Data Classification Policy

Purpose

Classification promotes proper controls for safeguarding the confidentiality of information. Integrity and accuracy must be protected regardless of classification.

Classification Rules

Information must be classified according to the most sensitive detail it includes. Information recorded in several formats, including source documents, electronic records, and reports, must carry the same classification regardless of format.

Classification Levels

Level	Definition	Examples	Required handling
Confidential	Highly sensitive material restricted to those with a legitimate business need. Unauthorized disclosure may violate laws, contracts, or cause significant harm to Core 12, customers, or business partners.	Personnel information, key financial information, client customer master data, system access passwords	Access cleared through the information owner; protect during storage, transfer, use, and disposal.
Internal	Intended for unrestricted use within Core 12 and, in some cases, affiliated business partners. Information not explicitly classified as Confidential or Public defaults to Internal.	Internal policies, procedures, most internal email, operational guidance	Store in approved systems; do not share externally without authorization or contractual basis.
Public	Specifically approved for public release by designated authority.	Marketing brochures, public website content, published press or social posts	May be disclosed externally after approval.

Information Owner Responsibilities

Information owners determine retention periods, authorize access, specify controls, communicate handling requirements, and report loss or misuse promptly to the Information Security Officer.

Management Repo Use

• Use asset, service, website, web application, personnel, vendor, and license records in core12-isms-management to record classification and owner.
• Any record containing Confidential information must have an owner, access-control review date, and next review date.