Data Classification Policy
Internal Use
Document Control
| Item | Details |
|---|---|
| Version | 1.1 |
| Cadence | Annual |
| Policy Owner | Chief Information Security Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-1, DCF-3, DCF-13, DCF-20, DCF-21, DCF-22, DCF-28, DCF-29, DCF-30, DCF-32, DCF-38, DCF-39, DCF-40, DCF-45, DCF-46, DCF-48, DCF-49, DCF-51, DCF-52, DCF-55, DCF-56, DCF-57, DCF-68, DCF-76, DCF-77, DCF-78, DCF-79 |
1. PURPOSE AND SCOPE
1.1 Purpose
This policy assists employees and third parties in understanding Dispel’s information labeling and handling guidelines. It defines how data is classified based on sensitivity and impact so that appropriate controls can be applied to protect confidentiality, integrity, and availability.
1.2 Scope
This policy applies to all information that is received, stored, processed, or transmitted by Dispel through any medium, including but not limited to:
- Electronic data (e.g., databases, files, emails, SaaS platforms).
- Hardcopy documents and records.
- Verbal communications where organizational or customer information is discussed.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC2.1, CC2.2, CC8.1 | Supports Trust Services Criteria related to roles and responsibilities, information classification, and change management. |
| 2 | ISO/IEC 27001 | A.5.12, A.5.13, A.5.14 | Supports Annex A controls for information classification and labeling. |
| 3 | NIST SP 800-53 | PL-2, MP-5, MP-6 | Supports planning and media protection controls related to information classification and handling. |
| 4 | IEC 62443 | 62443-2-1.4.3 | Aligns with requirements for classification and handling of industrial/OT information assets. |
| 5 | HIPAA | 164.308(a)(3) | Supports Security Rule implementation specification for workforce security related to access to and handling of ePHI. |
2. POLICY STATEMENTS
2.1 Management Commitment
Management Commitment Statement
Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:
- Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
- Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
- Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
- Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.
2.2 Primary Policy Statement
Dispel SHALL classify information based on its sensitivity and potential impact if compromised, and SHALL apply controls commensurate with that classification to protect confidentiality, integrity, and availability.
2.3 Secondary Policy Statements
At a minimum, Dispel SHALL:
- Require that all data be assigned a classification level (Restricted/Confidential, Internal Use, or Public).
- Maintain labeling and handling requirements appropriate to each classification level.
- Ensure that classification is considered during system design, data onboarding, and vendor selection.
- Align classification and handling practices with related policies such as the Information Security Policy, Data Retention Policy, and Asset Management Policy.
3. REQUIREMENTS
3.1 Data Classification Scheme
Objective: Define a consistent scheme for classifying data and the corresponding controls.
Mandatory Activities:
- All data SHALL be categorized into one of the following levels:
  - Restricted/Confidential
  - Internal Use
  - Public
- Data owners (asset owners) SHALL assign classifications based on the potential impact of unauthorized disclosure, alteration, or destruction.
- Data classification SHALL be reviewed periodically or when business, regulatory, or contractual conditions change.
Required Outputs:
- A current inventory of information assets with assigned classifications.
Security Controls: SOC 2 CC2.x, CC8.1; ISO 27001 A.5.12–A.5.14.
Approval Required: Policy Owner.
3.2 Handling Controls by Classification
Objective: Ensure that handling controls (access, labeling, transmission, storage, destruction) match classification.
Mandatory Activities:
- Restricted/Confidential data SHALL be limited to individuals with a legitimate need-to-know and MUST be protected against loss, theft, unauthorized access, and disclosure.
- Internal Use data SHALL be restricted to personnel with a business need and protected from unauthorized access, modification, and transmission.
- Public data MAY be freely shared but MUST still be protected from unauthorized alteration or destruction.
- Handling and labeling guidelines (e.g., encryption requirements, NDA usage, physical protections) SHALL be followed as defined in this policy and related procedures.
Required Outputs:
- Documented handling standards per classification level.
Security Controls: PL-2, MP-5, MP-6; IEC 62443-2-1.4.3.
Approval Required: Policy Owner, Security Officer.
4. ROLES AND RESPONSIBILITIES
4.1 Policy Owner (e.g., CEO or Delegate)
Responsibilities:
- Owns this Data Classification Policy.
- Reviews and, if necessary, updates the policy at least annually.
- Monitors the number of incidents related to unauthorized access and misclassification as key effectiveness indicators.
4.2 Asset Owners
Responsibilities:
- Classify information assets they own.
- Ensure appropriate labeling, handling, and retention are applied to their assets.
4.3 All Personnel
Responsibilities:
- Follow classification, labeling, and handling rules in everyday work.
