Guidelines for Data Classification
Purpose
The purpose of creating these guidelines is to come up with a framework for classification of data on the basis of the sensitivity level, its value and criticality to Appy Pie as required by Appy Pie’s Information Security Policy. This process of data classification will help in further determination of baseline security controls for data security or protection.
Applies To
The Policy is applicable to the staff and is extended the third-party Agents of Appy Pie as well as any other Appy Pie affiliate who has access to Appy Pie Data. The policy particularly applies to the resources responsible for classification and protection of Appy Pie’s Data, as is specified by the Information Security Roles and Responsibilities
Definitions
Confidential Data is a generic phrase that signifies any and all data which is classified as Restricted, as per the data classification scheme laid out in this policy. It is quite often also referred as sensitive data.
A Data Steward is a designated senior-level employee at Appy Pie who supervises the lifecycle of one or multiple sets of Appy Pie Data.
Appy Pie Data includes all the data owned or licensed by Appy Pie.
Non-public Information is any information that is classified as Private or Restricted Information as per the data classification scheme put forth in the policy.
Sensitive Data is a generic term which signifies any and all data which is classified as Restricted, as per the data classification scheme laid out in this policy. It is quite often also referred as confidential data.
Data Classification
Data classification, in context of information or data security, is the classification of data on the basis of its sensitivity level and the impact it may have on Appy Pie if it were to be divulged, modified or destroyed without sanction or authorization. This process of data classification helps ascertain the appropriate baseline security controls for data protection. All Appy Pie data must be classified into one of three sensitivity levels, or classifications:
A. | Restricted Data |
Only that data should be classified as Restricted, which if disclosed, altered, or destroyed without authorization may cause considerable risk to Appy Pie, its customers, or its affiliates. For example – data protected by state or federal privacy regulations or data protected by confidentiality agreements. Restricted data must be protected by the highest level of security controls. | |
B. | Private Data |
Only that data should be classified as Private, which if disclosed, altered, or destroyed without authorization may cause moderate risk to Appy Pie, its customers, or its affiliates. Any Appy Pie Data that is not explicitly classified as Restricted or Public data should, by default, be considered Private data. Private data must be protected by a reasonable level of security controls. | |
C. | Public Data |
Only that data should be classified as Public, which if disclosed, altered, or destroyed without authorization may cause little or no risk to Appy Pie, its customers, and its affiliates. For example – press releases, educational resources, and case studies. Though little or no controls need to be applied to protect the confidentiality of Public data, still certain level of control must be applied to prevent unauthorized modification or destruction of Public data. |
Data classification must be carried out by a suitable Data Steward. Data Stewards are senior-level employees at Appy Pie who are responsible for overseeing the complete lifecycles of one or multiple sets of Appy Pie Data.
Calculating Classification
The purpose of information security, as mentioned in our Information Security Policy, is to protect the confidentiality, integrity, and availability of Appy Pie Data. Classification of data indicates the level of impact on Appy Pie if there is any compromise of confidentiality, integrity, or availability.
Regrettably, there is no perfect quantitative system for calculating the classification of a particular data element. In some situations, the correct classification may be more evident, such as when federal laws require Appy Pie to protect particular data types (e.g. personally identifiable information). In cases where the suitable classification is not innately evident, consider every security objective as described in the following table. The table below is taken from Federal Information Processing Standards (FIPS) publication 199 published by the National Institute of Standards and Technology, which examines the classification of information and the information systems.
POTENTIAL IMPACT | |||
Security Objective | LOW | MODERATE | HIGH |
Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
Integrity Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
Availability Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited a diverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
When the potential impact on Appy Pie goes from Low to High, the data classification needs to become progressively restrictive going from Public to Restricted. In case a suitable classification is still vague after due consideration of the points mentioned above, contact the Information Security Officer for assistance.
Information Type | Data Classification | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|
Personal Data (Client) | Confidential | High | High | High |
Personal Data (Employee) | Confidential | Low | Mid | Mid |
Financial Data (Clients) | Confidential | High | High | High |
Financial Data (Employees) | Confidential | High | High | High |
Vendor Data | Public | Low | Low | Low |