Data Classification & Access Control Policy


Terminology

  • The Business: The Agency, or any of its other brand names.
  • Employee or member of staff: someone employed to work for the Business, whether as a fully employed person or as a contractor.

1. Policy Statement

  • All Agency employees who come into contact with sensitive Agency internal information are expected to familiarise themselves with this data classification policy and to consistently use these same ideas in their daily Agency business activities.
  • Sensitive information is either Confidential or Restricted information, and both are defined later in this document. Although this policy provides overall guidance, to achieve consistent information protection, The Agency employees are expected to apply and extend these concepts to fit the needs of day-to-day operations.
  • This document provides a conceptual model for The Agency for classifying information based on its sensitivity, and an overview of the required approaches to protect information based on these same sensitivity classifications.
  • Addresses Major Risks: The Agency data classification system, as defined in this document, is based on the concept of need to know. This term means that information is not disclosed to any person who does not have a legitimate and demonstrable business need to receive the information.
  • This concept, when combined with the policies defined in this document, will protect The Agency’s information from unauthorised disclosure, use, modification, and deletion.
  • Applicable Information: This data classification policy is applicable to all electronic information for which The Agency is the custodian.

2. Procedures

  • Access Control
    • Need to Know: Each of the policy requirements set forth in this document is based on the concept of need to know. If an Agency employee is unclear how the requirements set forth in this policy should be applied to any particular circumstance, he or she must conservatively apply the need to know concept. That is to say that information must be disclosed only to those people who have a legitimate business need for the information.
    • System Access Controls: The proper controls shall be in place to authenticate the identity of users and to validate each user’s authorisation before allowing the user to access information or services on the system.  Data used for authentication shall be protected from unauthorised access.  Controls shall be in place to ensure that only personnel with the proper authorisation and a need to know are granted access to The Agency systems and their resources.  Remote access shall be controlled through identification and authentication mechanisms.
    • Access Granting Decision: Access to The Agency sensitive information must be provided only after the written authorisation of the Data Owner has been obtained. Custodians of the involved information must refer all requests for access to the relevant Owners or their delegates. Special needs for other access privileges will be dealt with on a request-by-request basis. The list of individuals with access to Confidential or Restricted data must be reviewed for accuracy by the relevant Data Owner in accordance with a system review schedule approved by the manager of Information Services.
    • Review of Access Rights: Employee access rights will be reviewed at commencement of employment, when an employee leaves, and at twelve-monthly intervals during employment.

  • Information Classification
    • Owners and Production Information: All electronic information managed by The Agency must have a designated Owner. Production information is information routinely used to accomplish business objectives. Owners should be at the Owner level.  Owners are responsible for assigning appropriate sensitivity classifications as defined below. Owners do not legally own the information entrusted to their care. They are instead designated members of The Agency management team who act as stewards, and who supervise the ways in which certain types of information are used and protected.
    • RESTRICTED: This classification applies to the most sensitive business information that is intended for use strictly within The Agency. Its unauthorised disclosure could seriously and adversely impact The Agency, its customers, its business partners, and its suppliers.
    • CONFIDENTIAL: This classification applies to less-sensitive business information that is intended for use within The Agency. Its unauthorised disclosure could adversely impact The Agency or its customers, suppliers, business partners, or employees.
    • PUBLIC: This classification applies to information that has been approved by The Agency management for release to the public. By definition, there is no such thing as unauthorised disclosure of this information, and it may be disseminated without potential harm.
    • Owners and Access Decisions: Data Owners must make decisions about who will be permitted to gain access to information, and the uses to which this information will be put. The Agency must take steps to ensure that appropriate controls are utilised in the storage, handling, distribution, and regular usage of electronic information.

3. Object Reuse and Disposal

Storage media containing sensitive (i.e. restricted or confidential) information shall be completely empty before reassigning that medium to a different user or disposing of it when no longer used.

Simply deleting the data from the media is not sufficient. A method must be used that completely erases all data. When disposing of media containing data that cannot be completely erased, the media must be destroyed in a manner approved by the manager of The Agency security.

4. Physical Security

  • Data Centre Access: Access to the data centre is physically restricted in a reasonable and appropriate manner.
  • Facility Access: All network equipment (routers, switches, etc.) and servers located in the corporate office and in all facilities must be secured when no Agency personnel, or authorised contractors, are present. Physically secured is defined as locked in a location that denies access to unauthorised personnel.

5. Special Considerations for Restricted Information

  • If Restricted information is going to be stored on a personal computer, portable computer, personal digital assistant, or any other single-user system, the system must conform to data access control safeguards approved by The Agency.
  • When these users are not currently accessing or otherwise actively using the Restricted information on such a machine, they must not leave the machine without logging off, invoking a password-protected screen saver, or otherwise restricting access to the Restricted information.
  • Data Encryption Software: The Agency employees and vendors must not install encryption software to encrypt files or folders without the express written consent of The Agency Security.

6. Information Transfer

  • Transmission Over Networks: If The Agency Restricted data is to be transmitted over any external communication network, it must be sent only in encrypted form.
  • Transfer to Another Computer: Before any Restricted information may be transferred from one computer to another, the person making the transfer must ensure that access controls on the destination computer are commensurate with access controls on the originating computer. If comparable security cannot be provided with the destination system’s access controls, then the information must not be transferred.

7. Software Security

  • Secure Storage of object and source code: Object and source code for system software shall be securely stored when not in use by the developer.  Developers must not have access to modify program files that actually run in production.  Unless access is routed through an application interface, no developer shall have more than read access to production data.  Further, any changes to production applications must follow the change management process.
  • Testing: Developers must perform any testing of website changes on a domain separate from the client’s main domain. Final testing must be performed by The Agency management and the client.
  • Actual software development will be carried out on a separate server.
  • Backups: Sensitive data shall be backed up regularly, and the backup media shall be stored in a secure environment.

8. Documents

This document must be read in conjunction with, and forms part of, the complete set of The Agency’s policies and agreements:

  • Your Project Proposal
  • Your Client Agreement
  • Our Terms & Conditions
  • Our Operating System & Browser Policy
  • This Secure Password Policy
  • Our Information Security Policy
  • Our Service Level Agreement
  • Our UK GDPR Policy

This document was last updated in May 2022
