Data Classification Policy

Purpose

Classification promotes proper controls for safeguarding the confidentiality of information. Integrity and accuracy must be protected regardless of classification.

Classification Rules

Information must be classified according to the most sensitive detail it includes. Information recorded in several formats, including source documents, electronic records, and reports, must carry the same classification regardless of format.

Classification Levels

| Level | Definition | Examples | Required handling |
| --- | --- | --- | --- |
| Confidential | Highly sensitive material restricted to those with a legitimate business need. Unauthorized disclosure may violate laws or contracts, or cause significant harm to Core 12, customers, or business partners. | Personnel information, key financial information, client customer master data, system access passwords | Access cleared through the information owner; protect during storage, transfer, use, and disposal. |
| Internal | Intended for unrestricted use within Core 12 and, in some cases, affiliated business partners. Information not explicitly classified as Confidential or Public defaults to Internal. | Internal policies, procedures, most internal email, operational guidance | Store in approved systems; do not share externally without authorization or contractual basis. |
| Public | Specifically approved for public release by designated authority. | Marketing brochures, public website content, published press or social posts | May be disclosed externally after approval. |

Information Owner Responsibilities

Information owners determine retention periods, authorize access, specify controls, communicate handling requirements, and report loss or misuse promptly to the Information Security Officer.

Management Repo Use

  • Use asset, service, website, web application, personnel, vendor, and license records in core12-isms-management to record classification and owner.
  • Any record containing Confidential information must have an owner, access-control review date, and next review date.