Breezy HR Security Documentation

At Breezy HR, we’re committed to information security and privacy.

Information Classification & Handling Policy (A.8.2)

Information Classifications

A method for classifying information resources is essential in order to determine appropriate controls based on the relative business value or sensitivity to disclosure of those assets. The information classification assists in determining how the information will be handled and protected during storage, transmission, use, and when shared or disposed of, both print and electronically stored, based on the sensitivity of the data.

Breezy provides and maintains its information technology resources for the primary purpose of conducting Breezy business. These systems are to be used in a professional, responsible, ethical, and legal manner at all times. All information stored, transmitted, used, shared, or disposed of is the property of Breezy and does not belong to the individual using the data. Information classification provides a common understanding of the level of protection a specific information resource requires. This policy extends to third-party information retained or handled during Breezy business operations. Improper handling of information can result in serious financial loss, compromise of employee or business partner data, or loss of public trust.

By default, all unmarked or unclassified information should be considered “Sensitive” until the owner of the information determines further classification.

Open

Unauthorized or accidental disclosure, or loss, of information marked as OPEN should have no serious or detrimental effect on the organization. Before using this classification, consider whether you are comfortable with all of your personnel, your clients, and your competitors seeing this information.

Examples of information that may be classified as OPEN include, but are not limited to, press releases, white papers and research documents, certain policies and processes, and any other information openly shared with all employees, clients, and competitors.

Information within this category is unlikely to require encryption due to its nature and, therefore, will not be subject to the Breezy Cryptographic Control Policy.

Sensitive

Information marked as SENSITIVE should be restricted to personnel within the organization and to trusted external individuals or organizations. Typically, such external parties should be under a contractual obligation, in the form of a Non-Disclosure Agreement (NDA), to protect this type of information and should understand how it is to be protected.

Examples of information classified as SENSITIVE include, but are not limited to, service reports, performance data, certain contractual agreements, most policies and processes, company strategies and plans, details of forthcoming changes to products and services, and any other information that should not be shared with the entire client base or a competitor.

Information within this category may require encryption, depending on its content and the handling rules set out in this policy, and therefore may be subject to the Breezy Cryptographic Control Policy.

Confidential

Information marked as CONFIDENTIAL should be restricted to personnel within the organization or the owners of the information. Personnel will need specific training and contractual clauses in their employment terms and conditions to enforce non-disclosure of material outside of the organization.

Examples of information classified as CONFIDENTIAL include, but are not limited to, financial budgets and reports, and any other information not readily shared with clients, suppliers, or anyone else outside of the organization.

Information within this category requires encryption and is therefore subject to the Breezy Cryptographic Control Policy.

Secret

Information marked as SECRET should be restricted to personnel within the organization or the owners of the information. Any external recipient of secret information should be under a contractual obligation of a Non-Disclosure Agreement (NDA) to protect this information type and understand how it is to be protected. Personnel will need specific training and contractual clauses in their employment terms and conditions to enforce non-disclosure of material outside of the contracted organizations.

Examples of information classified as SECRET include remuneration, payroll and benefits details, user personally identifiable information (PII) and records in Software as a Service (SaaS) and managed hosting products, and any other information not “common knowledge” amongst the workforce.

Information within this category requires encryption and is therefore subject to the Breezy Cryptographic Control Policy.

Principles of Data Access

Access should only be provided to those who have a legitimate and justified information access need. Even if an individual holds an appropriate security clearance, clearance alone does not give automatic access to information of a corresponding classification: the information asset owner needs to grant and remove access based on validated requirements.

New employees will have only the most basic access to information and IT facilities, which can then be modified based upon their progression or increased responsibilities in their careers. When an employee changes position or department, their access rights will be reviewed and adjusted accordingly. Employees who leave the company will have all their access rights revoked immediately.

Further information is given in the Access Control Policy.

Information Handling

The handling rules below are listed per activity, with the requirement for each classification (Open, Sensitive, Confidential, Secret).

Photocopying
  Open: No restrictions
  Sensitive: With care; collect promptly
  Confidential: With care; collect promptly
  Secret: With care; collect promptly

Transmission by Fax
  Open: Ensure fax confirmation is obtained
  Sensitive: Contact recipient to confirm receipt
  Confidential: Prohibited
  Secret: Prohibited

Sending by Post or Courier
  Open: No restrictions
  Sensitive: Single envelope, marked with recipient's details
  Confidential: Signed-for service only. Double envelope, inner one marked appropriately.
  Secret: Signed-for service only. Double envelope, inner one marked appropriately. Check for signs of tampering.

Transmitting by Email
  Open: No restrictions
  Sensitive: NDA required for external recipients; consider encryption
  Confidential: NDA required for external recipients; encryption preferred
  Secret: NDA required for external recipients; encryption compulsory

Transmitting Over the Internet
  Open: No restrictions
  Sensitive: NDA required for external recipients; consider encryption
  Confidential: NDA required for external recipients; encryption preferred
  Secret: NDA required for external recipients; encryption compulsory

Access on Mobile Devices in Public Places
  Open: Take care to avoid possible eavesdropping
  Sensitive: Not recommended; avoid if possible
  Confidential: Prohibited
  Secret: Prohibited

Information when Traveling
  Open: Care should be taken
  Sensitive: Care should be taken; documents and equipment are not to be left unattended
  Confidential: Extra care should be taken. Carry on person; only leave data in properly secured storage.
  Secret: Extra care should be taken. Carry on person; only leave data in properly secured storage.

Printing of Information
  Open: No restrictions
  Sensitive: With care; only to a printer in the immediate vicinity; collect or destroy promptly after use
  Confidential: With care; only to a printer in the immediate vicinity; collect or destroy promptly after use
  Secret: With care; only to a printer in the immediate vicinity; collect or destroy promptly after use

Storage of Information in Printed Form
  Open: No restrictions
  Sensitive: Dependent on specific content
  Confidential: Locked drawer, filing cabinet, or safe
  Secret: Locked drawer, filing cabinet, or safe

Disposal of Information in Printed Form
  Open: Recycling
  Sensitive: Shredding
  Confidential: Shredding (cross-cut)
  Secret: Shredding (cross-cut)

Reporting Loss, Theft, or Compromise
  Open: Not required
  Sensitive: Raise an Information Security Incident
  Confidential: Raise an Information Security Incident
  Secret: Raise an Information Security Incident

Disposal, Recycling, and Reuse of Magnetic or Flash Storage
  Open: Delete all data
  Sensitive: Use a DOE-compliant 3-pass (or higher) erase method in macOS Disk Utility prior to disposal, recycling, or reuse
  Confidential: Use a DOE-compliant 3-pass (or higher) erase method in macOS Disk Utility prior to disposal, recycling, or reuse
  Secret: Use a DOE-compliant 3-pass (or higher) erase method in macOS Disk Utility prior to disposal, recycling, or reuse

Data Storage and Classification

All critical business information and critical software on Breezy information resources must be periodically backed up. Business/asset owners are responsible for defining backup schedules and for determining the scope of information to be backed up. Users are responsible for backing up any critical files.

Retention of old, outdated, or incorrect information can cause business complications and confusion, and places Breezy at risk of liability if the information is inadvertently disclosed. Therefore, Breezy employees should not retain data that is no longer relevant to Breezy business operations, unless retention is required for another reason (such as financial records kept for audit, or information subject to a legal or contractual retention obligation).

For additional guidance on data storage, please refer to the Breezy HR Information Backup Policy.
