | MODERATE DAMAGE would occur if Internal Use information were to become available to unauthorized parties either internal or external to Breakout Learning Inc. Impact could include damaging the company’s reputation and violating contractual requirements. |
| PUBLIC | NO DAMAGE would occur if Public information were to become available to parties either internal or external to Breakout Learning Inc. Impact would not be damaging or a risk to business operations. |
Handling Controls per Data Classification
| Handling Controls | Restricted | Confidential | Internal Use | Public |
| --- | --- | --- | --- | --- |
| Non-Disclosure Agreement (NDA) | Required prior to access by non-Breakout Learning Inc employees | Recommended prior to access by non-Breakout Learning Inc employees | Not Required | Not Required |
| Internal Network Transmission (wired & wireless) | | | | |
| External Network Transmission (wired & wireless) | | | | |
| Data at Rest (file servers, databases, archives, etc.) | | | | |
| Mobile Devices (iPhone, iPad, USB Drive, etc.) | | | | |
| Email (with and without attachments) | | | | |
| Physical Mail | | | | |
Revision History
| Version | Date | Editor | Approver | Description of Changes |
| --- | --- | --- | --- | --- |
| 1.1 | 2024/10/01 | Nikita Rogatnev | Joshua Oster-Morris | Standardized role titles across all relevant policies, replacing previous variations |
| 1.0 | 2024/01/01 | Joshua Oster-Morris | Jake Shepherd | Initial version |