APPENDIX A
Pdf Summary
The "Data Classification and Handling Guidelines" document establishes Oakleaf's information security framework using a four-level data classification scheme: Restricted, Confidential, Private, and Public. It provides detailed definitions, the potential business impact of data loss, and specific handling requirements for each classification.

Data Classifications:

- Restricted: The most sensitive data, including Personally Identifiable Information (PII) and Non-Public Information (NPI) such as loan files, certain contracts, and legal data. Unauthorized disclosure could cause significant damage such as regulatory violations, reputational harm, and legal exposure. Handling requires strict encryption and restricted physical and logical access, prohibits mobile storage and cloud use, requires encrypted transmission, and limits printing, scanning, and faxing to approved cases.
- Confidential: Internally classified sensitive business data such as employee PII, payroll, and financials. Loss causes moderate damage affecting business and contracts. Requires encryption, restricted access, encrypted transmission, and limited printing and copying with approvals; secure cloud storage is allowed, and NDAs are recommended before sharing with third parties.
- Private: Information owned by or entrusted to Oakleaf, shared on a need-to-know basis but not for public release. Unauthorized access causes minimal or no damage. Encryption is recommended for storage, especially on mobile devices, with remote wipe enabled where possible. Email encryption is recommended. Printing and copying have fewer restrictions; NDAs are recommended before sharing.
- Public: Information releasable to the general public with no business risk. No special security controls are required, though encryption is recommended for email. No restrictions on printing, copying, faxing, or disposal.

General Practices: The default classification for new data is Private unless otherwise designated. When data of multiple sensitivities is mixed, the strictest classification applies. Restricted, Confidential, and Private data cannot be publicly released and require controls when shared with third parties.

PII/NPI Handling: Defined as a combination of a name plus identifiers such as SSN, passport number, driver's license number, financial account numbers, or electronic protected health information. These require the highest protection and fall under the Restricted or Confidential classifications.

Handling Examples: The document provides explicit controls such as encryption, logical and physical access restrictions, communication protocols, labeling, mailing standards, and disposal methods tailored to each classification level.

Data Sensitivity Examples: It categorizes data elements such as Social Security numbers, financial accounts, employee records, strategic business information, and IT infrastructure credentials into these classifications, aligning handling with the risk each element carries.

Policy Governance: The CISO owns the policy, with CEO approval. Revisions from 2015 to 2016 refined the guidelines to meet audit and compliance standards. References include ISO 27002 and NIST SP 800-53.

Overall, Oakleaf's guidelines provide a comprehensive framework to safeguard information by sensitivity level through strict access, handling, and transmission controls, in order to protect business interests, comply with regulations, and manage data responsibly.
Keywords
Data Classification
Information Security
Restricted Data
Confidential Data
Private Data
Public Data
PII Handling
Data Encryption
Access Control
Oakleaf Security Policy