- Seek guidance when classification is unclear.
- Report suspected misclassification or handling issues.
5. PROCEDURES
5.1 Classification and Labeling Procedure
| Step | Action | Responsible Party | Timeframe |
|---|---|---|---|
| 1 | Identify the information asset and its business purpose. | Asset Owner | During asset onboarding or major change |
| 2 | Assess potential impact of unauthorized disclosure, alteration, or destruction. | Asset Owner | Same as step 1 |
| 3 | Assign a classification level (Restricted/Confidential, Internal Use, or Public). | Asset Owner | Same as step 1 |
| 4 | Label the information according to its classification (e.g., document headers/footers, email subject, storage media labels). | Asset Owner or Delegates | Within defined operational process |
| 5 | Apply handling controls (encryption, NDAs, transmission rules) as required for the classification. | All Personnel with access | Ongoing |
Additional procedural details (e.g., specific marking formats, label placement, and system-level configuration) MAY be maintained in supporting standards or implementation guides.
6. MONITORING AND COMPLIANCE
6.1 Compliance Monitoring
Compliance with this policy SHALL be monitored through:
- Review of incidents related to unauthorized access or misclassification.
- Periodic audits of information assets and their documented classifications.
- Spot checks of labeling and handling practices.
6.2 Metrics and Reporting
| Metric | Frequency | Owner |
|---|---|---|
| Number of classification-related incidents | Quarterly | Policy Owner / Security Officer |
| Number of misclassified information assets identified in audit | Quarterly | Security / Compliance |
6.3 Non-Compliance Consequences
Non-compliance with this policy may result in:
- Corrective and preventive actions.
- Disciplinary measures up to and including termination.
- Additional technical or procedural remediation.
7. EXCEPTIONS AND WAIVERS
7.1 Exception Process
Exceptions to this policy SHALL:
- Be submitted in writing by the requesting party.
- Include detailed justification and business impact.
- Describe compensating controls or mitigation measures.
- Define exception duration and remediation plan.
7.2 Exception Approval Authority
| Risk Level | Approval Authority |
|---|---|
| Low | Policy Owner |
| Medium | Policy Owner and Security Officer |
| High | Policy Owner, Security Officer, and Compliance Officer |
| Critical | Executive Management |
8. DEFINITIONS
Confidential/Restricted Data: Highly valuable, highly sensitive business data where unauthorized access, alteration, or destruction could cause significant damage to Dispel or its customers (e.g., PHI, PII, data protected by confidentiality agreements).
Internal Use Data: Information originating within or owned by Dispel (or entrusted to it by others) that is not intended for public release and where unauthorized access could cause moderate damage.
Public Data: Information approved for release to the general public with minimal risk if disclosed, though integrity protection is still required.
Instant Messenger: Personal communication channels such as SMS or Apple iMessage, distinct from company chat platforms like Slack or Microsoft Teams.
Remote Access: Access to SaaS provider environments (e.g., Box, Slack, Microsoft 365) rather than traditional on-premises data centers; still requires secure practices such as VPN use on untrusted networks.
9. REFERENCES
9.1 Internal References
- Information Security Policy
- Asset Management Policy
- Data Retention Policy
- Data Deletion Policy
9.2 External References
- SOC 2 Trust Services Criteria
- ISO/IEC 27001 Annex A.5.12–A.5.14
- NIST SP 800-53 (PL and MP families)
- IEC 62443-2-1
- HIPAA Security Rule (45 CFR §164.308)
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2022-01-14 | Ethan Schmertzler | Initial Creation and Approval |
| 1.1 | 2023-01-10 | Ethan Schmertzler | Updated for SaaS-focused language and annual review |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | | | |
| Security Officer | | | |
| Compliance Officer | | | |
END OF POLICY
APPENDICES
Appendix A: Handling Controls per Data Classification (Summary)
The detailed handling table from the prior version (e.g., NDA usage, encryption, labeling, and transmission requirements per classification and medium) is maintained logically as part of this appendix and may be referenced directly from the Data Classification and Handling Standard.
Appendix B: Steps and Responsibilities for Information Management
| Step | Description | Responsible Role |
|---|---|---|
| 1 | Categorize information assets | Asset Owner |
| 2 | Label information appropriately | Asset Owner |
| 3 | Handle information according to classification and this policy | Personnel with authorized access |
Version 1.1
Explanation of changes: Reviewed for new year. Policy is unchanged.
| Creation date | Approval date | Published date | Owner | Approver | Publisher |
|---|---|---|---|---|---|
| January 12, 2025 | January 14, 2025 | January 14, 2025 | Ethan Schmertzler | Ethan Schmertzler | Ethan Schmertzler |